EuroComply
Zarejestruj się
Fine exposure

How much can my company be fined under ePrivacy?

ePrivacy carries penalties of up to Per member state (typically up to €20M). This page breaks down every fine tier by article, explains who is at risk, and shows live enforcement examples.

Maximum fine

Per member state (typically up to €20M)

Source: Directive 2002/58/EC

How ePrivacy penalties work

The ePrivacy Directive does not contain its own penalty provisions — enforcement is delegated entirely to Member States. However, where cookie and tracking violations also constitute GDPR violations (as they usually do, given cookies track personal data), DPAs can apply GDPR's Article 83 fines. This effectively means cookie non-compliance can attract the same maximum fines as the worst GDPR violations.

Fine tiers by article

GDPR Art. 83(5) (via ePrivacy overlap)

Cookie and tracking violations that also breach GDPR (most common)

€20,000,000

or 4% of global turnover

Applies to:

  • Cookie walls that make service access conditional on consent (CNIL decisions)
  • Pre-ticked cookie consent boxes (not freely-given consent)
  • Analytics cookies loading before consent (e.g. Google Analytics decisions in AT, SE)
  • Fingerprinting without consent
EUR-Lex — GDPR Art. 83(5) (via ePrivacy overlap)
National ePrivacy enforcement (non-GDPR violations)

Direct marketing, spam, and electronic communications privacy violations

Per member state — typically €50,000–€1,000,000+

Applies to:

  • Sending unsolicited commercial emails (spam) without consent
  • Cold-calling without prior consent or opt-out mechanism
  • Failure to provide an opt-out in marketing emails
EUR-Lex — National ePrivacy enforcement (non-GDPR violations)

Stacked exposure with other EU regulations

ePrivacy violations almost always stack with GDPR, since cookies typically process personal data. DPAs like CNIL and AEPD routinely apply GDPR penalties for cookie consent failures. The highest fines for cookie non-compliance have been in the tens of millions of euros.

Calculate your stacked fine exposure →

Frequently asked questions

What are the penalties for cookie consent violations?

Cookie consent violations are typically enforced under both ePrivacy (national law) and GDPR. Since cookies usually involve personal data, DPAs can apply GDPR Art. 83(5) fines up to €20M or 4% of global annual turnover. France's CNIL fined Google €150M and Meta €60M for cookie consent violations in 2022.

What is your stacked fine exposure across all EU regulations?

Calculate your combined risk across ePrivacy, GDPR, NIS2, AI Act, DORA, and more — free, no signup.

Open fine risk calculator — free
ePrivacy compliance guide

For informational purposes only. This is not legal advice — consult qualified legal counsel for advice specific to your situation.

Last updated: