{
  "schemaVersion": "v1",
  "generatedAt": "2026-07-10T12:32:59.237Z",
  "methodologyVersion": "v1.3",
  "count": 52,
  "decisions": [
    {
      "slug": "ico-reddit-2026-02",
      "regulator": "ico",
      "caseRef": "reddit-2026-02",
      "date": "2026-02-23",
      "respondent": "Reddit, Inc.",
      "finding": "Reddit did not apply any robust age-assurance mechanism on its UK service and therefore had no lawful basis under Article 6 or Article 8 UK GDPR for processing the personal data of UK children under 13; the lawfulness and fairness principle in Article 5(1)(a) was breached and Reddit had not carried out a data protection impact assessment to assess and mitigate risks to children, in breach of Article 35 UK GDPR, before January 2025.",
      "primarySourceUrl": "https://ico.org.uk/media2/hrlmvj14/reddit-mpn-20260223.pdf",
      "archiveUrl": null,
      "fineEur": 16500000,
      "notes": "EUR amount approximate. Cite when a scanner finds an online service with under-13 reach and no age-assurance signal beyond a self- declared birth-date - the ICO has now ruled explicitly that self-declaration without verification is not lawful basis under Article 8.",
      "url": "https://www.consentmark.com/precedent/ico-reddit-2026-02"
    },
    {
      "slug": "cnil-san-2025-011",
      "regulator": "cnil",
      "caseRef": "SAN-2025-011",
      "date": "2025-11-27",
      "respondent": "AMERICAN EXPRESS CARTE FRANCE",
      "finding": "American Express recorded the content of customer-service calls without demonstrating necessity for the processing, breaching the data-minimisation principle in Article 5(1)(c) GDPR; and the cookie-consent-withdrawal mechanism on its website did not effectively stop the reading of previously-set cookies, breaching the consent-withdrawal limb of Article 82 of the French Data Protection Act.",
      "primarySourceUrl": "https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000052981827",
      "archiveUrl": null,
      "fineEur": 1500000,
      "notes": "Financial-services precedent. Cite when the scanner narrative needs the principle that withdrawal of consent must stop downstream reads (not only future writes), alongside SAN-2024-019 (Orange) and SAN-2025-010 (Condé Nast).",
      "url": "https://www.consentmark.com/precedent/cnil-san-2025-011"
    },
    {
      "slug": "cnil-san-2025-010",
      "regulator": "cnil",
      "caseRef": "SAN-2025-010",
      "date": "2025-11-20",
      "respondent": "LES PUBLICATIONS CONDE NAST",
      "finding": "Trackers were deposited on users' terminals before any consent action, in breach of Article 82 of the French Data Protection Act; the information presented in the banner did not describe the purposes of the trackers accurately; and trackers continued to be read after users had refused or withdrawn consent. The asymmetry between the ease of acceptance and the difficulty of refusal also undermined the freely-given character of any consent obtained.",
      "primarySourceUrl": "https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000052851847",
      "archiveUrl": null,
      "fineEur": 750000,
      "notes": "Media-publisher precedent (Vogue, Vanity Fair, GQ France). Cite when the scanner narrative covers an ad-supported editorial site where tag fires precede the CMP interaction or where refusal does not stop downstream reads. Comparable in pattern to SAN-2024-019 (Orange) but in the editorial-publisher sector rather than telco webmail.",
      "url": "https://www.consentmark.com/precedent/cnil-san-2025-010"
    },
    {
      "slug": "ico-lastpass-2025-11",
      "regulator": "ico",
      "caseRef": "lastpass-2025-11",
      "date": "2025-11-20",
      "respondent": "LastPass UK Limited",
      "finding": "In August 2022 an attacker compromised the corporate laptop of an EU-based LastPass employee and then a US-based employee's personal laptop used for work, capturing a master credential and accessing the LastPass backup database to take customer names, email addresses, phone numbers and stored website URLs of up to 1.6 million UK customers; LastPass had not implemented appropriate controls around BYOD device usage, breaching Article 5(1)(f) and Article 32(1) UK GDPR.",
      "primarySourceUrl": "https://ico.org.uk/media2/xfbl1uaa/lastpass-uk-ltd-penalty-notice.pdf",
      "archiveUrl": null,
      "fineEur": 1430000,
      "notes": "EUR amount approximate. The ICO highlighted BYOD-on-personal-devices as the central control failure - LastPass's zero-knowledge vault encryption prevented full credential extraction, but metadata loss alone was sufficient for an Article 32 breach. Cite when a scanner finds analytics or operations administered from personal devices outside a managed endpoint estate.",
      "url": "https://www.consentmark.com/precedent/ico-lastpass-2025-11"
    },
    {
      "slug": "ico-capita-2025-10",
      "regulator": "ico",
      "caseRef": "capita-2025-10",
      "date": "2025-10-15",
      "respondent": "Capita plc and Capita Pension Services Limited",
      "finding": "In March 2023 a ransomware actor obtained access to Capita's corporate environment via a malware-bearing download on a Capita employee laptop and exfiltrated personal data of approximately 6.6 million people, including pension members of 325 client schemes; Capita had been aware of the underlying vulnerabilities, did not treat the early indicators as a security incident, and lacked adequate technical and organisational measures, breaching Article 5(1)(f) and Article 32 UK GDPR.",
      "primarySourceUrl": "https://ico.org.uk/media2/pv5nhks4/capita-plc-and-cpsl-monetary-penalty-notice.pdf",
      "archiveUrl": null,
      "fineEur": 16100000,
      "notes": "EUR amount approximate. Fine split: GBP 8M against Capita plc as controller + GBP 6M against Capita Pension Services Limited as processor. The initial starting point was GBP 58M; settlement-and-no- appeal plus group-double-punishment adjustments reduced the final to GBP 14M. Cite as a recent precedent that the ICO will fine a processor directly under Article 32, not only the controller.",
      "url": "https://www.consentmark.com/precedent/ico-capita-2025-10"
    },
    {
      "slug": "cnil-san-2025-004",
      "regulator": "cnil",
      "caseRef": "SAN-2025-004",
      "date": "2025-09-01",
      "respondent": "GOOGLE LLC and GOOGLE IRELAND LIMITED",
      "finding": "During Google-account creation, advertising cookies were deposited on users' terminals without freely-given consent because the implications of the proposed \"cookie wall\" were not explained sufficiently for an informed choice; and inserting advertisements between messages in the Gmail inbox amounts to electronic prospecting under Article L. 34-5 CPCE, requiring prior consent that Google did not obtain.",
      "primarySourceUrl": "https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000052182222",
      "archiveUrl": null,
      "fineEur": 325000000,
      "notes": "Fine split: EUR 200M against Google LLC + EUR 125M against Google Ireland Limited. Six-month compliance deadline with EUR 100k/day astreinte for non-compliance. Cite when the scanner narrative covers a \"you must accept tracking to create the account\" pattern or when advertising units in a transactional surface trigger Article L. 34-5 prospecting obligations.",
      "url": "https://www.consentmark.com/precedent/cnil-san-2025-004"
    },
    {
      "slug": "cnil-san-2025-005",
      "regulator": "cnil",
      "caseRef": "SAN-2025-005",
      "date": "2025-09-01",
      "respondent": "INFINITE STYLES SERVICES CO. LIMITED",
      "finding": "Advertising and measurement cookies were deposited on users' terminals as soon as they arrived on shein.com, before any consent action was taken; this breached the prior-consent requirement of Article 82 of the French Data Protection Act (the national transposition of Article 5(3) ePrivacy), as the user had no opportunity to express or refuse consent before the read/write operation.",
      "primarySourceUrl": "https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000052182271",
