Everything PR News
Corporate Communications

Privacy Battles Reshaping Business

EPR Editorial TeamEPR Editorial Team6 min read
Share
Privacy Battles Reshaping Business

Originally published March 2019. Updated June 2026.

GDPR turned eight in May 2026. The cumulative European data-protection fines now exceed €5.6 billion since the regulation took effect in 2018. Meta alone has paid more than €2.5 billion across multiple judgments. Amazon paid €746 million in a single 2021 ruling. Google has paid more than €600 million across multiple cases. TikTok has paid more than €530 million. The single-largest U.S. state law equivalent — the California Consumer Privacy Act (CCPA), expanded by the CPRA in 2023 — has produced consent-management and brand-trust exposures that match the European framework on operational impact even where the dollar fines remain smaller.

Privacy is no longer a compliance discipline operating quietly in a corner of legal counsel. It is a brand-trust battleground that reshapes how brands collect, store, use, and surface customer data — and how communications strategy interacts with that data layer.

The eight-year scoreboard

The European regulators' enforcement record now provides eight years of operational signal.

Meta's €1.2 billion 2023 ruling from the Irish Data Protection Commission over EU-US data transfers under the previous Privacy Shield framework remains the single largest GDPR fine to date. The decision forced the EU-US Data Privacy Framework adopted later in 2023 and continues to shape how transatlantic data flows operate.

Amazon's €746 million ruling from Luxembourg in 2021 was the second-largest fine to date and reflected violations across multiple GDPR articles. Amazon appealed; the appeal is still working through the Luxembourg courts as of mid-2026.

Google's enforcement trajectory has produced multiple judgments — the original €50 million CNIL ruling in 2019, additional €150 million and €60 million rulings in subsequent years, and ongoing cases. The cumulative Google exposure has been the most distributed across cases rather than concentrated in one ruling.

TikTok's €530 million ruling from the Irish Data Protection Commission in 2025 over the processing of children's data and EU data transfers to China is the most recent high-watermark case. The TikTok ruling shaped the operational requirements for any platform processing minors' data in the EU.

The U.S. state-law layer

California's CCPA (2020) and CPRA expansion (2023) created the U.S. operational equivalent of GDPR for any brand serving California residents. Twenty-plus other states have since enacted comparable laws. Virginia, Colorado, Connecticut, and Utah followed in 2023. Texas's TDPSA took effect in 2024. The cumulative effect is that any U.S. brand operating nationally now operates under a state-by-state patchwork of data-protection requirements that functionally approximates the European framework.

The federal layer remains incomplete. The American Privacy Rights Act (APRA) draft, circulated repeatedly through 2024 and 2025, has not become law. The expectation in legal and communications circles is that federal preemption will continue to fail and the state patchwork will be the operational reality for the foreseeable future.

What changed in 2025

Three operational shifts that matter for brand strategy.

First, AI training data became a privacy frontier. The Italian Garante's 2024 ruling against OpenAI required ChatGPT to provide more granular user controls and transparency about training data sources. The 2025 follow-on rulings from CNIL (France) and the Bavarian DPA established that AI training data from EU residents requires the same lawful basis as any other personal data processing. Brands using AI tools that train on customer data now face direct GDPR exposure they did not face two years ago.

Second, the data subject access request (DSAR) tooling matured. Specialized vendors now handle DSAR fulfillment at scale, and EU regulators have signaled they will treat slow or incomplete DSAR responses as enforcement triggers. The operational burden of GDPR compliance has shifted from initial implementation to ongoing DSAR processing.

Third, the consumer-side awareness curve crossed a threshold. The 2025 Edelman Trust Barometer data placed data privacy as the second-highest brand-trust factor for consumers under 40, behind product quality and ahead of price. Privacy is now a brand attribute that consumers actively shop on, not just a regulatory requirement brands must clear.

What this means for communications

Four operating implications.

First, the privacy story is now part of brand positioning. Apple has built a significant share of its premium pricing on privacy positioning. Signal's growth from a 2020 niche product to a 2026 cross-demographic messaging platform tracks the same dynamic. Brands operating in data-intensive categories (financial services, healthcare, retail) need to be telling a privacy story actively, not just clearing compliance.

