In the years since the General Data Protection Regulation (GDPR) came into force in 2018, there have been some dramatic headlines about fines levied on companies for violating its requirements.
For the most part these headlines have involved influential tech platforms with potentially billions of users. However, organizations of all sizes have been penalized for not adequately obtaining user consent for processing personal data, not meeting the requirements of their chosen legal basis, experiencing a data breach, or other issues.
App developers and publishers haven’t been in the news as much, even though our research showed that 90 percent of the apps available in the EU that we looked at were not compliant with the GDPR. One exception was France’s data protection authority CNIL, which fined Apple and Voodoo Games in 2023 for using an advertising identifier without users’ consent.
There have been other fines levied by data protection authorities around Europe for apps’ GDPR violations. That regulation and other laws do not distinguish between websites and apps with regards to compliance requirements. We take a look at several examples to explore what happened, what the penalties were, and how to do business compliantly.
What are the requirements for legal data processing under the GDPR?
The GDPR applies to organizations that process the personal data of EU residents, whether or not the company is located in the EU. That processing could be to enable apps to function, to deliver personalized advertising, or to provide analytics data to improve performance, for example.
Companies need to abide by “lawfulness of processing”, i.e. meet the requirements of a relevant legal basis to justify their collection and processing of personal data.
Art. 6 GDPR covers these six legal bases:
- explicit, informed consent from the data subject
- performing a contract with the data subject
- compliance with a legal obligation to which the data controller is subject
- protecting the vital interests of the data subject or of another natural person
- in the public interest, or if the data controller is exercising official authority
- legitimate interests pursued by the controller or by a third party
Consent is a common choice of legal basis, though the GDPR requires user consent to be “freely given, specific, informed and unambiguous”. As we will see, this is where a number of companies have violated the law.
Organizations are also required to collect, store, and document users’ consent choices securely, and provide important information to users about data processing, their rights, and other factors.
Meeting these requirements on a website in a way that’s clear, compliant, and user-friendly can be challenging, and managing it in apps on small mobile screens elevates the challenge, especially when companies both need to comply with GDPR requirements and need access to quality data for advertising, analytics, and other purposes.
Who is responsible for GDPR enforcement?
GDPR enforcement is a collective effort across several authorities within the EU and is mainly in the hands of the national Data Protection Authorities (DPAs) of each EU member state. These supervisory authorities, established under Chapter 6 GDPR, are independent public authorities.
They have the power to handle complaints, investigate compliance, and issue fines or other penalties for established violations. DPAs also issue guidelines and provide resources on GDPR compliance.
These groups work together to ensure that the GDPR’s requirements are consistently applied across the EU, and are supported by the European Data Protection Board (EDPB), which increases collaboration and cooperation among DPAs and advises on key matters of data privacy and protection.
What are the fines and penalties for GDPR violations?
Some data privacy laws around the world provide a “cure period” if an organization has been found to have violated the law. This enables them to correct the issue and ensure it won’t happen again while avoiding fines and other penalties.
The GDPR does not require provision of a cure period, though arrangements are at the discretion of EU member countries’ data protection authorities. GDPR enforcement is handled at a national level, and countries can also add their own specific data privacy and protection requirements.
Art. 83 GDPR covers penalties for violations. These include:
- warnings or reprimands
- temporary or permanent restrictions on data processing
- ordering the erasure of personal data
- suspending international data transfers to third countries
- imposing administrative fines
- imposing criminal penalties
Administrative fines are probably the best-known GDPR penalty and the one that tends to make the headlines. There are two tiers of administrative fines, depending on the severity of the infraction.
Tier one administrative fines
The first tier of GDPR fines is most commonly used for first-time or less severe infractions. They can be up to EUR 10 million or two percent of global annual revenue for the preceding financial year, whichever is higher.
Tier two administrative fines
The second tier of GDPR fines is generally for repeat violators or more severe infractions. They can be up to EUR 20 million or four percent of global annual revenue for the preceding financial year, whichever is higher.
The smallest GDPR fines have been “three-digit amounts”. To date, as of early 2025, the largest GDPR fine has been levied on Meta, parent company of Facebook, Instagram, and WhatsApp, for EUR 1.2 billion.