      "archiveUrl": null,
      "fineEur": 150000000,
      "notes": "INFINITE STYLES SERVICES CO. LIMITED is the Irish subsidiary of the SHEIN group; the CNIL press release names SHEIN directly. Cite for the precedent that tag-fires-before-consent on a retail destination is a EUR-150M-scale Article 82 violation, not merely a paperwork breach.",
      "url": "https://www.consentmark.com/precedent/cnil-san-2025-005"
    },
    {
      "slug": "ico-23andme-2025-06",
      "regulator": "ico",
      "caseRef": "23andme-2025-06",
      "date": "2025-06-05",
      "respondent": "23andMe, Inc.",
      "finding": "Credential-stuffing attackers reused passwords from unrelated breaches to log into 23andMe accounts and, via the DNA-Relatives feature, exfiltrated the genetic and personal data of around 155,592 UK users; 23andMe had not mandated multi-factor authentication, took four days to shut compromised accounts and force resets, and notified the ICO ten days late, breaching Articles 5(1)(f), 32(1) and 33(1) UK GDPR.",
      "primarySourceUrl": "https://ico.org.uk/media2/kclbljpo/23andme-penalty-notice.pdf",
      "archiveUrl": null,
      "fineEur": 2700000,
      "notes": "EUR amount approximate. Joint enforcement with the Office of the Privacy Commissioner of Canada. Cite when a scanner finds a high- sensitivity service (genetics, health, financial) without mandatory MFA and without compromised-credential checking - the ICO frames optional MFA on a high-risk service as a 32(1) breach.",
      "url": "https://www.consentmark.com/precedent/ico-23andme-2025-06"
    },
    {
      "slug": "cnil-san-2025-001",
      "regulator": "cnil",
      "caseRef": "SAN-2025-001",
      "date": "2025-05-15",
      "respondent": "SOLOCAL MARKETING SERVICES",
      "finding": "Solocal Marketing Services carried out electronic prospecting campaigns directed at several million recipients without a freely- given, specific, informed and unambiguous consent for those communications, breaching Article L. 34-5 CPCE and Articles 6(1)(a) and 7 GDPR; the company also transferred the contacts to commercial partners without a documented legal basis for the onward processing.",
      "primarySourceUrl": "https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000051630617",
      "archiveUrl": "https://web.archive.org/web/20250520233425/https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000051630617",
      "fineEur": 900000,
      "notes": "Data-broker precedent. Cite when the scanner narrative needs the principle that a data broker cannot rely on the consent collected by an upstream form without evidence the form satisfied the freely-given and specific limbs. Pairs with SAN-2023-009 (Criteo) for the upstream-consent-cannot-be-assumed point.",
      "url": "https://www.consentmark.com/precedent/cnil-san-2025-001"
    },
    {
      "slug": "dpc-in-21-9-2",
      "regulator": "dpc",
      "caseRef": "IN-21-9-2",
      "date": "2025-04-30",
      "respondent": "TikTok Technology Limited",
      "finding": "TikTok transferred EEA user data to the People's Republic of China without verifying that the protections offered by Chinese law were essentially equivalent to those under EU law, breaching Article 46(1) GDPR; and failed to inform users about the transfers and the remote access by personnel in China, breaching the transparency obligation in Article 13(1)(f) GDPR.",
      "primarySourceUrl": "https://www.dataprotection.ie/sites/default/files/uploads/2025-10/Inquiry%20into%20TikTok%20Technology%20Limited%20April%202025.pdf",
      "archiveUrl": "https://web.archive.org/web/20260506173624/https://www.dataprotection.ie/sites/default/files/uploads/2025-10/Inquiry%20into%20TikTok%20Technology%20Limited%20April%202025.pdf",
      "fineEur": 530000000,
      "notes": "Distinct from IN-21-9-1 (the September 2023 children's design-patterns case). Composite fine is EUR 485M (Art 46(1)) plus EUR 45M (Art 13(1)(f)). Cite when the scanner narrative needs the precedent for transparency about international transfers and remote access by third-country personnel.",
      "url": "https://www.consentmark.com/precedent/dpc-in-21-9-2"
    },
    {
      "slug": "ico-advanced-2025-03",
      "regulator": "ico",
      "caseRef": "advanced-2025-03",
      "date": "2025-03-27",
      "respondent": "Advanced Computer Software Group Limited",
      "finding": "In August 2022 ransomware actors gained access to Advanced's systems through a customer-portal account that did not require multi-factor authentication, and exfiltrated personal information including sensitive health and care data of 79,404 UK individuals, causing widespread disruption to NHS services; Advanced failed to implement appropriate technical and organisational measures to ensure security of processing under Article 32(1) UK GDPR.",
      "primarySourceUrl": "https://ico.org.uk/media2/gdlfddgc/advanced-penalty-notice-20250327.pdf",
      "archiveUrl": null,
      "fineEur": 3700000,
      "notes": "EUR amount approximate. The original notice of intent in August 2024 was GBP 6.09M; reduced to GBP 3.07M via voluntary settlement. First ICO penalty issued to a processor-only entity under UK GDPR. Cite when a scanner finds a vendor or sub-processor without MFA on an admin or service account - the precedent is that this is itself a 32(1) breach independent of any subsequent compromise.",
      "url": "https://www.consentmark.com/precedent/ico-advanced-2025-03"
    },
    {
      "slug": "edpb-gl-01-2025",
      "regulator": "edpb",
      "caseRef": "GL-01-2025",
      "date": "2025-01-16",
      "respondent": "European Data Protection Board",
      "finding": "Pseudonymised data which could be attributed to an individual by the use of additional information remains information relating to an identifiable natural person and is therefore personal data within the meaning of Article 4(1) GDPR. Pseudonymisation can support Article 5, Article 25 and Article 32 compliance but does not, by itself, take the data outside the GDPR's material scope.",
      "primarySourceUrl": "https://www.edpb.europa.eu/system/files/2025-01/edpb_guidelines_202501_pseudonymisation_en.pdf",
      "archiveUrl": null,
      "fineEur": 0,
      "notes": "[Type: guidance] Non-enforcement guideline (public consultation draft). Cite when the scanner narrative covers a controller arguing that a hashed-email join key or pseudonymous device-ID is not personal data - the EDPB's position is unambiguously that pseudonymous data is personal data so long as re-identification is reasonably feasible. Companion to DPC Apple IN-20-39-1.",
      "url": "https://www.consentmark.com/precedent/edpb-gl-01-2025"
    },
    {
      "slug": "dpc-in-18-10-1",
      "regulator": "dpc",
      "caseRef": "IN-18-10-1",
      "date": "2024-12-12",
      "respondent": "Meta Platforms Ireland Limited",
      "finding": "After the September 2018 incident in which user access tokens granted attackers entry to circa 29 million Facebook accounts, Meta omitted required information from its breach notification (Article 33(3)), failed to document the breach adequately (Article 33(5)), and failed to ensure data protection by design and by default (Articles 25(1) and 25(2)) - the tokens granted broader access than necessary, contrary to the minimisation-by-default obligation.",
      "primarySourceUrl": "https://www.dataprotection.ie/sites/default/files/uploads/241212_IN-18-10-1_Redacted.pdf",
      "archiveUrl": null,
      "fineEur": 251000000,
      "notes": "Companion decision IN-18-11-1 was issued the same day; the combined EUR 251M fine spans both inquiries. Cite when the scanner narrative needs to argue that an over-scoped credential or token is itself an Article 25 by-design breach, independent of whether attackers later exploited it.",
      "url": "https://www.consentmark.com/precedent/dpc-in-18-10-1"
    },
    {
      "slug": "cnil-san-2024-019",
      "regulator": "cnil",
      "caseRef": "SAN-2024-019",
      "date": "2024-11-14",
      "respondent": "ORANGE SA",
