Introduction
Meta was fined 1.2 billion euros under GDPR in 2023 -- the largest privacy fine in history -- for transferring EU user data to the United States in violation of Standard Contractual Clauses. Amazon was fined 746 million euros in 2021 for behavioral advertising consent failures. These are not outliers: the European Data Protection Board's fine tracker shows 1,900+ GDPR fines totaling over 4 billion euros since enforcement began. CCPA enforcement under the California Privacy Rights Act (CPRA) produced 50+ settlements in 2024, with individual fines ranging from $25,000 to $2.3 million. Most organizations dramatically underestimate their fine exposure because they calculate only the per-violation minimum -- missing the per-consumer multiplication that drives fines into seven and eight figures for mid-size companies. This calculator models fine exposure under GDPR, CCPA, and HIPAA based on the number of data subjects affected, violation type, and annual global revenue, showing the realistic upper bound of regulatory penalty risk.
What This Calculator Does
This calculator estimates maximum fine exposure under GDPR (tiered at 2% or 4% of global annual turnover), CCPA/CPRA (per-consumer statutory damages for unredressed violations), and HIPAA (per-violation categories with annual caps) based on number of data subjects affected, violation category, and annual global revenue. It outputs a penalty range from minimum to maximum for each applicable regulation and a combined worst-case exposure figure.
The Formula
GDPR fines use a two-tier system: less serious violations (data security failures, processor agreements, DPO requirements) carry up to 10 million euros or 2% of global annual turnover, whichever is higher. The most serious violations (lawful basis failures, consent violations, data subject rights violations, cross-border transfer failures) carry up to 20 million euros or 4% of turnover, again whichever is higher. CCPA damages apply per consumer per incident for failures to cure within 30 days. HIPAA tiers range from $137/violation (no knowledge of the violation) to $68,928/violation (willful neglect not corrected), capped at $2,067,813 per year per violation category. All caps reset annually.
Step-by-Step Example
Identify the regulatory frameworks that apply
Organization: US-based SaaS company, $50M annual revenue, 200,000 EU users (GDPR applies), 80,000 California residents (CCPA applies), no PHI (HIPAA does not apply). Both GDPR and CCPA analysis required. Note: GDPR applies to any organization processing EU personal data regardless of where the organization is located.
Calculate GDPR maximum exposure
Violation: failure to maintain adequate security measures leading to breach of 200,000 EU user records (Tier 1 violation, Article 32). Maximum fine: higher of 10 million euros or 2% of $50M global revenue ($1M). 10 million euros exceeds $1M. GDPR Tier 1 maximum: 10 million euros (~$10.8M USD). If violation also involves unauthorized cross-border transfers (Tier 2): maximum rises to 20 million euros or 4% global revenue ($2M), whichever is greater = 20 million euros (~$21.6M USD).
Calculate CCPA maximum exposure
CCPA unintentional violation: $100 per consumer x 80,000 California residents = $8,000,000. CCPA intentional violation: $750 per consumer x 80,000 = $60,000,000. Practical note: CCPA fines require a notice-and-cure period before enforcement action. Most first violations result in a 30-day cure notice; if not cured, fines escalate. The California AG has levied fines averaging $450,000-$1.5M per enforcement action for mid-size companies.
Combine and model realistic scenarios
Conservative scenario (regulator negotiates, first offense, strong cooperation): GDPR 5% of maximum = $540K, CCPA enforcement at $600K. Total: $1.14M. Expected scenario: GDPR 15% of max + CCPA enforcement: $1.62M + $600K = $2.22M. Worst case: GDPR maximum + CCPA intentional: $21.6M + $60M = $81.6M. The range illustrates why fine exposure analysis cannot rely on minimum estimates.
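The four steps above, carried through as an added Python model (this is example code, not the page's own calculator). It assumes 1 EUR = 1.08 USD, the rate implied by the page's "10 million euros (~$10.8M)" conversion, and reuses the page's $50M-revenue, 80,000-California-resident case; the HIPAA function is included so the annual cap behaviour is visible even though HIPAA does not apply to that case.

```python
"""Fine-exposure model: GDPR tiers, CCPA per-consumer damages, HIPAA annual caps.

Constructed example; figures follow the page's step-by-step scenario.
"""
from dataclasses import dataclass

USD_PER_EUR = 1.08  # assumed rate, implied by the page's "10 million euros (~$10.8M)"

# GDPR Article 83: fixed EUR ceiling or a share of global turnover, whichever is higher.
GDPR_TIERS = {1: (10_000_000, 0.02), 2: (20_000_000, 0.04)}
HIPAA_ANNUAL_CAP = 2_067_813  # per violation category per calendar year (page figure)


def gdpr_max_usd(tier: int, turnover_usd: float) -> float:
    """Maximum GDPR fine in USD: the higher of the EUR ceiling and the turnover share."""
    cap_eur, share = GDPR_TIERS[tier]
    return max(cap_eur * USD_PER_EUR, share * turnover_usd)


def ccpa_exposure_usd(consumers: int, per_consumer_usd: float) -> float:
    """CCPA/CPRA statutory damages: per-consumer rate times affected consumers."""
    return consumers * per_consumer_usd


def hipaa_exposure_usd(violations: int, per_violation_usd: float) -> float:
    """HIPAA penalty for one violation category, capped per calendar year."""
    return min(violations * per_violation_usd, HIPAA_ANNUAL_CAP)


@dataclass
class Scenario:
    name: str
    gdpr_tier: int
    gdpr_share_of_max: float  # negotiated fraction of the statutory maximum (1.0 = worst case)
    ccpa_usd: float           # negotiated enforcement amount, or the per-consumer maximum


def total_exposure_usd(turnover_usd: float, scenarios: list) -> dict:
    """Combined GDPR + CCPA exposure per scenario, keyed by scenario name."""
    return {s.name: s.gdpr_share_of_max * gdpr_max_usd(s.gdpr_tier, turnover_usd) + s.ccpa_usd
            for s in scenarios}


# The page's worked case: $50M revenue, 200,000 EU users, 80,000 California residents.
PAGE_SCENARIOS = [
    Scenario("conservative", 1, 0.05, 600_000),
    Scenario("expected", 1, 0.15, 600_000),
    Scenario("worst_case", 2, 1.0, ccpa_exposure_usd(80_000, 750)),
]

if __name__ == "__main__":
    for name, usd in total_exposure_usd(50_000_000, PAGE_SCENARIOS).items():
        print(f"{name:>12}: ${usd:,.0f}")
```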
Real-World Use Cases
Privacy Counsel Quantifying Board-Level Risk
A company's privacy counsel is preparing a board presentation on GDPR compliance investment. The calculator shows maximum GDPR exposure at 4% of $200M global revenue = 8 million euros (~$8.6M). Compliance program investment required: $1.2M. The board approves the program based on an 8.6x potential loss vs. 1x investment ratio -- a straightforward risk-adjusted decision.
CISO Sizing Cyber Insurance for Regulatory Coverage
A healthcare-adjacent SaaS company with 400,000 user accounts across EU and California runs the calculation: combined GDPR + CCPA maximum exposure of $18.2M. Current cyber policy sub-limits regulatory fines at $2M. The CISO uses the calculation to negotiate a $10M regulatory coverage endorsement, adding $12,000 annually to the premium -- far less than the uninsured gap.
Startup Due Diligence -- Privacy Risk Assessment
An investor runs the calculator during due diligence on a fintech startup with 50,000 EU users and 25,000 California residents but no formal privacy program. GDPR maximum exposure: 10 million euros. CCPA exposure: $1.25M-$18.75M. The investor requires a privacy program implementation roadmap as a condition of closing, with an escrow holdback of $500,000 against undisclosed privacy liability.
Comparison
| Regulation | Maximum Fine | Per-Record/Consumer Rate | Trigger | Enforcement Body |
|---|---|---|---|---|
| GDPR (Tier 1) | 10M euros or 2% revenue | N/A -- turnover-based | Security, processor failures | National DPAs, EDPB |
| GDPR (Tier 2) | 20M euros or 4% revenue | N/A -- turnover-based | Consent, cross-border transfers | National DPAs, EDPB |
| CCPA (unintentional) | $100-$750 per consumer | $100-$750 | Security breach, rights violations | CA Attorney General, CPPA |
| CCPA (intentional) | Up to $7,500 per consumer | $7,500 | Knowing violations | CA Attorney General, CPPA |
| HIPAA (unknown) | $137-$68,928 per violation | Per-violation | No knowledge of violation | HHS Office for Civil Rights |
| HIPAA (willful) | $68,928 max per violation | Per-violation | Willful neglect | HHS OCR + DOJ referral |
Common Mistakes to Avoid
Calculating GDPR fines using only the fixed euro ceiling rather than the revenue-based maximum. A company with $500M in annual revenue has a maximum GDPR Tier 2 exposure of $20M -- far above the 20 million euro ceiling that typically headlines the calculation. The regulation specifies the higher of the two thresholds, not the lower.
Treating CCPA as a pure per-consumer calculation and assuming enforcement requires the maximum. California enforcement actions have typically resulted in negotiated settlements significantly below the mathematical maximum. However, class action litigation under CCPA's private right of action for data breaches applies the per-consumer statutory damages directly, without the AG's negotiation dynamic. Model both separately.
Ignoring the GDPR one-stop-shop mechanism for multi-country EU operations. Companies with an EU establishment (even one employee) typically have a lead supervisory authority under the one-stop-shop mechanism. Cases that start with local DPAs can be escalated to the lead authority, which has broader investigative powers and has levied the largest fines. Compliance posture must satisfy the lead authority's standards, not just the local DPA.
Accuracy and Disclaimer
Fine exposure estimates are based on 2026 regulatory guidance from the European Data Protection Board, California Privacy Protection Agency, and HHS Office for Civil Rights. Actual regulatory fines are determined by investigating authorities based on specific violation circumstances. This calculator models maximum statutory exposure only and should not be interpreted as a prediction of actual enforcement outcomes. Consult a qualified privacy attorney for jurisdiction-specific compliance advice.
Conclusion
Regulatory fine modeling feeds directly into data breach cost planning. Use our Data Breach Cost Estimator to combine fine exposure with notification, legal, and remediation costs for a complete breach financial model. Organizations selecting cyber insurance coverage should compare total fine exposure against policy limits using our Cyber Insurance Premium Estimator -- many policies sub-limit regulatory fines well below the maximum penalty calculated here.