
Is your website exposed to privacy fines?

Find out your real exposure in 2 minutes. Based on actual DPA enforcement decisions — not theoretical legal maximums.

Takes 2 minutes, no registration. Covers GDPR, UK GDPR, CCPA and LGPD.
€6.2B: total fines issued in Europe since 2018
2,800+: enforcement cases concluded by DPAs
€2.36M: average fine per individual case
60%: of all fines issued since January 2023

Source: CMS GDPR Enforcement Tracker · DLA Piper GDPR Fines and Data Breach Survey 2025

Calculate your exposure in 2 minutes

Answer 8 questions about your situation. Receive a personalised estimate based on real enforcement data.

Not just Meta and Google. Authorities sanction every sector.

When GDPR fines are mentioned, the focus goes to the billions imposed on big tech. But these numbers distort reality: the vast majority of enforcement cases involve ordinary businesses — e-commerce sites, media outlets, agencies, SMEs of every kind.

Spain is the European country with the most enforcement cases: over 932 published cases, most against small local businesses. In Italy, the Garante adopted 468 corrective and sanctioning measures in 2024, totalling over €24 million in fines, involving SMEs and professionals alongside large companies. In France, the CNIL imposed a €750,000 fine on vanityfair.fr in November 2025 for cookies placed before consent, a repeated violation after a prior formal notice. In September 2025, Shein received a €150 million fine from the same authority for the same type of infringement.

The common thread is not company size, but the violation: tracking scripts active without consent, missing or non-compliant cookie banners, advertising pixels firing before the user has chosen. These are widespread technical issues — and authorities verify them actively, including through sample checks on smaller sites.

Media / Magazine · France · €750,000 (CNIL · November 2025 · vanityfair.fr)
Cookies placed before consent. Refusal mechanism not equivalent to acceptance. Repeated violation after prior formal notice.

E-commerce · France · €150,000,000 (CNIL · September 2025 · shein.com)
Advertising cookies placed without consent, even before the banner was displayed. No equivalent reject mechanism.

SMEs and professionals · Italy · €24M total in 2024 (Garante Privacy · Annual Report 2024)
In 2024 the Garante adopted 468 corrective and sanctioning measures totalling over €24 million. SMEs and professionals are among the subjects involved alongside large companies.

Some of the most frequent causes of enforcement action

Not all GDPR violations carry the same likelihood of being sanctioned. European authorities focus their inspections on three specific areas — which affect almost all websites that use marketing and analytics tools.

No cookie banner or non-compliant banner
Without a banner that allows users to reject as easily as they accept, any active tracking script (Google Analytics, Meta Pixel, Hotjar) is potentially unlawful. The banner must precede script activation, not follow it.
Typical fines observed: €5,000 – €100,000+

Tracking pixels and scripts without consent
Meta Pixel, Google Ads, remarketing scripts: if they fire before the user has chosen from the cookie banner, every session recorded is data collected without a legal basis. The Garante includes cookie tools among its 2025 inspection priorities, with checks carried out by the Guardia di Finanza.
Typical fines observed: €20,000 – €200,000

No data processing agreements with vendors
GDPR Art. 28 requires a written data processing agreement with every vendor handling data on your behalf: hosting, CRM, newsletter tools, analytics platforms. Its absence is an independent procedural violation, sanctionable separately from other breaches.
Estimated additional risk: €5,000 – €25,000

Frequently asked questions

How are privacy compliance fines calculated?
Privacy compliance fines are calculated based on several factors, including those set out in EDPB Guidelines 4/2022: the nature and severity of the violation, the organisation's turnover, the number of individuals affected, whether the violation was intentional or negligent, measures taken to mitigate harm, and cooperation with the authority. The legal maximum is €20 million or 4% of global annual turnover, whichever is higher. In practice, fines for SMEs are often well below the maximum but remain significant.
Do privacy compliance fines apply to small businesses?
Yes. European supervisory authorities have sanctioned many SMEs with fines ranging from €5,000 to €100,000 or more, primarily for cookie and tracking violations. Spain has published over 932 enforcement cases — the majority against small local businesses, not large tech groups.
What is a cookie consent banner and why is it mandatory?
A cookie consent banner is the mechanism through which a website obtains user consent before activating tracking scripts and advertising cookies. It is mandatory under applicable privacy regulations. The banner must allow users to refuse as easily as they accept — a simple 'OK' without a visible 'Reject' option is not compliant. It must appear on first visit, before any non-essential script is executed.
Do I need a Data Protection Officer (DPO)?
A DPO is mandatory for public bodies, organisations that process sensitive data on a large scale, and those that carry out systematic monitoring of individuals (Art. 37 of applicable privacy regulations). For SMEs with standard activities it is not required, but is recommended as an accountability tool. An external DPO can be appointed — they do not need to be an employee.
What is the difference between GDPR and the other regulations covered by the calculator?
GDPR applies to any organisation that processes data of EU users, regardless of where it is based. UK GDPR is the post-Brexit British version, almost identical but enforced by the ICO. CCPA/CPRA applies to businesses collecting data from California residents above certain thresholds. LGPD is Brazil's privacy law. A website can be subject to multiple regulations simultaneously — the calculator supports multiple selection.
How accurate is the calculator?
The calculator provides indicative estimates, not certain amounts. Estimates are based on EDPB Guidelines 4/2022 on fine calculation, real decisions published by European supervisory authorities, and multipliers calibrated by sector, turnover and specific risk factors. Actual fines depend on the discretion of the competent authority. This tool does not constitute legal advice. For a complete assessment, consult a qualified privacy professional.
Methodological note. The calculator's estimates are based on EDPB Guidelines 4/2022 for administrative fine calculation, real decisions published by the Garante, CNIL, AEPD and the CMS Law GDPR Enforcement Tracker. Risk multipliers (sector, aggravating factors, agency role) are derived from statistical analysis of real cases. Values produced are indicative and may differ significantly from fines in an actual enforcement proceeding. Always consult a professional before making decisions based on these estimates.
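The two technical conditions the enforcement cases above turn on (no non-essential script may execute before the user has chosen, and refusing must be as easy as accepting, with a visible reject option on the first layer) can be enforced in the page's own code rather than left to the banner vendor. The following is an added example written for this page; it is not code from the page or from the calculator's authors. The tag URLs, the category names and the injected loader callback are illustrative assumptions, and the sample tags are constructed. The gate queues every tag until a decision exists (default deny), the ungated path shows the pattern the CNIL decisions sanction, and the audit function reports the findings a compliance review would raise.

```javascript
// Consent-gated loading of tracking tags (added example, not the page's code).
// Modelled properties:
//   1. no non-essential script runs until the user has chosen (default deny);
//   2. reject is offered on the first layer and is one action, like accept.
// Category names, tag URLs and the loadScript callback are assumptions.

const ALL_CATEGORIES = ['analytics', 'marketing'];

// createConsentGate(loadScript): tags registered before a decision are queued.
// loadScript(src) is injected so the same logic serves a browser (append a
// <script> element) or an offline test (record the URL).
function createConsentGate(loadScript) {
  const queued = [];   // tags registered before any decision
  const loaded = [];   // script URLs actually handed to loadScript
  let decision = null; // null = no choice yet; everything non-essential stays off

  function maybeLoad(tag) {
    if (decision && decision[tag.category] === true) {
      loadScript(tag.src);
      loaded.push(tag.src);
      return true;
    }
    return false; // rejected category, or no decision yet
  }

  // register({ src, category }) replaces an inline tag snippet in the HTML.
  // Returns true only if the tag loaded immediately.
  function register(tag) {
    if (decision === null) { queued.push(tag); return false; }
    return maybeLoad(tag);
  }

  // decide('accept') | decide('reject') | decide({ analytics: true })
  // Accept and reject are both a single call; a granular object fills in
  // false for every category it omits. Returns how many queued tags fired.
  function decide(choice) {
    const denyAll = Object.fromEntries(ALL_CATEGORIES.map((c) => [c, false]));
    if (choice === 'accept') decision = Object.fromEntries(ALL_CATEGORIES.map((c) => [c, true]));
    else if (choice === 'reject') decision = denyAll;
    else decision = { ...denyAll, ...choice };
    return queued.splice(0).filter(maybeLoad).length;
  }

  return { register, decide, loaded: () => loaded.slice(), pending: () => queued.length };
}

// Constructed sample tags standing in for an analytics script and an ad pixel.
const SAMPLE_TAGS = [
  { src: 'https://analytics.example/tag.js', category: 'analytics' },
  { src: 'https://ads.example/pixel.js', category: 'marketing' },
];

// simulateVisit(choice, gated): replays one page view and records which
// scripts fired before and after the user's choice. gated=false reproduces
// the sanctioned pattern: tags fire on page load, before any decision.
function simulateVisit(choice, gated = true, tags = SAMPLE_TAGS) {
  const beforeChoice = [];
  const afterChoice = [];
  let chosen = false;
  const loadScript = (src) => (chosen ? afterChoice : beforeChoice).push(src);
  const gate = createConsentGate(loadScript);
  for (const tag of tags) {
    if (gated) gate.register(tag);
    else loadScript(tag.src); // legacy: tag snippet inline in the HTML
  }
  chosen = true; // the user now answers the banner
  gate.decide(choice);
  return { beforeChoice, afterChoice };
}

// auditBanner(): findings a compliance review would raise for one banner.
// firstLayerActions are the buttons visible on the first visit.
function auditBanner({ firstLayerActions, visit }) {
  const findings = [];
  if (visit.beforeChoice.length > 0)
    findings.push(`scripts executed before consent: ${visit.beforeChoice.join(', ')}`);
  if (!firstLayerActions.includes('reject'))
    findings.push('no reject option on the first layer of the banner');
  return findings;
}

// Usage: a gated visit where the user rejects fires nothing; the ungated
// legacy page fires both tags before the banner is even answered.
console.log(auditBanner({ firstLayerActions: ['accept', 'reject'], visit: simulateVisit('reject') }));
console.log(auditBanner({ firstLayerActions: ['ok'], visit: simulateVisit('reject', false) }));
```

The design choice that matters is the default: `decision` starts as `null`, so a tag registered at any point before the banner is answered is queued rather than executed, and a tag registered after a rejection is dropped rather than deferred. Keeping the loader injectable is what makes the behaviour testable offline, which is also how a site can verify its own banner before an authority's sample check does.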

Contact Us

Have questions about GDPR compliance or need a personalised assessment? Get in touch with our team.
