Biggest Compliance Fines of All Time (Banking, GDPR, CCPA & CIPA)
What are compliance penalties?
Compliance penalties are fines, sanctions, or legal judgments issued by regulators when a business violates applicable laws or regulations. They range from thousands of dollars for minor violations to billions for systemic financial fraud or data privacy breaches. The largest compliance fine in history is Bank of America's $30.6 billion settlement related to the 2008 subprime mortgage crisis.
Compliance risk used to be a problem mainly for banks. The institutions on the wrong end of a regulator's enforcement action were household names (JPMorgan, Deutsche Bank, Wells Fargo), and the fines were so large they registered as abstract numbers.
That changed. The compliance landscape now extends to any business that collects data from website visitors, sells to California residents, or operates in a jurisdiction covered by GDPR. The same regulatory logic that produced billion-dollar bank fines now applies to ecommerce stores using a TikTok pixel and SaaS companies ignoring Global Privacy Control signals.
This post covers four categories of compliance penalties: bank and financial regulatory fines, GDPR enforcement actions, CCPA penalties targeting ecommerce and online businesses, and the CIPA lawsuit wave that is currently hitting businesses of every size. Each category has its own enforcement bodies, fine structures, and risk profile.
Regulatory fines and penalties for banks (top 10)
Financial institutions face the steepest compliance penalties in history. The cases below were driven primarily by AML failures, fraud, and misconduct tied to the 2008 subprime mortgage crisis. They remain the largest regulatory fines ever issued against private companies.
For a dedicated breakdown of anti-money laundering fines specifically, see our full list of the biggest AML fines.
1. Bank of America: $30.6 Billion
The single largest compliance settlement in history, Bank of America's $30.6 billion in total fines spans multiple settlements tied to the subprime mortgage crisis. The bank paid $11 billion as part of a $25 billion agreement with the five largest US mortgage servicers, then $10.3 billion to Fannie Mae in 2013, then $9.3 billion to the Federal Housing Finance Agency in 2014. The core allegation across all three: Bank of America knowingly issued loans to unsuitable borrowers and misled investors about the quality of mortgage-backed securities.
2. JPMorgan Chase: $13 Billion
JPMorgan Chase agreed to a $13 billion settlement with the Department of Justice in 2013 for its role in selling defective residential mortgage-backed securities in the run-up to the 2008 financial crisis. The settlement also covered liabilities inherited from Bear Stearns and Washington Mutual, both of which JPMorgan acquired during the crisis. Of the total, $4 billion was designated for consumer relief.
3. BNP Paribas: $8.97 Billion
French banking giant BNP Paribas was ordered to pay $8.83 billion to the US government in 2015, plus $140 million in additional fines, after it was found to have processed billions of dollars in transactions on behalf of sanctioned countries including Sudan, Iran, and Cuba. The Department of Justice said BNP Paribas had "deliberately disregarded the law" and actively worked to conceal the transactions. The bank pleaded guilty to violating the International Emergency Economic Powers Act and the Trading with the Enemy Act.
4. Deutsche Bank: $7.2 Billion
Deutsche Bank agreed to a $7.2 billion settlement with the DOJ in 2016 for misleading investors in its sale of residential mortgage-backed securities ahead of the 2008 housing crash. Roughly $4.1 billion of that figure was set aside for consumer relief distributed over five years. Deutsche Bank was one of several major international banks that faced penalties for packaging and selling toxic assets while understating the underlying risk.
5. Goldman Sachs: $5.4 Billion
Goldman Sachs paid $5.4 billion to multiple global regulators in 2020 for its role in the Malaysian 1MDB scandal, in which billions of dollars were diverted from Malaysia's state investment fund by government officials and their associates. Goldman Sachs was accused of facilitating the money laundering that enabled the scheme. The bank additionally paid $1.4 billion directly to Malaysia as a restitution settlement.
6. Credit Suisse: $5.3 Billion
Credit Suisse settled for $5.28 billion with the DOJ in 2017 for its role in selling toxic residential mortgage-backed securities before the financial crisis. Approximately $2.48 billion was paid as a civil penalty, with $2.1 billion designated for consumer relief. Like Deutsche Bank and JPMorgan, Credit Suisse was found to have misrepresented the quality of the mortgage assets it was packaging and selling to investors.
7. Binance: $4.3 Billion
Cryptocurrency exchange Binance pleaded guilty in 2023 to running an ineffective anti-money laundering program and agreed to pay $4.3 billion to US regulators. Founder Changpeng Zhao stepped down as CEO as part of the settlement. Allegations included that Binance had knowingly facilitated transactions for sanctioned entities, including ransomware groups, North Korea, Iran, and terrorist organizations. The fine is the largest ever levied by the US Treasury Department and included a requirement for an independent compliance monitor.
8. Wells Fargo: $3.7 Billion
The Consumer Financial Protection Bureau settled with Wells Fargo for $3.7 billion in 2022 over allegations of widespread mismanagement across auto loans, mortgages, and deposit accounts. The CFPB found that customer payments were misapplied, incorrect interest charges were levied, and in severe cases consumers lost vehicles or homes as a result of bank errors. The settlement includes a $1.7 billion civil penalty and over $2 billion in direct restitution to affected customers.
9. Wells Fargo: $3 Billion
In a separate matter, Wells Fargo agreed to pay $3 billion to the DOJ and SEC in 2020 over its fake accounts scandal, in which employees opened millions of unauthorized banking and credit accounts under real customer names without consent. The scheme was driven by extreme internal sales quotas. Wells Fargo admitted that between 2002 and 2016, it had collected millions of dollars in fees from accounts customers never opened.
10. TD Bank: $2.6 Billion
Toronto-Dominion Bank provisioned $2.6 billion in 2024 ahead of expected US regulatory penalties following a federal probe into its AML compliance program. The investigation centered on branch employees who accepted bribes to facilitate the movement of funds linked to Colombian drug trafficking networks. Some analysts projected the total exposure could reach $4 billion. The case marked one of the most significant AML enforcement actions against a Canadian bank.
GDPR fines: The global data privacy benchmark
The General Data Protection Regulation, enforceable since May 2018, introduced fines of up to €20 million or 4% of global annual turnover, whichever is higher. It remains the largest source of data privacy enforcement globally, with total GDPR fines exceeding €4 billion across all cases to date.
The five entries below are the largest GDPR penalties on record. For the complete ranked list of 50+ GDPR enforcement actions, see our full breakdown of the biggest GDPR fines.
1. Meta: €1.2 Billion ($1.3 Billion)
The Irish Data Protection Commission issued a €1.2 billion fine against Meta in May 2023 for unlawfully transferring EU user data to US servers without adequate protections. The transfer violated GDPR Chapter V requirements, which mandate that data moved outside the EU must receive equivalent protection to that within the EU. It is the largest GDPR fine ever issued and the largest data privacy fine in European history.
2. Amazon: €746 Million ($886 Million)
Luxembourg's National Commission for Data Protection fined Amazon €746 million in 2021 for violations related to its advertising targeting system and how it processed personal data for behavioral advertising without a valid legal basis. Amazon disputed the decision, asserting that no data breach had occurred and no customer data had been improperly disclosed. The case reinforced that GDPR enforcement covers data processing practices, not just breaches.
3. Meta/Instagram: €405 Million
The Irish DPC fined Meta €405 million in 2022 over Instagram's handling of children's data. The investigation found that Instagram's default settings exposed the phone numbers and email addresses of users aged 13 to 17, and that the platform had allowed children to operate business accounts which made their contact details public. The case was one of several GDPR actions focused specifically on how platforms handle minors' personal information.
4. WhatsApp/Meta: €225 Million
The Irish DPC fined WhatsApp €225 million in 2021 for failing to be transparent about how it processed user data and shared information between WhatsApp and other Meta companies. The fine addressed GDPR transparency requirements under Articles 13 and 14, which require companies to clearly explain what data they collect, how it is used, and with whom it is shared.
5. TikTok: €345 Million
Ireland's DPC fined TikTok €345 million in 2023 for failures in how it processed children's data. The investigation found that TikTok had used privacy settings that defaulted to public for accounts belonging to users under 18, and that the platform's "Family Pairing" feature allowed adults to link to children's accounts without verification. The case underscored that children's data processing is a primary enforcement priority for European regulators.
CCPA enforcement fines against ecommerce companies
CCPA enforcement began in earnest in 2022 and has focused heavily on ecommerce and consumer brands. The California Attorney General and the California Privacy Protection Agency have made clear that missing opt-out mechanisms and failure to honor Global Privacy Control signals are primary enforcement triggers.
Unlike the GDPR, the CCPA does not use a tiered fine structure tied to revenue. Penalties are $2,500 per unintentional violation and $7,500 per intentional violation, with no cap on total exposure. For a business with millions of California visitors and no opt-out mechanism in place, the theoretical exposure is significant.
1. Sephora: $1.2 Million
In 2022, California Attorney General Rob Bonta fined Sephora $1.2 million in the first-ever CCPA enforcement action. Sephora was found to have failed to disclose that it was selling customer personal data and to have failed to process consumer opt-out requests submitted via the Global Privacy Control. The AG's office found that Sephora had not treated GPC signals as valid opt-out requests, which under CCPA they are required to do. Sephora was also ordered to conform its service provider agreements to CCPA requirements and to provide clear disclosures about data sales.
For a fuller account of Sephora's data practices, see our breakdown of the biggest data breach fines.
2. Honda/Tilted Pixel: $632,000
In 2024, the California AG settled with Honda and its adtech vendor Tilted Pixel for $632,000 over CCPA violations tied to Honda's data sharing practices with third-party advertising technology vendors. The investigation found that Honda's website was sharing personal information with adtech companies without adequate disclosure and without providing consumers a meaningful opt-out. The Tilted Pixel settlement was notable for holding a data vendor accountable alongside the brand, signaling that downstream adtech partners are not insulated from CCPA liability.
3. DoorDash: $375,000
The California AG fined DoorDash $375,000 in 2024 for selling customer personal data to a marketing cooperative without providing adequate notice or an opt-out mechanism. DoorDash contributed customer data including names, addresses, and order histories to the cooperative, which then used that data for targeted marketing. Consumers had no meaningful way to prevent the sharing. The case reinforced that "selling" data under CCPA includes indirect data-sharing arrangements, not just direct monetization.
4. Todd Snyder: $345,000
The California AG settled with fashion retailer Todd Snyder for $345,000 in 2024 over failure to honor Global Privacy Control signals. Todd Snyder's website was processing the personal data of California visitors for targeted advertising even when those visitors had activated GPC in their browsers, which constitutes a valid opt-out request under CCPA. The settlement is important precedent for any ecommerce brand: GPC signal compliance is not optional, and the AG is actively testing for it.
A note on enforcement trajectory: The CPPA, which gained independent enforcement authority in 2023, has signaled it will substantially increase the pace of CCPA enforcement actions in 2025 and 2026. GPC signal compliance, data broker registrations, and adtech data flows are stated enforcement priorities. Businesses with California-facing websites that have not audited their opt-out mechanisms are at material risk.
Is your website honoring CCPA opt-out signals automatically? See how Enzuzo handles CCPA compliance for ecommerce and SaaS businesses.
CIPA Lawsuits: The Compliance Risk Most Businesses Do Not See Coming
The California Invasion of Privacy Act is a 1967 wiretapping statute that is now being applied to standard website tracking technologies including pixels, analytics tools, session replay software, and third-party scripts. CIPA carries statutory damages of $5,000 per violation with no proof of actual harm required and includes a private right of action, meaning plaintiffs' attorneys can file without involving a regulator.
As of August 2025, more than 1,500 CIPA lawsuits had been filed in an 18-month period, targeting businesses across ecommerce, hospitality, healthcare, media, and consumer goods. The cases center on a single theory: that embedding a third-party tracking script on a website without prior consent constitutes unlawful interception of user communications under California law.
Senate Bill 690, which would have carved out routine commercial tracking from CIPA's scope, failed to advance in the 2025 California legislative session, leaving businesses fully exposed to the existing patchwork of inconsistent court rulings.
The exposure math: 10,000 California visitors multiplied by $5,000 per violation produces $50 million in theoretical exposure. Courts have not awarded anywhere near this in practice, but plaintiffs' attorneys use this number to pressure six-figure settlements before cases reach trial.
IHOP
The Los Angeles County Superior Court overruled IHOP's demurrer in October 2024 and allowed the CIPA case against the restaurant chain to proceed. The plaintiff alleged that IHOP had installed TikTok's tracking script on its website, which functioned as a trap-and-trace device by capturing incoming visitor data and transmitting it to TikTok without consent. The court found that the TikTok software constituted a "new technique" for eavesdropping of the type CIPA was intended to cover. The case is ongoing.
MSC Cruises
A CIPA trap-and-trace claim against MSC Cruises survived demurrer in the Los Angeles Superior Court and is proceeding toward trial. The complaint alleges that MSC's website used third-party tracking technology to collect visitor data without consent, in violation of California Penal Code Section 638.51. The case follows the same factual pattern as IHOP: a third-party script embedded on the website captures user data before any consent mechanism is presented.
Taylor Farms
Plaintiffs' firm Tauler Smith LLP prevailed at a pre-trial hearing in a CIPA trap-and-trace action against Taylor Farms, a large produce distribution company. The complaint alleged that Taylor Farms used trap-and-trace software on its website to collect customer data without permission. The case illustrates that CIPA exposure is not limited to consumer-facing ecommerce brands — any business with a public website and California visitors is in scope.
Converse
Converse has been targeted by CIPA claims twice. The first involved a chatbot vendor whose software allegedly intercepted user chat communications. The second alleged that a TikTok SDK embedded on the Converse website collected and transmitted visitor data for third-party profiling. Both cases were ultimately dismissed, but the Ninth Circuit affirmed dismissal only after the cases went through full litigation. Defending a CIPA claim to dismissal costs six figures in legal fees even when the defendant prevails.
Entravision
International media company Entravision was sued under CIPA's trap-and-trace provision after a plaintiff alleged that its website used TikTok software to record and gather personal data from every visitor, which then transmitted that data to TikTok's servers without consent. The case follows the same theory as IHOP and MSC Cruises and reflects the breadth of industries now being targeted by CIPA plaintiffs.
What triggers a CIPA demand letter: The most common trigger is a TikTok Pixel, Meta Pixel, or session replay script loading before the user has given consent. Plaintiffs' firms use automated scanning tools to identify websites running these scripts without a consent mechanism. A cookie banner that loads after the scripts fire does not resolve the underlying liability.
Is your website exposed to a CIPA demand letter? Speak with an Enzuzo CIPA expert to understand your options and reduce your liability.
Examples of corporate compliance violations: what these fines have in common
Across all four categories above, the violations that triggered these penalties share a consistent pattern. They are not primarily the result of deliberate bad actors. They are operational gaps that regulators and plaintiffs' attorneys are now actively scanning for.
The most common compliance violations that trigger regulatory fines and CIPA lawsuits:
Missing or non-functional consent mechanisms. GDPR requires opt-in consent before non-essential cookies fire. CCPA requires a functioning opt-out mechanism for data sales. CIPA requires consent before third-party tracking scripts capture visitor data. A cookie banner that loads after scripts have already fired does not satisfy any of these requirements.
Failure to honor opt-out signals. Both Sephora and Todd Snyder were fined specifically for failing to process Global Privacy Control signals as valid opt-out requests. GPC is a browser-level signal that California residents can activate to opt out of data sales across all websites they visit. Ignoring it is now an enforcement priority for the California AG.
Third-party tracking without disclosure. The DoorDash and Honda cases both involved sharing user data with adtech vendors or marketing cooperatives without telling users it was happening. Under CCPA, sharing data with a third party that uses it for its own purposes constitutes a "sale" and requires disclosure and opt-out.
Inadequate AML programs. The bank fines above were not exclusively cases of deliberate fraud. HSBC, BNP Paribas, and TD Bank all had AML programs that existed on paper but failed to detect or escalate suspicious transactions in practice. Regulators increasingly treat AML program failures as standalone violations, separate from the underlying misconduct.
Failure to report or disclose. Uber's $148 million fine stemmed not from the 2016 data breach itself but from the company's 14-month delay in disclosing it. Yahoo faced SEC penalties for a similar delay. Timely disclosure requirements exist under GDPR (72 hours), most US state privacy laws, and SEC rules for public companies.
The common thread: these were not problems that required new products or major investment to fix. They required operational visibility into what data was being collected, how it was being shared, and whether consent mechanisms were functioning correctly.
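The Sephora and Todd Snyder actions above turned on one concrete check: whether a site recognised the Global Privacy Control signal and stopped sharing data with adtech vendors when it was present. The following is an added example, not Enzuzo's code or anything from the enforcement actions, showing how a site can detect the signal on the server (the browser sends the request header `Sec-GPC: 1`, and page scripts see `navigator.globalPrivacyControl === true`) and then audit its own request records for the failure pattern the AG tested for. The vendor host names, the request records, and the assumption that third-party loads per page view are available to the audit are all constructed for the example.

```javascript
// Added example (not Enzuzo's code): recognise a GPC opt-out on the server
// and audit page views for "GPC was set, but a sale/share vendor still fired".

// Return true when the request carries a valid GPC opt-out signal.
// Header names are matched case-insensitively; only the literal value "1"
// counts, so a stray "0" or "true" is not mistaken for an opt-out.
function hasGpcSignal(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Hosts whose script loads count as a "sale" or "share" of personal
// information under CCPA. Hypothetical list for this example; a real site
// would derive it from its vendor inventory / data map.
const SALE_SHARE_VENDORS = new Set([
  "pixel.adnetwork.example",
  "sdk.socialads.example",
]);

// Audit a batch of page-view records. Each record holds the request headers
// the server saw plus the third-party hosts the page went on to contact
// (in practice reconstructed from CSP reports, a tag manager's load log, or
// a synthetic crawl). Returns the records where GPC was set but a
// sale/share vendor still loaded, i.e. the opt-out was not honoured.
function findGpcViolations(records) {
  const violations = [];
  for (const rec of records) {
    if (!hasGpcSignal(rec.headers)) continue;
    const leaked = rec.thirdPartyHosts.filter((h) => SALE_SHARE_VENDORS.has(h));
    if (leaked.length > 0) {
      violations.push({ path: rec.path, vendors: leaked });
    }
  }
  return violations;
}

// Constructed sample: one honoured opt-out, one violation, and one visitor
// who sent no signal at all (no opt-out to honour, so nothing to flag here).
const SAMPLE_RECORDS = [
  { path: "/products/1",
    headers: { "Sec-GPC": "1", "User-Agent": "Mozilla/5.0" },
    thirdPartyHosts: ["cdn.site.example", "measurement.site.example"] },
  { path: "/checkout",
    headers: { "sec-gpc": "1" },
    thirdPartyHosts: ["cdn.site.example", "pixel.adnetwork.example"] },
  { path: "/",
    headers: { "User-Agent": "Mozilla/5.0" },
    thirdPartyHosts: ["pixel.adnetwork.example", "sdk.socialads.example"] },
];

// Run the audit over the constructed sample; returns the flagged records.
function runAudit() {
  return findGpcViolations(SAMPLE_RECORDS);
}

console.log(JSON.stringify(runAudit()));
```

The same `hasGpcSignal` check belongs in request handling as well as in the audit: when it returns true, the server should record a "do not sell or share" preference for that visitor before any vendor tag is emitted, rather than relying on the visitor also clicking through a banner.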
Protect your business from a costly compliance mistake
Enzuzo is a consent management platform that handles cookie consent, CCPA opt-out, Google Consent Mode v2, and DSAR requests for ecommerce, SaaS, and agency businesses. It is the operational layer that closes the gaps described in every section of this post.
Start free, no credit card required. Or book a 20-minute demo to see how Enzuzo works for your specific setup.
Additional resources: Consent management platform · CCPA compliance software
FAQs
What is the largest compliance fine in history?
Bank of America holds the record with approximately $30.6 billion in total settlements tied to the 2008 subprime mortgage crisis, paid across three separate agreements with the DOJ, Fannie Mae, and the Federal Housing Finance Agency between 2012 and 2014.
What is the largest GDPR fine ever issued?
The largest GDPR fine on record is the €1.2 billion penalty issued against Meta by Ireland's Data Protection Commission in May 2023, for unlawfully transferring EU user data to US servers without adequate protections.
What was the first CCPA enforcement action?
The first CCPA enforcement action was against Sephora in 2022. The California Attorney General fined Sephora $1.2 million for failing to disclose that it was selling customer personal data and for failing to honor opt-out requests submitted via the Global Privacy Control.
What is CIPA and why does it matter for businesses with websites?
CIPA is the California Invasion of Privacy Act, a 1967 wiretapping statute now being applied to third-party tracking technologies on websites. Plaintiffs' attorneys argue that embedding tracking scripts such as Meta Pixel or TikTok Pixel without prior user consent constitutes unlawful interception of communications. CIPA provides for $5,000 per violation in statutory damages without requiring proof of harm. Any business with California website visitors running third-party tracking tools is potentially in scope.
Does a cookie banner protect a business from CIPA liability?
Only if the cookie banner prevents third-party scripts from firing before the user gives consent. A banner that loads after the scripts have already activated does not resolve the underlying liability. The correct implementation blocks all non-essential scripts by default until the user opts in.
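The point made here and in the "missing or non-functional consent mechanisms" item above is that a banner only helps if the tracking scripts are inert until consent exists. The following is an added example, not Enzuzo's consent manager or any vendor's code, of the gating pattern: non-essential tags are written with a non-JavaScript `type` so the browser parses but never executes them, and a small loader swaps them for live `<script>` tags only for the categories the visitor has accepted, treating a GPC signal as an override for the marketing category. The category names (`essential`, `analytics`, `marketing`), the `data-consent` attribute, and the sample tag list are assumptions made for the example.

```javascript
// Added example (not Enzuzo's code): a default-deny consent gate.
//
// Markup pattern assumed (hypothetical; CMPs use some variant of it):
//   <script type="text/plain" data-consent="marketing"
//           src="https://pixel.example/p.js"></script>
// "text/plain" is not a JavaScript MIME type, so the browser keeps the tag
// in the DOM but never runs it. Nothing fires before consent is recorded.

const ESSENTIAL = "essential"; // always allowed; no consent needed

// Decide which categories may run, given the stored consent record
// ({ analytics: true, marketing: false } or null when no choice was made)
// and whether the browser is sending a Global Privacy Control signal.
function resolveAllowedCategories(consent, gpcEnabled) {
  const allowed = new Set([ESSENTIAL]);
  if (!consent) return allowed; // no choice yet: default-deny everything else
  for (const [category, granted] of Object.entries(consent)) {
    if (granted) allowed.add(category);
  }
  // GPC is a valid opt-out of sale/sharing, so it overrides a stored
  // "marketing" grant even if the visitor clicked accept earlier.
  if (gpcEnabled) allowed.delete("marketing");
  return allowed;
}

// Planning step kept free of DOM access so it can be tested outside a
// browser: given queued tag descriptors, return the src values that may load.
function planActivation(queued, allowed) {
  return queued.filter((s) => allowed.has(s.category)).map((s) => s.src);
}

// Browser step: replace each permitted placeholder with an executable tag.
// Replacing the placeholder also removes it from the queue, so calling this
// again after the visitor changes a preference only activates new grants.
function activateConsentedScripts(consent) {
  if (typeof document === "undefined") return []; // not running in a browser
  const gpc = typeof navigator !== "undefined" && navigator.globalPrivacyControl === true;
  const allowed = resolveAllowedCategories(consent, gpc);
  const placeholders = Array.from(
    document.querySelectorAll('script[type="text/plain"][data-consent]')
  );
  const activated = [];
  for (const tag of placeholders) {
    if (!allowed.has(tag.dataset.consent)) continue;
    const live = document.createElement("script");
    if (tag.src) live.src = tag.src; else live.textContent = tag.textContent;
    live.async = true;
    tag.replaceWith(live);
    activated.push(live.src || "(inline)");
  }
  return activated;
}

// Constructed sample queue, as the loader would see it on a page.
const SAMPLE_QUEUE = [
  { category: "essential", src: "/app.js" },
  { category: "analytics", src: "https://stats.example/a.js" },
  { category: "marketing", src: "https://pixel.example/p.js" },
];

// Convenience wrapper used for demonstration: what would load for a given
// consent record and GPC state?
function whatWouldLoad(consent, gpcEnabled) {
  return planActivation(SAMPLE_QUEUE, resolveAllowedCategories(consent, gpcEnabled));
}

console.log("no choice yet:   ", whatWouldLoad(null, false));
console.log("accepted all:    ", whatWouldLoad({ analytics: true, marketing: true }, false));
console.log("accepted all+GPC:", whatWouldLoad({ analytics: true, marketing: true }, true));
```

In a page, `activateConsentedScripts(storedConsent)` runs once at load with whatever preference was previously saved, and again from the banner's accept handler; any tag still carrying `type="text/plain"` at that point has not executed, which is the property the CIPA and GDPR claims above turn on.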
What triggers a CCPA enforcement action?
The California AG's enforcement actions to date have focused on three primary triggers: failure to disclose data sales to consumers, failure to provide a working opt-out mechanism, and failure to honor Global Privacy Control signals as valid opt-out requests. The CPPA has indicated these will remain enforcement priorities through 2026.
Osman Husain
Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.