What Happens When You Don't Collect Consent: Real Fines & Case Studies
Think consent banners are optional? Think a simple cookie notice is enough? The regulators disagree — and they have the receipts. Since GDPR took effect in 2018, data protection authorities across Europe and beyond have issued over €4.5 billion in fines. Many of these were directly related to failures in collecting valid user consent.
Here are the real cases, the real numbers, and what they mean for your business.
The Biggest Consent-Related Fines in History
Meta (Facebook/Instagram) — Ireland, 2023
The Irish DPC found that Meta transferred EU user data to the US without valid legal mechanisms and proper consent. This remains the largest GDPR fine ever issued. Meta was also fined €390 million in January 2023 for forcing users to accept personalized advertising as a condition of using Facebook and Instagram — a clear violation of the "freely given" consent requirement.
Amazon — Luxembourg, 2021
Amazon was fined for processing personal data for targeted advertising without proper consent from users. The Luxembourg data protection authority (CNPD) determined that Amazon's advertising targeting system did not comply with GDPR consent requirements.
Google — France (CNIL), 2022
The CNIL fined Google because its cookie consent mechanism on google.fr and youtube.com made it easy to accept all cookies with one click, but required multiple clicks to reject them. This asymmetric design — making rejection harder than acceptance — was ruled a violation of the "freely given" consent principle.
TikTok — Ireland, 2023
TikTok was fined for processing children's personal data without adequate consent and transparency measures. The DPC found that children's accounts were set to public by default and that the platform's privacy settings were not sufficiently accessible.
Criteo — France (CNIL), 2023
The ad-tech company was fined for collecting browsing data of millions of users via tracking cookies without proving that valid consent had been obtained. The CNIL found that Criteo could not demonstrate a valid consent chain from the websites where cookies were placed.
It's Not Just Big Tech: Small Business Fines
Don't think fines are only for tech giants. Data protection authorities across Europe regularly fine small and medium businesses for consent violations:
- Spanish AEPD: Regularly issues fines of €2,000 to €60,000 to small businesses for dropping cookies without consent or missing cookie policies.
- Italian Garante: Fined a small e-commerce site €20,000 for using Google Analytics without valid consent transfer mechanisms.
- French CNIL: Fined a health website €150,000 for collecting sensitive data via forms without explicit consent.
- Austrian DSB: Ruled that the use of Google Analytics without consent was illegal, setting a precedent that affected thousands of businesses.
- Belgian DPA: Fined IAB Europe €250,000 for TCF consent string issues, demonstrating that even the consent framework itself is subject to enforcement.
Beyond Fines: The Hidden Costs
Financial penalties are just the tip of the iceberg. The real damage often includes:
- Reputational harm: GDPR fines are public record. Your brand gets associated with privacy violations in news coverage and search results.
- Loss of advertising revenue: Without a certified CMP, Google may restrict ad serving in the EEA. Publishers have reported 30-70% revenue drops when their consent setup is non-compliant.
- Legal costs: Defending against complaints, responding to DPA investigations, and restructuring data practices can cost hundreds of thousands in legal fees.
- Operational disruption: DPAs can order you to stop processing data entirely until compliance is achieved — effectively shutting down your online business.
- Class action risk: GDPR enables collective legal action. Consumer organizations in Austria, France, and Germany have filed class actions against companies for consent violations.
The Most Common Consent Mistakes That Lead to Fines
- Pre-ticked consent boxes: GDPR explicitly prohibits this. Consent must be an affirmative action.
- Cookie walls: Blocking access to content unless users accept all cookies is not "freely given" consent.
- Asymmetric buttons: Making "Accept" prominent while hiding or minimizing "Reject" violates the freely given principle.
- Bundled consent: Combining consent for multiple purposes into a single "Accept" action denies users the specific choice they are entitled to.
- No withdrawal mechanism: If users cannot easily change or withdraw consent, your entire consent collection is invalid.
- Missing consent records: Without timestamped logs showing who consented, when, and to what, you cannot prove compliance during an audit.
- Tracking before consent: Loading analytics, ad pixels, or marketing scripts before the user makes a choice is the most common — and most easily detected — violation.
How Regulators Detect Non-Compliance
Data protection authorities don't just wait for complaints. They actively scan websites using automated tools that detect:
- Cookies being set before any consent interaction
- Missing or incomplete consent banners
- Invalid or expired consent strings
- Tracking scripts firing before consent is recorded
- Asymmetric banner designs that favor acceptance
The French CNIL, for example, has scanned thousands of websites and issued dozens of fines based purely on automated detection — without any user complaint.
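You can run the same kind of check against your own site before a regulator does. The following is an added example, not code from any regulator's tool or from FlexyConsent: it replays a recorded page load and flags analytics or marketing activity that happened before the visitor made a choice, or after a choice that did not cover that category. The event format (`t`, `type`, `name`, `url`, `granted`) and the short rule list are assumptions made for illustration.

```javascript
// Illustrative rules: well-known analytics/marketing cookie names and hosts.
const NON_ESSENTIAL = [
  { category: "analytics", cookie: /^_(ga|gid|gat)/,
    host: /(^|\.)google-analytics\.com$/ },
  { category: "marketing", cookie: /^(_fbp|_gcl_au|IDE)$/,
    host: /(^|\.)(doubleclick\.net|facebook\.net)$/ },
];

// Returns the consent category an event needs, or null if it matches no rule.
function classify(ev) {
  for (const rule of NON_ESSENTIAL) {
    if (ev.type === "cookie" && rule.cookie.test(ev.name)) return rule.category;
    if (ev.type === "request" &&
        rule.host.test(new URL(ev.url).hostname)) return rule.category;
  }
  return null;
}

// Replays a capture in time order and reports tracking that was not covered
// by the consent state in force at that moment.
function auditCapture(events) {
  const ordered = [...events].sort((a, b) => a.t - b.t);
  let granted = null; // null = visitor has not interacted with the banner yet
  const findings = [];
  for (const ev of ordered) {
    if (ev.type === "consent") { granted = new Set(ev.granted); continue; }
    const category = classify(ev);
    if (category === null) continue;
    const what = ev.name || ev.url;
    if (granted === null) {
      findings.push({ t: ev.t, what, category, reason: "before-consent" });
    } else if (!granted.has(category)) {
      findings.push({ t: ev.t, what, category, reason: "category-not-granted" });
    }
  }
  return findings;
}

// Constructed capture (t = ms since navigation start), not real traffic.
const capture = [
  { t: 120, type: "request", url: "https://www.example.test/app.js" },
  { t: 180, type: "request", url: "https://www.google-analytics.com/analytics.js" },
  { t: 210, type: "cookie", name: "_ga" },
  { t: 230, type: "cookie", name: "session_id" },
  { t: 4200, type: "consent", granted: ["analytics"] },
  { t: 4300, type: "cookie", name: "_gid" },
  { t: 4350, type: "request", url: "https://stats.g.doubleclick.net/collect" },
];

console.log(auditCapture(capture));
```

A later `consent` event replaces the earlier one, so a withdrawal (an empty `granted` list) followed by continued tracking is reported as well.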
What Proper Consent Looks Like in 2026
To avoid fines and protect your business, your consent implementation must:
- Block all non-essential cookies and scripts until explicit consent is given
- Provide equal visual weight to Accept and Reject options
- Allow granular choice by cookie category (analytics, marketing, functional)
- Store consent records with timestamps and user identifiers
- Support IAB TCF 2.3 for programmatic advertising
- Integrate Google Consent Mode V2 for compliant ad serving
- Allow easy withdrawal of consent at any time
- Display in the user's language
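Several of these requirements reduce to one piece of state: a timestamped, append-only record of each decision that every script load is checked against. The sketch below is an added example, not FlexyConsent's code or any CMP's API. The class name, the `source` field, and the tag URLs are hypothetical, and the categories are the three named in the list above.

```javascript
const CATEGORIES = ["analytics", "marketing", "functional"];

class ConsentLedger {
  // `now` is injectable so records can be tested with a fixed clock.
  constructor(now = () => new Date()) {
    this.now = now;
    this.records = []; // append-only: earlier decisions are never rewritten
  }

  // `source` (hypothetical field) separates a click from a pre-ticked default.
  record(userId, choices, source) {
    if (source !== "user-action") {
      throw new Error("consent requires an affirmative user action");
    }
    const granted = CATEGORIES.filter((c) => choices[c] === true);
    const entry = Object.freeze({
      userId, granted: Object.freeze(granted), at: this.now().toISOString(),
    });
    this.records.push(entry);
    return entry;
  }

  // Withdrawal is one call and is logged like any other decision.
  withdraw(userId) {
    return this.record(userId, {}, "user-action");
  }

  // Latest decision wins; no record means nothing non-essential may load.
  mayLoad(userId, category) {
    if (category === "essential") return true;
    const mine = this.records.filter((r) => r.userId === userId);
    const latest = mine[mine.length - 1];
    return latest !== undefined && latest.granted.includes(category);
  }

  // Filters a tag list down to what the current consent state allows.
  allowedTags(userId, tags) {
    return tags.filter((t) => this.mayLoad(userId, t.category)).map((t) => t.src);
  }
}

// Constructed tag list; the URLs are placeholders.
const TAGS = [
  { src: "/js/app.js", category: "essential" },
  { src: "https://analytics.example.test/a.js", category: "analytics" },
  { src: "https://ads.example.test/pixel.js", category: "marketing" },
];
```

Because withdrawal appends a new record instead of deleting the old one, the log still shows who consented, when, and to what.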
How FlexyConsent Protects You
FlexyConsent is built specifically to prevent the violations described above:
- Automatic script blocking: No tracking fires until consent is given
- Compliant banner design: Equal Accept/Reject buttons, no dark patterns
- Audit-ready logs: Every consent decision recorded with timestamps
- Google Certified CMP: Meets Google's requirements for EEA ad serving
- IAB TCF 2.3: Valid consent strings for programmatic advertising
- Consent Mode V2: Native Google integration for measurement continuity
- 43 languages: Automatic localization for global visitors
- Geo-targeting: Region-appropriate banners for GDPR, CCPA, LGPD, and more
Don't wait for the fine. FlexyConsent makes compliance effortless — protect your business, your revenue, and your reputation today.