      "finding": "Orange displayed commercial advertisements between users' email messages in its webmail interface, a form of electronic prospecting requiring prior consent under Article L. 34-5 CPCE that Orange did not obtain; and continued to read information stored on users' terminals through cookies after the user had withdrawn consent, in breach of Article 82 of the French Data Protection Act.",
      "primarySourceUrl": "https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000050760620",
      "archiveUrl": "https://web.archive.org/web/20250115153852/https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000050760620",
      "fineEur": 50000000,
      "notes": "Anchors two distinct principles in one decision: ad units in a webmail inbox are prospecting under Article L. 34-5; and a consent-withdrawal signal must stop downstream reads as well as future writes. The consent-withdrawal limb is the more novel of the two, because it reaches the post-CMP-update flow.",
      "url": "https://www.consentmark.com/precedent/cnil-san-2024-019"
    },
    {
      "slug": "dpc-in-18-08-3",
      "regulator": "dpc",
      "caseRef": "IN-18-08-3",
      "date": "2024-10-22",
      "respondent": "LinkedIn Ireland Unlimited Company",
      "finding": "LinkedIn unlawfully processed third-party (non-member) and member personal data for behavioural analysis and targeted advertising; consent was not valid, legitimate interests did not apply, and contractual necessity was not satisfied - infringing Articles 6(1), 5(1)(a) and the transparency duties in Articles 13 and 14 GDPR.",
      "primarySourceUrl": "https://dataprotection.ie/sites/default/files/uploads/2024-12/LinkedIn-Final-Decision-IN-18-08-3-Redacted.pdf",
      "archiveUrl": "https://web.archive.org/web/20250312220407/https://dataprotection.ie/sites/default/files/uploads/2024-12/LinkedIn-Final-Decision-IN-18-08-3-Redacted.pdf",
      "fineEur": 310000000,
      "notes": "The DPC press release (24 October 2024) is the public-facing summary; the redacted final decision PDF is the citable primary source.",
      "url": "https://www.consentmark.com/precedent/dpc-in-18-08-3"
    },
    {
      "slug": "ico-psni-2024-10",
      "regulator": "ico",
      "caseRef": "psni-2024-10",
      "date": "2024-10-04",
      "respondent": "Chief Constable of the Police Service of Northern Ireland",
      "finding": "A spreadsheet released as part of a freedom-of-information response contained a hidden tab disclosing the surnames, initials, ranks and roles of all 9,483 PSNI officers and staff to the public internet; the controller had not implemented appropriate technical and organisational measures to identify the hidden data before release, breaching Articles 5(1)(f), 32(1) and 32(2) UK GDPR.",
      "primarySourceUrl": "https://ico.org.uk/media2/migrated/4031177/psni-penalty-notice.pdf",
      "archiveUrl": "https://web.archive.org/web/20260105045413/https://ico.org.uk/media2/migrated/4031177/psni-penalty-notice.pdf",
      "fineEur": 870000,
      "notes": "EUR amount approximate (round-trip from GBP 750k at the enforcement-date FX rate). The ICO public-sector approach reduced the indicative fine from GBP 5.6M to GBP 750k. Cite when the scanner narrative covers an inadvertent-disclosure-via-publication pattern - the hidden-tab issue is the data-protection equivalent of a spreadsheet-row-level-access misconfiguration.",
      "url": "https://www.consentmark.com/precedent/ico-psni-2024-10"
    },
    {
      "slug": "dpc-in-19-4-1",
      "regulator": "dpc",
      "caseRef": "IN-19-4-1",
      "date": "2024-09-26",
      "respondent": "Meta Platforms Ireland Limited",
      "finding": "Meta inadvertently stored the passwords of \"hundreds of millions\" of Facebook users in plaintext on internal systems, breaching Articles 5(1)(f) and 32(1) GDPR for failing to ensure appropriate security of processing; and failed to notify the personal data breach within 72 hours and to document it adequately, breaching Articles 33(1) and 33(5) GDPR.",
      "primarySourceUrl": "https://www.dataprotection.ie/sites/default/files/uploads/2024-12/Meta-Final-Decision-IN-19-4-1-Redacted.pdf",
      "archiveUrl": "https://web.archive.org/web/20250519055655/https://www.dataprotection.ie/sites/default/files/uploads/2024-12/Meta-Final-Decision-IN-19-4-1-Redacted.pdf",
      "fineEur": 91000000,
      "notes": "Composite fine: EUR 8M (Art 33(1)) + EUR 8M (Art 33(5)) + EUR 75M (Art 5(1)(f) and 32(1)). The decision turns on the security of processing principle rather than on any external access to the passwords - relevant when arguing that an internal-only data flow still triggers Article 32 obligations.",
      "url": "https://www.consentmark.com/precedent/dpc-in-19-4-1"
    },
    {
      "slug": "ico-bonne-terre-limited-2024-09",
      "regulator": "ico",
      "caseRef": "bonne-terre-limited-2024-09",
      "date": "2024-09-02",
      "respondent": "Bonne Terre Limited (trading as Sky Betting and Gaming)",
      "finding": "Between 10 January and 3 March 2023, Sky Betting and Gaming shared users' personal data with advertising technology companies via cookies set the moment a user reached the SkyBet website, before any option to accept or reject advertising cookies was presented - unlawful, non-transparent and unfair processing under UK GDPR.",
      "primarySourceUrl": "https://ico.org.uk/action-weve-taken/enforcement/2024/09/bonne-terre-limited/",
      "archiveUrl": "https://web.archive.org/web/20260225040127/https://ico.org.uk/action-weve-taken/enforcement/2024/09/bonne-terre-limited/",
      "fineEur": 0,
      "notes": "Reprimand only - the ICO did not impose a monetary penalty. fine_eur is zero by design; the narrative cites this case for the precedent that pre-consent ad-cookie firing is unlawful, not for the fine size. ICO reprimands do not carry formal case-reference numbers; bonne-terre-limited-2024-09 is the URL-slug from ico.org.uk/action-weve-taken/enforcement/2024/09/bonne-terre-limited/, not an official ICO case identifier.",
      "url": "https://www.consentmark.com/precedent/ico-bonne-terre-limited-2024-09"
    },
    {
      "slug": "edpb-op-08-2024",
      "regulator": "edpb",
      "caseRef": "OP-08-2024",
      "date": "2024-04-17",
      "respondent": "European Data Protection Board",
      "finding": "\"In most cases, it will not be possible for large online platforms to comply with the requirements for valid consent if they confront users only with a binary choice between consenting to processing of personal data for behavioural advertising purposes and paying a fee.\" Large online platforms should give significant consideration to an additional free alternative without behavioural advertising.",
      "primarySourceUrl": "https://www.edpb.europa.eu/system/files/2024-04/edpb_opinion_202408_consentorpay_en.pdf",
      "archiveUrl": null,
      "fineEur": 0,
      "notes": "[Type: guidance] Non-enforcement opinion under Article 64(2) GDPR. Cite when the scanner narrative needs the principle that a paid- alternative-only model is not, by itself, sufficient to make behavioural-advertising consent freely given. Companion to Guidelines 05/2020 already in this registry.",
      "url": "https://www.consentmark.com/precedent/edpb-op-08-2024"
    },
    {
      "slug": "dpc-in-20-37-1",
      "regulator": "dpc",
      "caseRef": "IN-20-37-1",
      "date": "2024-03-08",
      "respondent": "Groupon Ireland Operations Limited",
      "finding": "Groupon demanded photographic government-issued identification to verify the identity of a complainant who had requested access and erasure, despite less intrusive alternatives being available, breaching the data-minimisation principle in Article 5(1)(c) GDPR; Groupon also continued to process the complainant's personal data after the erasure request without a valid Article 6(1) basis, breaching Article 17(1) GDPR.",
      "primarySourceUrl": "https://www.dataprotection.ie/sites/default/files/uploads/2024-06/Final-Decision-Groupon-International-Limited-March-2024-EN.pdf",
      "archiveUrl": null,
      "fineEur": 0,