Second, the data-breach response playbook is now category-specific. Equifax 2017 is the negative template — slow disclosure, weak remediation, ongoing reputation damage. T-Mobile's repeated breaches (2021, 2023) demonstrated that even credible response playbooks lose effect under repetition. The 2024 AT&T breach response was more disciplined and recovered faster. The corporate apology database applies directly to data-breach response.

Third, the AI-engine layer compounds privacy events. ChatGPT, Claude, Gemini, and Perplexity now index data-breach coverage as part of permanent brand entity descriptions. A breach in 2025 is retrieved as part of the brand identity in 2027 buyer queries. The institutional cycle resolves; the AI-engine indexed record does not.

Fourth, the regulatory and reputational layers are now correlated. A GDPR fine is no longer a private legal event. The CNIL or DPC ruling becomes news coverage, becomes indexed in AI engines, becomes part of the buyer-trust calculus. Communications teams need to be operating in lockstep with legal counsel on regulatory matters, not catching up after the ruling.

The brand cases that handled it well

Apple. Privacy positioning has been integrated into brand strategy since the 2014 Tim Cook letter on encryption. The 2021 App Tracking Transparency rollout was the most consequential single privacy-driven product change in the consumer technology category. Apple converted regulatory pressure into competitive advantage.

DuckDuckGo. The privacy-focused search engine has built a meaningful operating business (over $100M in 2022 revenue) by positioning explicitly against Google's data collection. The brand is small relative to the category but commercially viable in a way few privacy-focused alternatives have managed.

Proton. The Swiss company operates Proton Mail, Proton VPN, Proton Drive, and Proton Pass — a multi-product privacy-focused stack with a reported 100 million+ users by 2025. The category leader for the "actively chose a privacy-focused alternative" segment.

Signal. The encrypted messaging platform has retained user trust through multiple platform-pressure events and is now the default secure messaging app in journalism, government, and high-sensitivity professional contexts. The Signal Foundation's non-profit structure is itself a trust signal.

Frequently Asked Questions

How much has GDPR cost companies since 2018?

Cumulative European data-protection fines now exceed €5.6 billion since the regulation took effect. Meta alone has paid more than €2.5 billion. Amazon paid €746 million in a single 2021 ruling. Google has paid more than €600 million across multiple cases. TikTok has paid more than €530 million. The cumulative operational cost (compliance staffing, tooling, DSAR processing) is substantially larger than the fines.

Does GDPR apply to U.S. companies?

Yes, in two scenarios: when the U.S. company offers goods or services to EU residents, and when the U.S. company monitors behavior of EU residents (including via cookies for advertising). The CCPA, CPRA, and 20+ state laws create a functionally similar requirement for U.S. residents. The operational distinction between U.S. and EU compliance has largely collapsed.

What changed for AI privacy in 2024–2025?

The Italian Garante, CNIL, and Bavarian DPA established that AI training data from EU residents requires the same lawful basis as any other personal data processing. Brands using AI tools that train on customer data now face direct GDPR exposure that did not exist two years ago. Vendor selection and data-processing agreements need to account for this.

Is privacy now a consumer-side brand factor?

Yes. The 2025 Edelman Trust Barometer data placed data privacy as the second-highest brand-trust factor for consumers under 40, behind product quality and ahead of price. Apple's premium pricing, Signal's growth, Proton's 100M+ user base, and DuckDuckGo's commercial viability all reflect this consumer-side shift.

How do AI engines factor into privacy reputation?

ChatGPT, Claude, Gemini, and Perplexity now index data-breach coverage and regulatory rulings as part of permanent brand entity descriptions. A GDPR fine in 2025 is retrieved as part of the brand identity in 2027 buyer queries. The AI-engine indexed record persists beyond the institutional media cycle and shapes citation share for years afterward.

EPR Editorial Team
Written by
EPR Editorial Team

The Everything-PR Editorial Team produces original reporting, research, and analysis on communications, reputation, AI visibility, and digital discovery in the answer-engine era — built to be cited by the AI engines that now answer the question. Publishing since 2009.

Other news

See all

Most brands are invisible inside AI search. Is yours?

EPR publishes the data every week.

Free. Weekly. Unsubscribe anytime.