GDPR Enforcement Trends 2026: Cookies, Data Transfers, and AI Under Scrutiny

Overview of key GDPR enforcement trends in 2025–2026: cookie banner dark patterns, US data transfers, data subject rights violations, and the growing role of AI.

GDPR in 2026: Enforcement Has Entered a Mature Phase

Since the GDPR became applicable in May 2018, the total value of fines issued has exceeded €4 billion. However, a clear qualitative shift has only become apparent since 2022–2023: supervisory authorities have moved from isolated, symbolic penalties to systematic proceedings targeting fundamental data protection principles. 2025 and the early months of 2026 have brought further landmark decisions that are setting the direction of enforcement for years to come.

Key Enforcement Trends in 2025–2026

1. Cookies and Consent — Still Leading

Cookie consent mechanisms remain the most frequent subject of proceedings. CNIL (France), Garante (Italy), APD (Belgium), and UODO (Poland) conducted coordinated inspection campaigns on cookie banners in 2025. Key findings:

  • Dark patterns: The absence of a reject option on the first screen of the cookie banner, equivalent in prominence to the accept button, is treated as a violation of the conditions for valid consent (Art. 4(11) and Art. 7 GDPR). EDPB Guidelines 03/2022 on deceptive design patterns and a 2024 CNIL decision have consolidated this interpretation.
  • Pre-ticked boxes: Pre-checked checkboxes or cookie categories that are active by default are classified as invalid consent, regardless of the banner's wording (the position the CJEU took in Planet49, C-673/17, in 2019).
  • Inability to withdraw consent: Authorities consistently impose fines where withdrawal of consent is harder than giving it (Art. 7(3) GDPR).

2. Data Transfers to the US — Continuing Tension

Despite the adoption of the EU-US Data Privacy Framework (DPF) in July 2023, supervisory authorities continue to scrutinise data transfers to the US. In 2025:

  • Several European supervisory authorities challenged transfers to US cloud providers that are not certified under the DPF or use sub-processors outside the DPF.
  • Authorities are scrutinising situations where DPF certification covers the main entity but the transfer effectively reaches a group entity in the US not covered by the certification.
  • Google Analytics remains the subject of proceedings in several countries — despite the introduction of Google Analytics 4 and IP anonymisation options.

3. Data Subject Rights — Enforcement Escalating

Authorities are increasingly initiating proceedings for violations of rights under Arts. 15–22 GDPR:

  • Right of access (Art. 15): Failure to respond within one month (Art. 12(3) GDPR) or providing incomplete responses, particularly as regards identifying the recipients of the data.
  • Right to erasure (Art. 17): Fines for refusing to delete data after withdrawal of consent, where no other legal basis exists.
  • Automated decision-making (Art. 22): Growing interest in AI-based credit scoring, recruitment, and insurance systems, especially in the context of the EU AI Act and the proposed AI Liability Directive (AILD).

4. Data Security and Breaches — Higher Fines for Systemic Failures

Authorities have moved away from the "fine for the breach itself" approach toward assessing whether the organisation implemented appropriate technical and organisational measures (Art. 32 GDPR). In 2025, record fines in this area involved:

  • Storing passwords in plaintext, or hashed with fast general-purpose algorithms (MD5, SHA-1) instead of a salted, deliberately slow password hashing function.
  • Absence of MFA for accounts with access to sensitive data.
  • Unrestricted internal access to personal data: a least-privilege failure under Art. 32 and a breach of the integrity and confidentiality principle (Art. 5(1)(f)).
  • Notifying the supervisory authority of a breach later than 72 hours after becoming aware of it (Art. 33(1) GDPR).
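The first bullet is the one most directly fixable in code. The following is an added example, not material from the article or from any of the decisions it summarises: it places the legacy scheme (an unsalted MD5 hex digest, which is how such records typically sit in a database) beside a scrypt-based replacement from the Python standard library, and shows the migration step that regulators look for, namely rehashing each legacy record transparently at the moment the user next logs in, since that is the only point at which the plaintext is available. The scrypt parameters, the record format and the MD5 record detection are assumptions for the example.

```python
import base64
import hashlib
import hmac
import os

# Legacy scheme this example migrates away from: an unsalted MD5 hex digest,
# the kind of storage the article lists among the fined failures.
def legacy_md5(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# scrypt work factors (assumed for the example; tune for your hardware).
# Memory cost is roughly 128 * N * r bytes, i.e. 16 MiB with these values.
SCRYPT_N, SCRYPT_R, SCRYPT_P, SCRYPT_DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm, parameters, salt, digest.

    A fresh 16-byte random salt per user defeats precomputed tables; storing
    the parameters in the record lets them be raised later for new hashes
    without invalidating existing users.
    """
    salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=SCRYPT_DKLEN)
    return "scrypt${}${}${}${}${}".format(
        SCRYPT_N, SCRYPT_R, SCRYPT_P,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"))


def verify_password(password: str, stored: str) -> bool:
    """Verify a password against a scrypt record produced by hash_password."""
    try:
        algo, n, r, p, salt_b64, dk_b64 = stored.split("$")
        if algo != "scrypt":
            return False
        n, r, p = int(n), int(r), int(p)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(dk_b64)
    except ValueError:  # malformed record (binascii.Error is a ValueError)
        return False
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=r, p=p, dklen=len(expected))
    # Constant-time comparison so a mismatch does not leak via timing.
    return hmac.compare_digest(actual, expected)


def is_legacy_record(stored: str) -> bool:
    """Assumption: legacy rows are exactly a 32-char lowercase MD5 hex digest."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored)


def verify_and_upgrade(password: str, stored: str):
    """Check a login against either record format.

    Returns (ok, replacement). On a successful login against a legacy MD5
    record, replacement is the new scrypt record the caller must persist;
    otherwise replacement is None.
    """
    if is_legacy_record(stored):
        if hmac.compare_digest(legacy_md5(password), stored):
            return True, hash_password(password)
        return False, None
    return verify_password(password, stored), None


if __name__ == "__main__":
    old = legacy_md5("correct horse battery staple")      # what the DB held
    ok, new_record = verify_and_upgrade("correct horse battery staple", old)
    print(ok, new_record)                                  # True, scrypt$...
```

Records that are never logged into again stay on MD5 indefinitely, so a migration needs a deadline after which remaining legacy records are invalidated and those users are forced through a password reset; that deadline, not the login-time rehash, is what closes the Art. 32 gap.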

5. AI Liability and Profiling

In 2025, supervisory authorities began systematically examining the use of AI in personal data processing. Key areas:

  • Large language models (LLMs) trained on personal data without a legal basis or without fulfilling information obligations towards individuals whose data was used for training.
  • Recommendation and advertising targeting systems — assessment of whether the profiling applied requires consent or may be based on legitimate interest (balancing test).
  • Deepfakes and synthetic content — questions about the legal basis for generating images of individuals without their consent.

Largest Fines in 2025 (Overview)

2025 saw further significant decisions by EU supervisory authorities. The most prominent proceedings involved:

  • Data transfers to third countries by large technology platforms — a continuation of cases initiated by the Irish DPC's decision in 2023.
  • Violation of the data minimisation principle by the financial sector — collecting data beyond the purpose arising from the contract.
  • Processing of special category data (health data) without a clear legal basis under Art. 9 GDPR by health application providers.

What Does This Mean for Your Website in 2026?

Based on enforcement trends, priority areas to check on your website:

  • Cookie banner: The reject button (or equivalent option) must be on the first screen and equally prominent as the accept button. Verify that withdrawing consent is as easy as giving it.
  • Google Analytics / third-party scripts: Verify that data transfers to the US have a valid legal basis (DPF, SCCs), and update the privacy policy accordingly.
  • Contact form: Verify that the information obligation (Art. 13) is met each time data is collected — retention period, data subject rights, DPO contact details (if appointed).
  • AI on the website: Chatbots and recommendation systems require a separate clause in the privacy policy covering the legal basis, any profiling, the right to object (Art. 21) and, for decisions based solely on automated processing, the right to human intervention and to contest the decision (Art. 22(3)).
  • Record of processing activities: Art. 30 GDPR — ensure all data processing operations from the website are included, including new integrations (CRM, marketing automation, chatbots).
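The first two items of the checklist come down to one factual question: what does the page load, and which cookies does it set, before the visitor has made any consent choice? The following audit helper is an added example, not a tool from the article or from any supervisory authority. It parses a landing page response with the standard library and reports third-party hosts contacted by scripts, iframes, images and stylesheets, plus any Set-Cookie header that is not on an allow-list of strictly necessary cookies. The sample HTML, the Set-Cookie headers, the first-party domain example.com and the allow-list are all constructed for the example; whether a listed host involves a transfer to the US, and under which basis, still has to be checked vendor by vendor.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: the first HTML response of a landing page, captured
# before the visitor has interacted with the consent banner (assumption).
SAMPLE_HTML = """<!doctype html>
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example.com/ui.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-1234567890"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
</head><body>
<iframe src="https://www.youtube.com/embed/dQw4w9WgXcQ"></iframe>
<img src="https://www.facebook.com/tr?id=1234567890&ev=PageView" width="1" height="1">
</body></html>"""

# Constructed sample: Set-Cookie headers on that same first response.
SAMPLE_SET_COOKIE = [
    "session_id=8f3a1c9e2b7d; Path=/; Secure; HttpOnly; SameSite=Lax",
    "csrf_token=5d41402abc4b; Path=/; Secure; SameSite=Strict",
    "_ga=GA1.1.123456789.1700000000; Path=/; Max-Age=63072000; SameSite=Lax",
    "_fbp=fb.1.1700000000.123456789; Path=/; Max-Age=7776000",
]

# Assumption: cookies the site can justify as strictly necessary (no consent).
ESSENTIAL_COOKIES = {"session_id", "csrf_token", "cookie_consent"}

# Which attribute carries the remote URL for each tag we care about.
URL_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}


class ResourceCollector(HTMLParser):
    """Collect (tag, url) pairs for every external resource reference."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr = URL_ATTRS.get(tag)
        if attr is None:
            return
        url = dict(attrs).get(attr)
        if url:
            self.resources.append((tag, url))


def is_first_party(url, first_party):
    """Relative URLs and the site's own subdomains count as first party."""
    host = urlparse(url).netloc.lower().split("@")[-1].split(":")[0]
    return host == "" or host == first_party or host.endswith("." + first_party)


def cookie_name(set_cookie_header):
    return set_cookie_header.split(";", 1)[0].split("=", 1)[0].strip()


def audit_pre_consent(html, set_cookie_headers, first_party, essential_cookies):
    """Report third-party hosts and non-essential cookies present before consent."""
    collector = ResourceCollector()
    collector.feed(html)
    third_party = {}
    for tag, url in collector.resources:
        if not is_first_party(url, first_party):
            host = urlparse(url).netloc.lower()
            third_party.setdefault(host, set()).add(tag)
    cookies = [cookie_name(h) for h in set_cookie_headers]
    return {
        "third_party": {h: sorted(t) for h, t in sorted(third_party.items())},
        "cookies_before_consent": [c for c in cookies if c not in essential_cookies],
    }


if __name__ == "__main__":
    report = audit_pre_consent(SAMPLE_HTML, SAMPLE_SET_COOKIE, "example.com", ESSENTIAL_COOKIES)
    for host, tags in report["third_party"].items():
        print(f"third-party host before consent: {host} ({', '.join(tags)})")
    for name in report["cookies_before_consent"]:
        print(f"non-essential cookie set before consent: {name}")
```

On the sample, the report lists the tag manager, fonts, video and pixel hosts but not cdn.example.com, and flags _ga and _fbp as set before any choice was made. Each flagged host then needs a documented basis (DPF certification of that specific entity, SCCs, or consent-gated loading), and each flagged cookie has to move behind the consent mechanism or be justified as strictly necessary.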