      "notes": "Reprimand under Article 58(2)(b) GDPR; no administrative fine. Cite alongside the Twitter IN-19-6-1 reprimand for the principle that identity verification must be proportionate - a controller cannot collect more personal data than necessary as a precondition to honouring an Article 15 or Article 17 request.",
      "url": "https://www.consentmark.com/precedent/dpc-in-20-37-1"
    },
    {
      "slug": "dpc-in-20-39-1",
      "regulator": "dpc",
      "caseRef": "IN-20-39-1",
      "date": "2024-03-07",
      "respondent": "Apple Distribution International Limited",
      "finding": "Apple retained a hashed version of a complainant's email address after processing an Article 17 erasure request and did not inform the data subject of the retention, the legal basis or the recipients of the data, breaching the transparency obligations in Article 13(1)(c) and 13(1)(d) GDPR; the retention itself was lawful under Article 6(1)(f) but the non-disclosure was not.",
      "primarySourceUrl": "https://www.dataprotection.ie/sites/default/files/uploads/2024-08/Inquiry-into-Apple-Distribution-International-Limited-Final-Decision-March-2024-EN.pdf",
      "archiveUrl": null,
      "fineEur": 0,
      "notes": "Reprimand under Article 58(2)(b) GDPR; no administrative fine. Cite when a service hashes an email or identifier post-erasure for suppression-list purposes and does not surface the retention in its privacy notice - the hashing does not exempt the controller from Article 13 transparency.",
      "url": "https://www.consentmark.com/precedent/dpc-in-20-39-1"
    },
    {
      "slug": "cnil-san-2024-002",
      "regulator": "cnil",
      "caseRef": "SAN-2024-002",
      "date": "2024-01-31",
      "respondent": "DE PARTICULIER A PARTICULIER (PAP)",
      "finding": "PAP retained user account data and inactive-user data beyond the period necessary for the purposes for which they were processed, breaching Article 5(1)(e) GDPR; failed to provide complete information to data subjects in breach of Article 13; did not frame its relationship with a processor with the contractual safeguards required by Article 28; and stored credentials without an appropriately strong hashing function and in plain text in some logs, breaching Article 32.",
      "primarySourceUrl": "https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000049128617",
      "archiveUrl": "https://web.archive.org/web/20250331054141/https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000049128617",
      "fineEur": 100000,
      "notes": "Real-estate-classifieds publisher (pap.fr). Cite when the scanner narrative needs the precedent that inactive-user retention beyond a documented period is itself an Article 5(1)(e) breach, and that weak credential storage triggers Article 32 even when no external compromise occurred.",
      "url": "https://www.consentmark.com/precedent/cnil-san-2024-002"
    },
    {
      "slug": "dpc-in-20-38-1",
      "regulator": "dpc",
      "caseRef": "IN-20-38-1",
      "date": "2024-01-31",
      "respondent": "Airbnb Ireland UC",
      "finding": "Airbnb required a copy of a government-issued identity document both to complete account registration and to process the user's erasure request, despite the complainant having provided minimal personal data before requesting deletion; the collection breached Article 5(1)(c) GDPR (data minimisation) and lacked a valid Article 6(1) basis, in particular as a precondition to action an Article 17 request.",
      "primarySourceUrl": "https://www.dataprotection.ie/sites/default/files/uploads/2024-04/Inquiry-into-Airbnb-Ireland-UC-31-January-2024-EN_0.pdf",
      "archiveUrl": null,
      "fineEur": 0,
      "notes": "Reprimand under Article 58(2)(b) GDPR; no administrative fine. Cite alongside the Twitter IN-19-6-1 and Groupon IN-20-37-1 reprimands for the pattern that universal ID-document collection at signup or rights- request time is not proportionate without a documented risk basis.",
      "url": "https://www.consentmark.com/precedent/dpc-in-20-38-1"
    },
    {
      "slug": "cnil-san-2023-024",
      "regulator": "cnil",
      "caseRef": "SAN-2023-024",
      "date": "2023-12-29",
      "respondent": "YAHOO EMEA LIMITED",
      "finding": "Around twenty advertising cookies were deposited on the user's terminal on yahoo.com despite no expressed consent, and Yahoo! Mail users who withdrew consent were told they would lose access to the service - both breaches of Article 82 of the French Data Protection Act.",
      "primarySourceUrl": "https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000048967251",
      "archiveUrl": "https://web.archive.org/web/20241208085753/https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000048967251",
      "fineEur": 10000000,
      "notes": "Cite the Legifrance deliberation rather than the cnil.fr press summary - the EN press release at cnil.fr/en/cookies-cnil-fined-yahoo-eu10-million 301-redirects to a generic landing page (verified dead 2026-05-22), whereas Legifrance is the French government's official legal gazette and carries the full deliberation text under CNILTEXT000048967251. CNIL is the lead authority on cookie enforcement under ePrivacy; quote this case whenever a scan finds advertising tags firing before consent.",
      "url": "https://www.consentmark.com/precedent/cnil-san-2023-024"
    },
    {
      "slug": "aepd-ps-00002-2023",
      "regulator": "aepd",
      "caseRef": "PS-00002-2023",
      "date": "2023-10-25",
      "respondent": "ENDESA ENERGIA, S.A.",
      "finding": "Endesa failed to implement appropriate security measures to protect customer data, allowing access credentials to its commercial platform to be offered for sale on third-party advertising channels and exposing the personal data of up to 4.8 million electricity and 1.2 million gas customers; the AEPD found composite breaches of Articles 5(1)(f), 32, 33, 34 and 44 GDPR (security, breach notification, notification to data subjects and international transfers).",
      "primarySourceUrl": "https://www.aepd.es/documento/ps-00002-2023.pdf",
      "archiveUrl": null,
      "fineEur": 6100000,
      "notes": "Composite fine: EUR 2.5M (Art 5(1)(f)) + EUR 1.5M (Art 32) + EUR 800k (Art 33) + EUR 800k (Art 34) + EUR 500k (Art 44). Cite as the AEPD's flagship security-of-processing precedent - the underlying incident was credential resale, not external system compromise, so the finding turns on the absence of detection and revocation rather than the attack vector.",
      "url": "https://www.consentmark.com/precedent/aepd-ps-00002-2023"
    },
    {
      "slug": "dpc-in-21-9-1",
      "regulator": "dpc",
      "caseRef": "IN-21-9-1",
      "date": "2023-09-01",
      "respondent": "TikTok Technology Limited",
      "finding": "TikTok's public-by-default account settings and the Family Pairing feature failed to provide age-appropriate protection for users aged 13-17, breaching Articles 5(1)(a), 5(1)(c), 5(1)(f), 12(1), 13(1)(e), 24(1), 25(1) and 25(2) GDPR; consent flows for child users were not presented in an objective, neutral way.",
      "primarySourceUrl": "https://www.dataprotection.ie/sites/default/files/uploads/2023-09/Inquiry%20into%20TikTok%20Technology%20Limited%20-%20September%202023%20EN.pdf",
      "archiveUrl": "https://web.archive.org/web/20231017224852/https://www.dataprotection.ie/sites/default/files/uploads/2023-09/Inquiry%20into%20TikTok%20Technology%20Limited%20-%20September%202023%20EN.pdf",
      "fineEur": 345000000,
      "notes": "Decision followed EDPB Binding Decision 2/2023 (Art. 65) on dispute resolution. The DPC's decisions index lists the case reference as IN-21-9-1 (not IN-21-9-7 as earlier note material had it). Cite alongside BD-02-2023 when the substantive issue is design patterns nudging child consent, not the cookie banner mechanics.",
      "url": "https://www.consentmark.com/precedent/dpc-in-21-9-1"
    },
    {
      "slug": "edpb-bd-02-2023",
      "regulator": "edpb",
      "caseRef": "BD-02-2023",
      "date": "2023-08-02",
      "respondent": "TikTok Technology Limited",
