Enforcement Tracker



    The OneTrust privacy team tracks, categorizes, and indexes enforcement decisions around the globe. An “enforcement decision” includes both regulatory actions by a data protection authority (e.g. CNIL, Garante, FTC, etc.) and judicial decisions (e.g. U.S. District Court, CJEU, etc.). Some decisions include a monetary penalty and others require some sort of conforming behavior (e.g. provide notice, cease misrepresentation, etc.) while others have no penalty at all. We will continue to update this page with the most recent and relevant enforcement information from across regions, industries, and time periods.

    Last Updated: May 18, 2019

  • Recent Decisions

    The first quarter of 2019 has already seen a flurry of enforcement activity resulting in more than $100,000,00 in fines across the world. Check out the table below to learn more:

    Table columns: Entity Name, Infraction Date, Fine Amount (USD)
    Entities listed:
    • SCL Elections Ltd (aka Cambridge Analytica)
    • Integrated Health Information Systems
    • Cottage Health
    • Tik Tok
  • Global Enforcement In Review

    Globally, across every sector and region, the average fine amount in 2018 was nearly $9.3 million. Many of the largest fines came in response to breaches that occurred in 2015-2016 (see below). Of the non-monetary penalties, most required the infracting party to either cease the infracting behavior or provide some further information to data subjects (e.g. publish notice). Interestingly, the United States, United Kingdom, and Italy remain at the top of the list in terms of fine amounts.

    Further Reading

    United States

    United Kingdom



  • Region

    The United States, the United Kingdom, and Singapore led the pack in 2018 in terms of issuing the greatest number of enforcement decisions. With the GDPR going into effect in May 2018, we began to see enforcement actions increase around Europe, notably in France. Among the countries in Asia, Singapore was the most active in enforcement both in 2018 and in 2017.

    2019 has already produced two major enforcement actions, one in France and the other in the United States. We are interested in what the regional breakdown will look like this year.

    Further Reading

    1. UK: Information Commissioner’s Office Annual Report 2017-2018
    2. France: “2017 The CNIL In a Nutshell”
    3. Italy: Garante’s “Annual Report 2017” 
  • Sector

    77% of the enforcement decisions in 2018 involved a fine. The graph below illustrates the different levels (bands) of these penalties across various sectors. The Consumer Discretionary sector (retail, hospitality, marketing) saw the most enforcement actions last year, and Non Profits the least. The Healthcare sector’s floor for fine amounts was the highest ($100K – $1M) among all sectors with fines in two bands, indicative of the heightened risk and scrutiny in the healthcare industry. The Information Technology sector (software, internet, social media, etc.) had the most Band 1 fines of any sector and tied with the Consumer Discretionary sector for the most Band 5 fines. Interestingly, while the Education and Finance sectors saw an equal number of enforcement decisions, the Finance sector on average faced a higher fine amount.

  • Frequency

    Comparing enforcement action history from 2017 to 2018 we can see several interesting trends and observations.

    • Globally, enforcement decisions per year seem to be behaving in a cyclical or wavelike pattern.
    • In 2017, Q2 and Q3 were very active quarters. This may be explained in part by the UK’s Information Commissioner’s Office (ICO) action against 11 UK charities in April 2017. Q2 and Q3 were active quarters in 2018 as well.
    • November was the most active month in 2018 with a total of 15 enforcement actions globally.

