Regulatory Penalty Calculator

Estimate worst-case regulatory fines for your breach. Know the financial exposure before the regulators call.

📊 GDPR, HIPAA, CCPA 📍 50 US States 🔢 Real Penalty Data

Calculate Your Potential Penalties

What Are the Maximum Regulatory Penalties for a Data Breach?

GDPR carries the highest ceiling: €20 million or 4% of global revenue, whichever is greater. HIPAA penalties reach $50,000 per violation with a $1.5 million annual cap. California's CCPA can fine $7,500 per intentional violation, with private class-action exposure on top.

GDPR (EU/UK)

Tier 1 (Less serious): €10M or 2% revenue
Tier 2 (Most serious): €20M or 4% revenue

Whichever amount is higher applies. Factors weighed: breach severity, data volume, company cooperation, and prior violations.

HIPAA (US Healthcare)

Unknowing: $100 - $50K/violation
Willful Neglect: $10K - $50K/violation
Annual Max: $1.5M per category

Penalties are assessed per violation, not per record. Violation categories: unknowing, reasonable cause, and willful neglect (corrected or uncorrected).

California (CCPA/CPRA)

Intentional Violation: $7,500 per violation
Unintentional: $2,500 per violation
Private Right (CPRA): $100-$750 per record

A private right of action also applies for certain data types, so class actions are common.

Other US States

New York: $20/record (max $250K)
Texas: $100 - $50K per violation
Massachusetts: $5,000 per violation

50+ states and territories have breach notification laws, and most impose per-violation fines.

What Do Real Regulatory Penalties Look Like?

Real-world penalties confirm that regulators use their full authority. Meta's €1.2 billion GDPR fine and Equifax's $575 million multi-state settlement show that inadequate data protection carries consequences at the billion-dollar level, not just theoretical maximums.

Meta (Facebook) - GDPR

€1.2 billion fine for data transfers to US without adequate safeguards (2023)

Amazon - GDPR

€746 million fine for data processing violations (2021)

Anthem - HIPAA

$16 million HIPAA settlement for 79M record breach (2018)

Equifax - Multi-State Settlement

$575 million settlement with FTC, CFPB, states for 147M record breach (2019)

Regulatory Penalties: Frequently Asked Questions

How much is a GDPR fine for a data breach?

GDPR fines can reach €20 million or 4% of global annual revenue (whichever is higher) for the most serious violations. Lower-tier violations carry maximum fines of €10 million or 2% of revenue. Actual fines depend on severity, company cooperation, and mitigation efforts.

What is the penalty for a HIPAA breach?

HIPAA penalties range from $100 to $50,000 per violation, with an annual maximum of $1.5 million per violation category. Willful neglect carries higher penalties. HHS OCR considers factors like harm caused, organization size, and past violations when determining fines.

How are state breach notification penalties calculated?

State penalties vary widely. California can fine up to $7,500 per violation; New York can fine up to $20 per affected individual, with a $250,000 cap. Most states impose per-violation or per-record fines, with aggravating factors increasing the amounts.