      "finding": "Two TikTok pop-up notifications shown to users aged 13-17 failed to present privacy options in an objective, neutral way and so breached the fairness principle in Article 5(1)(a) GDPR; the EDPB directed the Irish DPC to include findings on these dark-pattern design practices in its final decision.",
      "primarySourceUrl": "https://www.edpb.europa.eu/our-work-tools/our-documents/binding-decision-board-art-65/binding-decision-22023-dispute-submitted_en",
      "archiveUrl": "https://web.archive.org/web/20251210212756/https://www.edpb.europa.eu/our-work-tools/our-documents/binding-decision-board-art-65/binding-decision-22023-dispute-submitted_en",
      "fineEur": 0,
      "notes": "Binding decisions do not themselves impose fines; the accompanying DPC final decision (1 September 2023) imposed the EUR 345 million penalty. fine_eur is zero on this entry by convention - the citable significance is the EDPB framing of dark-pattern unfairness, not the monetary outcome.",
      "url": "https://www.consentmark.com/precedent/edpb-bd-02-2023"
    },
    {
      "slug": "cnil-san-2023-009",
      "regulator": "cnil",
      "caseRef": "SAN-2023-009",
      "date": "2023-06-15",
      "respondent": "CRITEO SA",
      "finding": "Criteo processed user navigation data for behavioural-advertising retargeting without verifying that the consent collected by its partner publishers met the freely-given, specific, informed and unambiguous standard, breaching Article 6(1)(a) and 7 GDPR; provided insufficient information to data subjects under Articles 12 and 13; and failed to give effect to access and erasure requests under Articles 15 and 17 across the data-broker network.",
      "primarySourceUrl": "https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000047707063",
      "archiveUrl": "https://web.archive.org/web/20241128150640/https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000047707063",
      "fineEur": 40000000,
      "notes": "The flagship adtech-retargeting precedent under GDPR. Cite when a scanner finds third-party retargeting or behavioural-advertising tags firing without an evidenced upstream consent signal - the principle here is that the downstream processor cannot rely on the publisher's consent banner without verifying it carries through.",
      "url": "https://www.consentmark.com/precedent/cnil-san-2023-009"
    },
    {
      "slug": "dpc-in-20-8-1",
      "regulator": "dpc",
      "caseRef": "IN-20-8-1",
      "date": "2023-05-12",
      "respondent": "Meta Platforms Ireland Limited",
      "finding": "Meta Ireland's transfers of Facebook user personal data from the EU/EEA to the United States, made on the basis of updated Standard Contractual Clauses, did not address the risks identified by the Court of Justice in Schrems II and so breached Article 46(1) GDPR; the DPC ordered suspension of future transfers and a six-month deadline to cease unlawful processing and storage in the US.",
      "primarySourceUrl": "https://www.dataprotection.ie/sites/default/files/uploads/2023-06/12.05.2023%20Decision%20IN-20-8-1%20Meta%20Platform%20Ireland%20Limited%20%28Facebook%29%20data%20transfers.pdf",
      "archiveUrl": "https://web.archive.org/web/20250918030541/https://www.dataprotection.ie/sites/default/files/uploads/2023-06/12.05.2023%20Decision%20IN-20-8-1%20Meta%20Platform%20Ireland%20Limited%20%28Facebook%29%20data%20transfers.pdf",
      "fineEur": 1200000000,
      "notes": "Decision followed EDPB Binding Decision 1/2023 (Art. 65) on dispute resolution. Largest GDPR fine on record at time of adoption. Cite when the scan shows US-hosted analytics or ad-tech processing EU personal data without a working Article 46 transfer mechanism - the underlying problem is the SCC inadequacy, not the cookie banner.",
      "url": "https://www.consentmark.com/precedent/dpc-in-20-8-1"
    },
    {
      "slug": "ico-tiktok-2023-04",
      "regulator": "ico",
      "caseRef": "tiktok-2023-04",
      "date": "2023-04-04",
      "respondent": "TikTok Information Technologies UK Limited and TikTok Inc.",
      "finding": "Between May 2018 and July 2020, TikTok processed the personal data of up to 1.4 million UK children under 13 who used the platform without parental consent; failed to provide adequate information to users about how their data would be collected, used and shared; and failed to ensure the personal data of UK users was processed lawfully, fairly and in a transparent manner - breaching Articles 5(1)(a), 8 and 12 UK GDPR.",
      "primarySourceUrl": "https://ico.org.uk/action-weve-taken/enforcement/tiktok-information-technologies-uk-limited-and-tiktok-inc/",
      "archiveUrl": "https://web.archive.org/web/20240619175635/https://ico.org.uk/action-weve-taken/enforcement/tiktok-information-technologies-uk-limited-and-tiktok-inc/",
      "fineEur": 14500000,
      "notes": "Native fine GBP 12.7M; EUR figure is the round-trip conversion at the enforcement-date FX rate and is approximate. Cite for the children's- data precedent under UK GDPR, parallel to the DPC's TikTok IN-21-9-7 EU-level enforcement.",
      "url": "https://www.consentmark.com/precedent/ico-tiktok-2023-04"
    },
    {
      "slug": "edpb-gl-09-2022",
      "regulator": "edpb",
      "caseRef": "GL-09-2022",
      "date": "2023-03-28",
      "respondent": "European Data Protection Board",
      "finding": "Under Article 33(1) GDPR the controller must notify the supervisory authority \"without undue delay and, where feasible, not later than 72 hours after having become aware of it\". A controller is \"considered to have become aware\" once it has a \"reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised\", not at the moment of the underlying compromise.",
      "primarySourceUrl": "https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf",
      "archiveUrl": "https://web.archive.org/web/20260506171220/https://www.edpb.europa.eu/system/files/2023-04/edpb_guidelines_202209_personal_data_breach_notification_v2.0_en.pdf",
      "fineEur": 0,
      "notes": "[Type: guidance] Non-enforcement guideline. Cite when the scanner narrative covers a delayed-notification finding - the EDPB's \"reasonable degree of certainty\" test is what supervisory authorities apply when computing whether the 72-hour clock was breached (compare DPC IN-19-4-1 Meta and ICO 23andMe-2025-06).",
      "url": "https://www.consentmark.com/precedent/edpb-gl-09-2022"
    },
    {
      "slug": "dpc-in-20-7-2",
      "regulator": "dpc",
      "caseRef": "IN-20-7-2",
      "date": "2023-02-27",
      "respondent": "Bank of Ireland Group plc",
      "finding": "A series of ten personal data breaches in the Bank of Ireland 365 mobile banking application resulted in unauthorised users gaining access to other customers' accounts; Bank of Ireland failed to implement appropriate technical and organisational measures to ensure the integrity and confidentiality of personal data, breaching Article 5(1)(f) GDPR and the security-of-processing obligation in Article 32(1) GDPR.",
      "primarySourceUrl": "https://www.dataprotection.ie/sites/default/files/uploads/2023-03/Final%20Decision%20IN-20-7-2%20Bank%20of%20Ireland%20%28BOI%29%20365.pdf",
      "archiveUrl": "https://web.archive.org/web/20260428141316/https://www.dataprotection.ie/sites/default/files/uploads/2023-03/Final%20Decision%20IN-20-7-2%20Bank%20of%20Ireland%20%28BOI%29%20365.pdf",
      "fineEur": 750000,
      "notes": "EUR 750k administrative fine plus reprimand and compliance order. Cite when the scanner narrative covers an authenticated-app authorisation bug that surfaces another customer's data in-session - the DPC frames this as Article 32(1) security, not Article 25 design.",
      "url": "https://www.consentmark.com/precedent/dpc-in-20-7-2"
    },
    {
      "slug": "edpb-gl-03-2022",
      "regulator": "edpb",
      "caseRef": "GL-03-2022",
      "date": "2023-02-14",
      "respondent": "European Data Protection Board",
