About Cookie Fines

The most comprehensive open-source database tracking GDPR and ePrivacy enforcement actions across Europe.

What is Cookie Fines?

Cookie Fines is an open-source project that collects, categorizes, and analyzes enforcement actions related to cookie consent, tracking, and broader GDPR compliance across European jurisdictions.

We track over 4,851 enforcement actions spanning 33 countries, including fines, court rulings, CJEU precedents, complaints, warnings, and orders. Of these, 481 cases are specifically classified as cookie consent enforcement, making this the largest structured dataset of cookie-specific enforcement in the world.

Our goal is to provide transparency into how Data Protection Authorities (DPAs) enforce cookie and data protection regulations, helping businesses understand the real consequences of non-compliance and prioritize their privacy efforts.

Data Sources

All data is sourced from authoritative, publicly available enforcement databases and DPA publications:

GDPRhub (Primary)

Community-driven wiki cataloguing GDPR decisions, case law, and enforcement actions across all EU/EEA member states. Our primary data source.

Comprehensive GDPR fine database provided by CMS Law.Tax — one of Europe's largest law firms. Provides structured fine data with legal analysis. Data used under CC BY-NC-SA 4.0; attribution: enforcementtracker.com, provided by CMS Law.Tax.

French Data Protection Authority - the most active European DPA on cookie enforcement, responsible for landmark cases against Google and Meta.

Spanish Data Protection Authority - one of the most active DPAs in Europe by volume of enforcement actions.

Data Collection & Update Frequency

Data is collected and updated through a fully automated pipeline:

  1. Automated scrapers run daily to check GDPRhub, CMS Enforcement Tracker, and individual DPA websites for new enforcement actions.
  2. Deduplication engine matches new records against existing data using company name, country, date, and amount to prevent duplicates across sources.
  3. Classification pipeline automatically categorizes each action by scope (cookie consent vs. broader GDPR), violation type, and enforcement severity.
  4. AI verification (GPT-4o) provides cookie relevance scoring (0-100) for borderline cases, ensuring accurate scope classification.
  5. Data normalization standardizes company names, authority references, GDPR article citations, and currency amounts across all sources.

New enforcement actions are typically added within 24-48 hours of publication by the relevant DPA or court.

Data Quality & Verification

  • 100% summary coverage - all 4,851 records have full-text case summaries
  • Multi-source validation - records from GDPRhub and Enforcement Tracker are cross-referenced
  • AI-assisted classification - cookie relevance scores verified by GPT-4o for scope accuracy
  • 10 classified violation types - cookie-specific violations tagged with severity ratings
  • Structured GDPR articles - article citations parsed and normalized across all records
  • Source URLs preserved - every record links back to its original DPA publication or GDPRhub page

Risk Calculator Methodology

Our risk calculator uses a data-driven percentile model based on real enforcement data, not theoretical revenue-based formulas.

How it works

  1. We query all cookie-consent fines with a positive amount from the database (currently 252 cases across 15 countries).
  2. We filter by your selected violations (95% of fines are tagged with specific violation types).
  3. We narrow to your country if there are enough matching cases (3+), otherwise we use the full European dataset.
  4. We calculate the statistical distribution and return the 25th-75th percentile range as the “likely” estimate, with the 10th-90th percentile as the extended range.
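The four steps above as a runnable sketch. This is an added example, not the project's own code: the record fields, violation tags, any-overlap matching and linear-interpolation percentiles are assumptions, and the sample fines are constructed.

```python
# Constructed sample records; field names and violation tags are assumptions.
FINES = [
    {"country": "FR", "amount": 10000, "violations": {"no_consent"}},
    {"country": "FR", "amount": 20000, "violations": {"no_consent"}},
    {"country": "FR", "amount": 30000, "violations": {"no_consent", "no_reject_option"}},
    {"country": "FR", "amount": 40000, "violations": {"no_consent"}},
    {"country": "FR", "amount": 50000, "violations": {"no_consent"}},
    {"country": "ES", "amount": 2000, "violations": {"no_consent"}},
    {"country": "ES", "amount": 6000, "violations": {"no_consent"}},
    {"country": "IT", "amount": 0, "violations": {"no_consent"}},  # warning, no fine
    {"country": "DE", "amount": 100000, "violations": {"no_reject_option"}},
]

MIN_COUNTRY_CASES = 3  # the "3+" threshold from step 3


def percentile(sorted_amounts, p):
    """p-th percentile by linear interpolation (assumed method), in whole EUR."""
    k = (len(sorted_amounts) - 1) * p / 100
    lo = int(k)
    hi = min(lo + 1, len(sorted_amounts) - 1)
    return round(sorted_amounts[lo] + (sorted_amounts[hi] - sorted_amounts[lo]) * (k - lo))


def estimate(fines, selected, country):
    """Return the likely (P25-P75) and extended (P10-P90) ranges, or None."""
    # Steps 1-2: positive amounts only, sharing at least one selected violation.
    pool = [f for f in fines if f["amount"] > 0 and f["violations"] & selected]
    # Step 3: use the country subset only when it has enough cases.
    local = [f for f in pool if f["country"] == country]
    use_local = len(local) >= MIN_COUNTRY_CASES
    chosen = local if use_local else pool
    if not chosen:
        return None
    amounts = sorted(f["amount"] for f in chosen)
    # Step 4: percentile ranges over the chosen distribution.
    return {
        "scope": country if use_local else "Europe",
        "cases": len(amounts),
        "likely": (percentile(amounts, 25), percentile(amounts, 75)),
        "extended": (percentile(amounts, 10), percentile(amounts, 90)),
    }


if __name__ == "__main__":
    print(estimate(FINES, {"no_consent"}, "FR"))
    print(estimate(FINES, {"no_consent"}, "ES"))  # falls back to Europe
```

With only two Spanish cases in the sample, the second call falls back to the full dataset, which shows how the fallback widens the range for sparsely covered countries.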

Why not a formula?

Formula-based calculators (using revenue x percentage x multipliers) typically over-estimate cookie fines by 10-50x. In reality, the majority of cookie fines are well under EUR 100,000 and most fines are fixed amounts, not percentages of revenue.

Limitations

  • Some countries have very few cookie-specific fines, making country-level estimates less reliable.
  • Revenue data is not available for most fined companies, so we cannot model revenue-based variation.
  • The database covers publicly reported enforcement actions; sealed settlements may not be included.

How to Cite This Database

This database is freely available for research and journalism (non-commercial use only), in accordance with the CC BY-NC-SA 4.0 licence of the underlying data sources. When citing, please use:

Cookie Fines. (2026). GDPR & ePrivacy Cookie Enforcement Dataset. Retrieved from https://cookiefines.eu

Data exports are available on the Statistics page. If you redistribute this data, you must do so under the same CC BY-NC-SA 4.0 licence.

Data Licence

All enforcement data in this database is published under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0) licence, in compliance with the licensing terms of our upstream data sources.

This means you may:

  • Share — copy and redistribute the data in any medium or format
  • Adapt — remix, transform, and build upon the data

Under the following conditions:

  • Attribution (BY) — you must give appropriate credit to both Cookie Fines and the original data source (GDPRhub or CMS Enforcement Tracker)
  • NonCommercial (NC) — you may not use the data for commercial purposes
  • ShareAlike (SA) — if you remix or build upon the data, you must distribute your contributions under the same CC BY-NC-SA 4.0 licence

The source code of this website is licensed separately under the MIT licence. The data licence (CC BY-NC-SA 4.0) applies to the enforcement data content only.

Disclaimer

This database is provided for informational and educational purposes only. It does not constitute legal, financial, or compliance advice. The risk calculator provides statistical estimates based on historical data and should not be relied upon as a prediction of actual enforcement outcomes.

Data is aggregated from publicly available sources and may contain inaccuracies. AI-generated summaries may not perfectly reflect official DPA decisions. Always consult with qualified legal professionals for specific compliance guidance.

Read our full Disclaimer and Privacy Policy.

Project Transparency

Cookie Fines is an independent, non-commercial, open-source project focused on increasing transparency in European data protection enforcement. The project is not affiliated with any DPA, law firm, or compliance vendor.

Data Freshness

Automated scrapers run daily. The database currently contains 4,851 enforcement actions across 33 countries, with the largest tracked fine being €1.2B against Meta Ireland (Ireland).

Methodology

All data passes through a 5-stage pipeline: scraping, deduplication, classification, AI verification (GPT-4o), and normalization. Each record includes a source URL linking to the original DPA publication or GDPRhub entry for independent verification.

Last database update: 6 March 2026 · Updated daily via automated pipeline