Cookie consent fines aren't just for big tech anymore. European DPAs issued over 2,000 GDPR fines in 2024-2025, with cookie consent among the most common violations. Fines range from €5,000 for small businesses to €746M for Amazon. US enforcement under CCPA is accelerating on the same trajectory. The cost of a CMP ($50-350/mo) is a fraction of even the smallest fine, making compliance the obvious financial choice.
There's a persistent myth that cookie consent enforcement only targets big tech companies. That was arguably true in 2018-2019, during the GDPR's early days. In 2026, it's demonstrably false. European data protection authorities issued over 2,000 GDPR fines in 2024-2025 alone, and cookie consent is one of the most common violation categories. US enforcement under state privacy laws is following the same trajectory.
The headline fines everyone knows
These get the press coverage:
| Company | Fine | Authority | Year | Violation |
|---|---|---|---|---|
| Amazon | €746M | CNPD (Luxembourg) | 2021 | Processing personal data without proper consent |
| Meta (WhatsApp) | €225M | DPC (Ireland) | 2021 | Transparency and consent failures |
| | €150M | CNIL (France) | 2022 | Making cookie rejection harder than acceptance |
| Meta (Facebook) | €60M | CNIL (France) | 2022 | No easy mechanism to refuse cookies |
| Criteo | €40M | CNIL (France) | 2023 | Processing data without valid consent |
| TikTok | €5M | CNIL (France) | 2023 | Non-compliant cookie consent mechanism |
| Microsoft | €60M | CNIL (France) | 2022 | Cookie deposit without consent on Bing |
Notice a pattern? France's CNIL has been the most aggressive enforcer of cookie consent specifically. But they're not alone.
The fines you don't hear about
What doesn't make headlines is the steady stream of smaller fines hitting mid-size and small businesses:
- Germany's state DPAs have issued dozens of cookie-related fines ranging from €5,000 to €300,000
- Spain's AEPD has fined companies as small as local retailers for cookie consent violations
- Italy's Garante has issued fines specifically for pre-checked cookie consent boxes and missing reject buttons
- Belgium's APD fined a news website €50,000 for using non-compliant cookie walls
- The Dutch DPA fined a medical website €440,000 for sharing health data via cookies without consent
The US is catching up fast
European fines get the most attention, but US enforcement is accelerating:
- California AG and CPPA have ramped up CCPA enforcement, with fines of $2,500-$7,500 per violation (per consumer, per incident)
- Sephora paid $1.2 million in 2022 (the first major CCPA settlement) for failing to honor opt-out requests and selling data without disclosure
- Multiple states now require honoring Global Privacy Control (GPC), and failure to do so is a per-visitor violation
- Class action lawsuits under CCPA's private right of action for data breaches are increasingly common
- With 20 states now having privacy laws, the compliance surface area has exploded
The math on US fines is particularly scary: $7,500 per intentional violation × thousands of affected consumers = potential fines in the millions, even for mid-size businesses.
Beyond fines: the hidden costs
Fines are the obvious cost. But non-compliance has other consequences that can be even more expensive:
Legal costs
Responding to a DPA investigation or a CCPA complaint requires legal counsel. Even if you're not fined, the legal fees for responding to an investigation typically run $20,000-$100,000+ depending on complexity and jurisdiction.
Lost data and degraded advertising
Without proper consent management, you can't legally use analytics data from EU visitors or run targeted advertising to them. Google Consent Mode v2 enforcement means websites without proper consent lose conversion tracking, remarketing capabilities, and audience insights for EU traffic.
Reputation damage
GDPR fines are public. They show up in Google searches for your company name. For B2B companies, being on a GDPR enforcement list can cost deals. Enterprise customers increasingly require privacy compliance evidence during procurement.
Operational disruption
Some DPAs can issue processing bans, ordering you to stop collecting data entirely until you're compliant. This can shut down your advertising, analytics, and personalization overnight.
The cost of compliance vs. the cost of a fine
Let's put this in perspective:
| | Compliance Cost | Non-Compliance Risk |
|---|---|---|
| CMP tool | $49-$349/mo ($588-$4,188/yr) | - |
| Legal review | $2,000-$5,000 one-time | - |
| Implementation time | 1-4 hours | - |
| Total year 1 | $2,600-$9,200 | - |
| Minimum GDPR fine | - | €10,000-€50,000 |
| Average mid-size fine | - | €50,000-€500,000 |
| Legal defense costs | - | $20,000-$100,000+ |
| Lost ad data (annual) | - | $10,000-$100,000+ in degraded campaigns |
The math isn't close. A year of full compliance costs less than the legal fees alone for responding to a single DPA investigation.
How to get compliant today
The good news: getting compliant is straightforward and fast. Here's the minimum viable compliance stack:
- Implement a consent management platform. This handles cookie consent, script blocking, and consent records
- Enable Google Consent Mode v2. Most CMPs support this out of the box
- Run a cookie scan. Know what cookies your site sets and categorize them correctly
- Add geo-targeting. Show GDPR banners in the EU, CCPA opt-out in California
- Honor GPC signals. Required by California, Colorado, Connecticut, Texas, Oregon, and a growing list of other states
- Update your privacy policy. Disclose what data you collect, why, and how users can exercise their rights
- Set up a process for consumer rights requests: access, deletion, correction
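To make the geo-targeting, GPC and Consent Mode v2 steps concrete, here is an added sketch (not code from any CMP or from this article's author) of how a server could pick the banner and the default consent state for each visitor. The function names, the result shape, the geo-IP inputs and the mapping of GPC onto the advertising signals are assumptions; GPC is honored for every non-EU visitor, so a wrong geo-IP guess cannot cause a missed opt-out in the states listed above.

```javascript
// Added example: names, result shape and the GPC-to-signal mapping are assumptions.
// EU member states by ISO 3166-1 alpha-2 code.
const EU = new Set(['AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE',
  'GR', 'HU', 'IE', 'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK', 'SI',
  'ES', 'SE']);

// The four Google Consent Mode v2 signals.
const SIGNALS = ['ad_storage', 'analytics_storage', 'ad_user_data', 'ad_personalization'];
const all = (value) => Object.fromEntries(SIGNALS.map((s) => [s, value]));

// Global Privacy Control arrives as the request header "Sec-GPC: 1".
// Header names are case-insensitive; any value other than "1" is not a signal.
function hasGpc(headers) {
  const h = headers || {};
  const name = Object.keys(h).find((k) => k.toLowerCase() === 'sec-gpc');
  return name !== undefined && String(h[name]).trim() === '1';
}

// country and region come from a geo-IP lookup (hypothetical input), e.g. 'US' and 'CA'.
function consentDefaults({ country, region, headers } = {}) {
  const gpc = hasGpc(headers);
  const cc = country ? String(country).toUpperCase() : '';

  // Fail closed: EU visitors, and visitors we cannot locate, get opt-in defaults.
  // Nothing non-essential runs until the visitor accepts in the banner.
  if (!cc || EU.has(cc)) {
    return { banner: 'gdpr-opt-in', gpc, signals: all('denied') };
  }

  // Opt-out regime: tracking is on by default, but a GPC signal is an opt-out.
  // Assumed mapping: GPC denies the advertising signals and leaves analytics on.
  const signals = all('granted');
  if (gpc) {
    for (const s of SIGNALS) {
      if (s !== 'analytics_storage') signals[s] = 'denied';
    }
  }

  const california = cc === 'US' && String(region || '').toUpperCase() === 'CA';
  return { banner: california ? 'ccpa-opt-out' : 'none', gpc, signals };
}
```

The `signals` object has the shape that `gtag('consent', 'default', ...)` expects, so it can be rendered into the page before any tag loads.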
The bottom line
Cookie consent enforcement is no longer theoretical, no longer limited to big tech, and no longer limited to Europe. The cost of compliance is a rounding error compared to the cost of getting caught. The only question is whether you'd rather spend $50/month now or $50,000+ later.