      "finding": "Interface design choices that \"influence users in a way that infringes on the fairness, transparency or data-protection-by-design principles of the GDPR\" constitute deceptive design patterns; the Guidelines identify six categories - overloading, skipping, stirring, obstructing, fickle, and left in the dark - and state that these patterns, where they steer users towards a specific decision contrary to their data protection interests, breach Articles 5(1)(a), 12, 13, 24 and 25 GDPR.",
      "primarySourceUrl": "https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-032022-deceptive-design-patterns-social-media_en",
      "archiveUrl": "https://web.archive.org/web/20240519080404/https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-032022-deceptive-design-patterns-social-media_en",
      "fineEur": 0,
      "notes": "[Type: guidance] Non-enforcement guideline. Cite when the scanner observes a deliberately-asymmetric consent UI - the EDPB has assigned these specific category names (\"obstructing\" for reject-behind-settings, \"stirring\" for emotional-colour nudging, \"skipping\" for default opt-in) so the narrative can name the pattern rather than paraphrase it. The EDPB Cookie Banner Taskforce Report 02/2023 cross-references this taxonomy when grading specific complaints.",
      "url": "https://www.consentmark.com/precedent/edpb-gl-03-2022"
    },
    {
      "slug": "dpc-in-18-5-6",
      "regulator": "dpc",
      "caseRef": "IN-18-5-6",
      "date": "2023-01-12",
      "respondent": "WhatsApp Ireland Limited",
      "finding": "WhatsApp could not lawfully rely on Article 6(1)(b) GDPR (necessity for performance of a contract) as the legal basis for processing personal data for service-improvement and security purposes; the forced-acceptance presentation of the May 2018 Terms of Service did not provide a freely-given consent under Article 6(1)(a) either, breaching the lawfulness and transparency principles of Article 5 GDPR.",
      "primarySourceUrl": "https://www.dataprotection.ie/sites/default/files/uploads/2023-04/WhatsApp%20FINAL%20DECISION%20%28adoption%20version%29%20Redacted.pdf",
      "archiveUrl": "https://web.archive.org/web/20240529211629/https://www.dataprotection.ie/sites/default/files/uploads/2023-04/WhatsApp%20FINAL%20DECISION%20(adoption%20version)%20Redacted.pdf",
      "fineEur": 5500000,
      "notes": "The DPC initially accepted WhatsApp's contractual-necessity argument for service improvements; the EDPB Article 65 binding decision required the position to be reversed. Cite when a service uses a forced-acceptance Terms of Service to bundle marketing-or-analytics processing into \"necessary for the service\".",
      "url": "https://www.consentmark.com/precedent/dpc-in-18-5-6"
    },
    {
      "slug": "dpc-in-18-5-5",
      "regulator": "dpc",
      "caseRef": "IN-18-5-5",
      "date": "2022-12-31",
      "respondent": "Meta Platforms Ireland Limited",
      "finding": "Meta Ireland could not rely on the contract legal basis (Article 6(1)(b) GDPR) to process Facebook users' personal data for behavioural advertising; the processing therefore lacked any valid lawful basis and breached transparency obligations under Articles 12 and 13(1)(c).",
      "primarySourceUrl": "https://www.dataprotection.ie/sites/default/files/uploads/2023-04/Meta%20FINAL%20DECISION%20(ADOPTED)%2031-12-22%20-%20IN-18-5-5%20(Redacted).pdf",
      "archiveUrl": "https://web.archive.org/web/20260414181401/https://www.dataprotection.ie/sites/default/files/uploads/2023-04/Meta%20FINAL%20DECISION%20%28ADOPTED%29%2031-12-22%20-%20IN-18-5-5%20%28Redacted%29.pdf",
      "fineEur": 210000000,
      "notes": "Decision followed EDPB Binding Decision 3/2022 (Art. 65 GDPR) on dispute resolution. Cite alongside Article 5(3) ePrivacy when the substantive issue is lawful basis for tracking, not the cookie banner mechanics.",
      "url": "https://www.consentmark.com/precedent/dpc-in-18-5-5"
    },
    {
      "slug": "cnil-san-2022-027",
      "regulator": "cnil",
      "caseRef": "SAN-2022-027",
      "date": "2022-12-29",
      "respondent": "TIKTOK TECHNOLOGY LIMITED and TIKTOK INFORMATION TECHNOLOGIES UK LIMITED",
      "finding": "On tiktok.com, users could accept cookies in a single click but had to navigate multiple steps to refuse them, breaching the symmetry-of- refusal limb of Article 82 of the French Data Protection Act; the information provided about the purposes of the cookies was also incomplete, undermining the informed-consent limb of the same article.",
      "primarySourceUrl": "https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000046977994",
      "archiveUrl": "https://web.archive.org/web/20240229200426/https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000046977994/",
      "fineEur": 5000000,
      "notes": "Joint sanction against TikTok Technology Limited (Ireland) and TikTok Information Technologies UK Limited - EUR 2.5M each. Cite alongside SAN-2021-024 (Facebook) and SAN-2022-023 (Microsoft Bing) for the pan-platform \"no equivalent refuse\" pattern.",
      "url": "https://www.consentmark.com/precedent/cnil-san-2022-027"
    },
    {
      "slug": "cnil-san-2022-023",
      "regulator": "cnil",
      "caseRef": "SAN-2022-023",
      "date": "2022-12-19",
      "respondent": "MICROSOFT IRELAND OPERATIONS LIMITED",
      "finding": "Advertising cookies were deposited on users' terminals when they arrived on bing.com without their prior consent, and the consent interface did not offer a \"refuse\" mechanism with the same simplicity as the \"accept\" mechanism, breaching the freely-given and equivalent- refusal limbs of Article 82 of the French Data Protection Act.",
      "primarySourceUrl": "https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000046768989",
      "archiveUrl": "https://web.archive.org/web/20250209183135/https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000046768989",
      "fineEur": 60000000,
      "notes": "Bing (Microsoft search engine) precedent. Cite alongside SAN-2021-024 (Facebook), SAN-2021-023 (Google) and SAN-2022-027 (TikTok) for the pan-platform asymmetric-refuse pattern; the EUR 60M scale signals that the CNIL does not treat the asymmetry as a paperwork failing.",
      "url": "https://www.consentmark.com/precedent/cnil-san-2022-023"
    },
    {
      "slug": "dpc-in-21-4-2",
      "regulator": "dpc",
      "caseRef": "IN-21-4-2",
      "date": "2022-11-25",
      "respondent": "Meta Platforms Ireland Limited",
      "finding": "Facebook Search, the Messenger Contact Importer and the Instagram Contact Importer, as deployed between May 2018 and September 2019, failed to implement appropriate technical and organisational measures to ensure data protection by design and by default, breaching Articles 25(1) and 25(2) GDPR; the design enabled unauthenticated enumeration of personal data tied to phone numbers and email addresses, a \"data scraping\" pattern Meta had not designed-out.",
      "primarySourceUrl": "https://www.dataprotection.ie/sites/default/files/uploads/2022-12/Final%20Decision_IN-21-4-2_Redacted.pdf",
      "archiveUrl": null,
      "fineEur": 265000000,
      "notes": "Cite when the scanner narrative covers a feature that exposes more data per-request than the minimum needed to render its UI - the Article 25 by-design and by-default obligations bite even if no individual access is itself \"unauthorised\". Companion finding to the earlier April-2021 Facebook data leak coverage.",
      "url": "https://www.consentmark.com/precedent/dpc-in-21-4-2"
    },
    {
      "slug": "ico-easylife-2022-10",
      "regulator": "ico",
      "caseRef": "easylife-2022-10",
      "date": "2022-10-04",
      "respondent": "Easylife Ltd",
      "finding": "Easylife profiled customers based on items purchased from its non-health catalogue to make assumptions about their medical conditions and then used those profiles to market health products, processing special- category data within Article 9 UK GDPR without an Article 9(2) lawful basis; also made 1,345,732 unsolicited direct marketing calls to individuals registered with the Telephone Preference Service in breach of regulation 21 PECR.",
      "primarySourceUrl": "https://ico.org.uk/action-weve-taken/enforcement/easylife-limited-mpn/",