GDPR fines for app publishers
Over the past several years, data protection authorities around the world have increasingly turned their attention to mobile app privacy compliance. The California Attorney General announced an increased focus on mobile app compliance in 2023. In September 2024, France’s CNIL published recommendations to enable better privacy compliance in apps, with increased enforcement beginning in 2025.
Let’s look at some notable enforcement actions that European DPAs have levied on prominent mobile apps and platforms.
Norwegian Data Protection Authority Datatilsynet vs. Grindr
Norway’s Datatilsynet fined social networking and online dating app Grindr approximately EUR 6.5 million in 2021 for disclosing user data to third parties for behavioral advertising without a legal basis. The data shared included:
- GPS location
- IP address
- Advertising ID
- Age
- Gender
- Status as a Grindr user
The DPA also considered that the fact of using Grindr is itself sensitive personal information, as it strongly indicates the user’s sexual orientation or preferences, which merits additional protections under the law.
The Norwegian Consumer Council filed a complaint against Grindr in 2020. The company claimed to have collected valid consent information from users to enable sharing their personal data with advertising partners.
However, the consents were not valid as users did not have consent choices — e.g. to opt out of sharing data with third parties for advertising — and had to accept the privacy policy in its entirety to be able to use the app. Additionally, users were not properly notified about the app’s sharing of personal data. Both of these issues violated the GDPR’s requirements.
Italian Data Protection Authority Garante vs. Clubhouse
In December 2022, Italian DPA Garante fined social audio chat app Clubhouse EUR 2 million for multiple GDPR infractions:
- Lack of transparency about the use of users’ personal data and information about connections among users
- Storage and sharing of user-generated audio without users’ consent
- Indefinite retention periods for recordings
- Not identifying an accurate legal basis prior to profiling users and sharing their account information
Clubhouse was also required to adopt measures to comply with the GDPR, in addition to being prohibited from further processing of personal data for marketing or profiling purposes without obtaining informed and explicit user consent.
Clubhouse is owned by Alpha Exploration, a US company with no EU presence. However, Clubhouse services were available to users in the EU, making the app subject to GDPR compliance.
Irish Data Protection Commission vs. WhatsApp
Ireland’s Data Protection Commission fined instant messaging and VoIP service WhatsApp EUR 5.5 million in 2023. As noted earlier, WhatsApp’s parent company is US-based Meta, which also owns Facebook and Instagram, among other platforms and services.
WhatsApp Ireland was given six months from when the decision was handed down to bring their data processing operations into compliance with the GDPR.
In advance of the GDPR coming into effect on May 25, 2018, WhatsApp Ireland updated its Terms of Service, forcing users to click “agree and continue” to accept the new terms in order to access the app.
Users were forced to accept the terms in whole and consent to processing of their personal data for security and service improvement purposes. They had no granular consent options. Declining the terms prevented users from accessing the app’s services entirely. The initial complaint was filed by a German WhatsApp user.
WhatsApp also didn’t provide users with adequate information about the legal basis for data processing, preventing clear understanding of how their personal data was being used or shared, or for what purposes.
WhatsApp had considered users’ acceptance of the updated Terms of Service to be entering into a contract with the company. Fulfilling a contract is an acceptable legal basis under the GDPR, and the company took the position that processing users’ personal data for delivering its services was necessary to perform that contract.
The complaint, however, argued that by requiring users’ acceptance of the updated Terms of Service, the company was forcing user consent, and thus consent was their legal basis, not contract fulfillment. However, the conditions of the consent invalidated it under the GDPR, as it was not adequately informed or voluntary.
Usercentrics helps you stay GDPR-compliant and grow monetization
Increased GDPR enforcement for apps compliance and ever more savvy users mean that it’s not worth risking trying to get around data privacy requirements. Especially since there are robust, user-friendly tools like Usercentrics App CMP that streamline consent management. Collect consent compliantly on your apps and get the data you need to grow your monetization, without getting in your users’ way.
Usercentrics delivers an SDK that enables fast setup. Access over 2,200 pre-built legal templates for your data processing services, and use the App Scanner to seamlessly detect and integrate your vendors, SSPs, and SDKs. Our expert team is also here for you every step of the way with expert guidance and detailed documentation.
Learn more about how Usercentrics can help grow your business. Check out our case study with Homa Games and how they achieved a 10% increase in Ad LTV with user consent and achieved and maintained privacy compliance.