      "archiveUrl": "https://web.archive.org/web/20240617084322/https://ico.org.uk/action-weve-taken/enforcement/easylife-limited-mpn/",
      "fineEur": 1500000,
      "notes": "Native fine GBP 1.35M (combined GBP 1.35M GDPR penalty and GBP 130k PECR penalty). Cite when the scanner narrative needs the precedent that inferring health-related profiles from on-site behaviour triggers Article 9 even if the inputs are not themselves health data - directly relevant to ad-tech audiences built on purchase signals.",
      "url": "https://www.consentmark.com/precedent/ico-easylife-2022-10"
    },
    {
      "slug": "dpc-in-20-7-4",
      "regulator": "dpc",
      "caseRef": "IN-20-7-4",
      "date": "2022-09-02",
      "respondent": "Meta Platforms Ireland Limited",
      "finding": "Instagram child users (aged 13-17) who operated business accounts had their phone numbers and email addresses exposed publicly, and child personal accounts defaulted to public visibility, breaching Articles 5(1)(a), 5(1)(c), 6(1), 12(1), 24(1), 25(1), 25(2) and 35(1) GDPR; the DPC issued a reprimand and ordered remedial action alongside the fine.",
      "primarySourceUrl": "https://www.dataprotection.ie/sites/default/files/uploads/2022-09/02.09.22%20Decision%20IN%2009-09-22%20Instagram.pdf",
      "archiveUrl": "https://web.archive.org/web/20260316112924/https://www.dataprotection.ie/sites/default/files/uploads/2022-09/02.09.22%20Decision%20IN%2009-09-22%20Instagram.pdf",
      "fineEur": 405000000,
      "notes": "The DPC's filename embeds an internal date (09-09-22) that does not match the formal case reference (IN-20-7-4); the decisions index page is the authoritative source for the case ref. Cite when the scan involves a platform with public-by-default settings for users under 18.",
      "url": "https://www.consentmark.com/precedent/dpc-in-20-7-4"
    },
    {
      "slug": "aepd-ps-00037-2022",
      "regulator": "aepd",
      "caseRef": "PS-00037-2022",
      "date": "2022-07-18",
      "respondent": "OPEN BANK, S.A.",
      "finding": "openbank.es presented an initial cookie banner with an \"Accept\" button but no equivalent option to reject non-strictly-necessary cookies at the same interaction level, requiring users to navigate to a \"Cookie settings\" panel to refuse - the asymmetric design fell short of the unambiguous and freely-given consent standard required by Article 22.2 LSSI in line with Article 4(11) and 7 GDPR.",
      "primarySourceUrl": "https://www.aepd.es/documento/ps-00037-2022.pdf",
      "archiveUrl": "https://web.archive.org/web/20240127061511/https://www.aepd.es/documento/ps-00037-2022.pdf",
      "fineEur": 30000,
      "notes": "Cite alongside CNIL SAN-2022-031 (Meta Facebook) for symmetry-of- refusal as a pan-EU principle, not a French-only quirk. AEPD has been explicit since at least 2020 that \"Accept\" without a same-level \"Reject\" is non-compliant under LSSI Article 22.2.",
      "url": "https://www.consentmark.com/precedent/aepd-ps-00037-2022"
    },
    {
      "slug": "dpc-in-19-6-1",
      "regulator": "dpc",
      "caseRef": "IN-19-6-1",
      "date": "2022-04-27",
      "respondent": "Twitter International Company",
      "finding": "Twitter required photographic identification to verify the identity of a complainant requesting erasure under Article 17, despite the complainant being authenticated to the account, breaching Articles 5(1)(c) and 6(1) GDPR; Twitter also failed to process the erasure within the statutory period in Article 17(1) and did not inform the data subject of the action taken within one month as required by Article 12(3) GDPR.",
      "primarySourceUrl": "https://www.dataprotection.ie/sites/default/files/uploads/2022-06/Twitter%20International%20Company%20%20-%20Decision%20for%20publishing.pdf",
      "archiveUrl": null,
      "fineEur": 0,
      "notes": "Reprimand under Article 58(2)(b) GDPR; no administrative fine. The earliest of the DPC's \"no ID-document for rights requests\" reprimands - companion to Groupon IN-20-37-1 and Airbnb IN-20-38-1. Cite when a service requires a passport image for a rights request from an authenticated user.",
      "url": "https://www.consentmark.com/precedent/dpc-in-19-6-1"
    },
    {
      "slug": "aepd-ps-00477-2021",
      "regulator": "aepd",
      "caseRef": "PS-00477-2021",
      "date": "2022-03-09",
      "respondent": "VODAFONE ESPAÑA, S.A.U.",
      "finding": "vodafone.es deposited cookies on user terminals before any consent action and provided information about cookies through a banner that did not enable users to refuse them with the same ease as accepting - infringing Article 22.2 of Law 34/2002 (LSSI), the Spanish national transposition of Article 5(3) of the ePrivacy Directive.",
      "primarySourceUrl": "https://www.aepd.es/documento/ps-00477-2021.pdf",
      "archiveUrl": "https://web.archive.org/web/20240127061533/https://www.aepd.es/documento/ps-00477-2021.pdf",
      "fineEur": 70000,
      "notes": "Cite when the scanner finds pre-consent cookies on a Spanish-jurisdiction site - the AEPD has been issuing PS/00xxx/202x cookie sanctions since the LSSI 2020 amendment aligned Spanish law with the EDPB's strict reading of valid consent.",
      "url": "https://www.consentmark.com/precedent/aepd-ps-00477-2021"
    },
    {
      "slug": "cnil-san-2021-024",
      "regulator": "cnil",
      "caseRef": "SAN-2021-024",
      "date": "2021-12-31",
      "respondent": "FACEBOOK IRELAND LIMITED",
      "finding": "Facebook deposited cookies on the terminals of users visiting facebook.com without their prior consent and offered no equivalent \"refuse\" option alongside the \"accept\" option at the first interaction; users had to click through to a secondary panel to refuse, breaching the freely-given and equivalent-refusal limbs of Article 82 of the French Data Protection Act.",
      "primarySourceUrl": "https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000044840532",
      "archiveUrl": "https://web.archive.org/web/20241111172550/https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000044840532",
      "fineEur": 60000000,
      "notes": "Issued the same day as SAN-2021-023 (Google EUR 150M) under the same factual pattern. Cite for the principle that \"accept in one click, refuse in several clicks\" is itself the violation - the CNIL does not require that no consent be obtained, only that the path to refusal match the path to acceptance.",
      "url": "https://www.consentmark.com/precedent/cnil-san-2021-024"
    },
    {
      "slug": "cnil-san-2021-023",
      "regulator": "cnil",
      "caseRef": "SAN-2021-023",
      "date": "2021-12-31",
      "respondent": "GOOGLE LLC and GOOGLE IRELAND LIMITED",
      "finding": "Cookies were deposited on the terminals of users visiting google.fr without their prior consent, and the consent interface did not offer an equivalent refusal control alongside the acceptance control at the first interaction; users had to navigate to a secondary panel to refuse, breaching the freely-given and equivalent-refusal limbs of Article 82 of the French Data Protection Act.",
      "primarySourceUrl": "https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000044840062",
      "archiveUrl": "https://web.archive.org/web/20241230173721/https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000044840062",
      "fineEur": 150000000,
      "notes": "Fine split: EUR 90M against Google LLC + EUR 60M against Google Ireland Limited. Companion to SAN-2021-024 (Facebook) and SAN-2022-023 (Microsoft Bing). The 2025-09-01 Google decision (SAN-2025-004) is the follow-on under the same Article 82 framework.",
      "url": "https://www.consentmark.com/precedent/cnil-san-2021-023"
    },
    {
      "slug": "edpb-gl-07-2020",
      "regulator": "edpb",
      "caseRef": "GL-07-2020",
      "date": "2021-07-07",
      "respondent": "European Data Protection Board",
      "finding": "The notions of controller and processor are functional - they aim to allocate responsibilities according to the actual roles of the parties. A controller is the body which \"determines the purposes and means\" of the processing; a processor processes \"on behalf of the controller\". Where an entity defines what data is collected, for what purpose, with whom it is shared and for how long, it acts as a controller regardless of its self-description.",
      "primarySourceUrl": "https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-072020-concepts-controller-and-processor-gdpr_en",
      "archiveUrl": null,
      "fineEur": 0,
      "notes": "[Type: guidance] Non-enforcement guideline. Cite when the scanner narrative covers a vendor (analytics, tag-management, email-tracking) that self-classifies as Article 28 processor while in fact determining the purposes of processing - the AEPD Mailtrack PS-00388-2022 decision applies this guideline directly.",
      "url": "https://www.consentmark.com/precedent/edpb-gl-07-2020"
    },
    {
      "slug": "cnil-san-2020-013",
      "regulator": "cnil",
      "caseRef": "SAN-2020-013",
      "date": "2020-12-07",
      "respondent": "AMAZON EUROPE CORE",
      "finding": "When a user visited amazon.fr - including by following an advertisement link from a third-party site - a substantial number of advertising cookies were deposited on the terminal without any action on the user's part, and before any information was provided; the banner shown did not describe the purposes of those cookies or how to refuse them, in breach of Article 82 of the French Data Protection Act.",
      "primarySourceUrl": "https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000042635729",
      "archiveUrl": "https://web.archive.org/web/20241208090125/https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000042635729",
      "fineEur": 35000000,
      "notes": "Companion to SAN-2020-012 (Google). Cite together when the scanner narrative needs to anchor \"ad cookies on arrival without consent is unlawful\" against multiple respondents and not against a single one.",
      "url": "https://www.consentmark.com/precedent/cnil-san-2020-013"
    },
    {
      "slug": "cnil-san-2020-012",
      "regulator": "cnil",
      "caseRef": "SAN-2020-012",
      "date": "2020-12-07",
      "respondent": "GOOGLE LLC and GOOGLE IRELAND LIMITED",
      "finding": "Advertising cookies were automatically deposited on the user's terminal on google.fr without prior consent, and the information notice did not explain the purposes of all cookies or the means available to refuse them - a breach of Article 82 of the French Data Protection Act (the French transposition of Article 5(3) ePrivacy).",
      "primarySourceUrl": "https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000042635706",
      "archiveUrl": "https://web.archive.org/web/20240530121148/https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000042635706",
      "fineEur": 100000000,
      "notes": "The fine is split between the two respondents (EUR 60M against Google LLC and EUR 40M against Google Ireland Limited); fine_eur records the aggregate. CNIL is the lead authority on cookie enforcement under ePrivacy; quote this case whenever a scan finds advertising tags firing before consent on a French-language surface.",
      "url": "https://www.consentmark.com/precedent/cnil-san-2020-012"
    },
    {
      "slug": "ico-marriott-2020-10",
      "regulator": "ico",
      "caseRef": "marriott-2020-10",
      "date": "2020-10-30",
      "respondent": "Marriott International, Inc.",
      "finding": "An attacker placed a web shell on a Starwood guest-reservations system in or around July 2014 and maintained undetected access through Marriott's 2016 acquisition until September 2018, exfiltrating up to 339 million guest records (including 7 million UK records); Marriott failed to implement appropriate security measures to protect the personal data and to assess the Starwood IT estate adequately on acquisition, breaching Article 5(1)(f) and Article 32 GDPR.",
      "primarySourceUrl": "https://ico.org.uk/media2/migrated/2618524/marriott-international-inc-mpn-20201030.pdf",
      "archiveUrl": null,
      "fineEur": 21000000,
      "notes": "EUR amount approximate (round-trip from GBP 18.4M at the enforcement- date FX rate). The original notice of intent was GBP 99.2M; the pandemic-period discount and other mitigating factors reduced the final. Cite when the scanner narrative needs the precedent that acquisition due-diligence on the security posture of an acquired estate is a controller obligation, not just commercial good practice.",
      "url": "https://www.consentmark.com/precedent/ico-marriott-2020-10"
    },
    {
      "slug": "ico-ba-2020-10",
      "regulator": "ico",
      "caseRef": "ba-2020-10",
      "date": "2020-10-16",
      "respondent": "British Airways plc",
      "finding": "Between 22 June and 5 September 2018 a Magecart-style skimming attacker injected code into the BA website and mobile app payment pages and exfiltrated names, addresses, payment-card data and BA log- in credentials of approximately 429,612 customers and staff; British Airways failed to implement appropriate technical and organisational measures to secure the processing, breaching Article 5(1)(f) and Article 32 GDPR.",
      "primarySourceUrl": "https://ico.org.uk/media2/migrated/2618421/ba-penalty-20201016.pdf",
      "archiveUrl": null,
      "fineEur": 23000000,
      "notes": "EUR amount approximate (round-trip from GBP 20M at the enforcement- date FX rate). The original notice of intent was GBP 183.39M; the pandemic-period discount and other mitigating factors reduced the final to GBP 20M. The skimming-via-third-party-script pattern is directly relevant to scanner findings about supply-chain scripts on the payment page.",
      "url": "https://www.consentmark.com/precedent/ico-ba-2020-10"
    },
    {
      "slug": "cnil-delib-2020-092",
      "regulator": "cnil",
      "caseRef": "DELIB-2020-092",
      "date": "2020-09-17",
      "respondent": "Commission Nationale de l'Informatique et des Libertés",
      "finding": "The controller must offer users the option to accept and to refuse read/write operations on their terminal with the same degree of simplicity (Article 2.4, \"Modalités du refus\"); withdrawing consent must be as easy as giving it, and the means of withdrawal must be signposted before consent is collected (Article 3, \"Retrait et gestion du consentement\").",
      "primarySourceUrl": "https://www.legifrance.gouv.fr/cnil/id/CNILTEXT000042398022",
      "archiveUrl": null,
      "fineEur": 0,
      "notes": "[Type: guidance] Non-enforcement recommendation. CNIL's own description of a compliant cookie banner (symmetric accept/refuse, easy withdrawal, granular per-purpose consent). Original in French; `finding` paraphrases Article 2.4 + Article 3 in English. Companion binding text: Délibération 2020-091 (lignes directrices).",
      "url": "https://www.consentmark.com/precedent/cnil-delib-2020-092"
    },
    {
      "slug": "edpb-gl-05-2020",
      "regulator": "edpb",
      "caseRef": "GL-05-2020",
      "date": "2020-05-04",
      "respondent": "European Data Protection Board",
      "finding": "Valid consent requires \"a clear affirmative action\" by which the data subject signifies agreement; \"the use of pre-ticked opt-in boxes is invalid under the GDPR\" and \"silence or inactivity on the part of the data subject, as well as merely proceeding with a service\" cannot be regarded as an active indication of choice (paragraphs 75 and 79).",
      "primarySourceUrl": "https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-052020-consent-under-regulation-2016679_en",
      "archiveUrl": null,
      "fineEur": 0,
      "notes": "[Type: guidance] Non-enforcement document. Use this entry as the regulator-language anchor for the \"consent-gated done right\" zone of the scanner narrative - it defines what a compliant pattern looks like in the EDPB's own words. The verbatim quotes in `finding` come from paragraphs 75 (\"clear affirmative act ... active motion or declaration\") and 79 (\"pre-ticked opt-in boxes ... invalid\") of the consolidated v1.1 PDF hosted on edpb.europa.eu.",
      "url": "https://www.consentmark.com/precedent/edpb-gl-05-2020"
    }
  ]
}
