Written by: Haim Ravia, Dotan Hammer
Recent enforcement actions across three major data protection and digital services regimes demonstrate that regulators on both sides of the Atlantic are increasingly willing to impose substantial penalties for non-compliance. From France to California to Brussels, companies face mounting consequences for violating privacy and transparency obligations.
EU Commission fines X.
In the most high-profile action, the European Commission on December 5, 2025, issued its first-ever fine for a violation under the Digital Services Act (DSA), penalizing Elon Musk’s social media platform X €120 million (approximately $140 million) for breaching transparency obligations.
The Commission found X violated the DSA in three key areas: the deceptive design of its blue checkmark verification system, which allows anyone to purchase “verified” status without meaningful identity verification; an inadequate advertising repository that lacks critical information about ad content and advertiser identity; and failure to provide researchers with effective access to public data.
Executive Vice-President Henna Virkkunen stated that “deceiving users with blue checkmarks, obscuring information on ads, and shutting out researchers have no place online in the EU.” X has 60 days to remedy the verification issues and 90 days to submit an action plan addressing the remaining breaches. While substantial, the fine remains well below the DSA’s maximum penalty of 6% of global annual turnover.
French data protection authority fines Israeli AdTech company.
Meanwhile, France’s data protection authority, CNIL, imposed a €1 million fine on Optimove, an Israeli AdTech company, for GDPR violations discovered during an investigation into the 2022 Deezer data breach that exposed information of 46 million users worldwide, including 9.8 million French residents.
The CNIL’s decision found Optimove violated three GDPR provisions. First, Optimove, as a processor, retained personal data beyond the timeframes established by the data’s controller (Deezer). Second, its employees processed the personal data without authorization, overstepping the purposes of processing established with the data’s controller. Third, it did not maintain the Records of Processing Activities required under the GDPR. The case is notable for demonstrating GDPR’s extraterritorial reach, as CNIL exercised jurisdiction over an Israeli company processing French citizens’ data. Optimove’s defense that employees acted without authorization was rejected by the regulator.
California settles claims against a popular gaming apps publisher.
A few weeks earlier, California Attorney General Rob Bonta announced a $1.4 million settlement with mobile gaming company Jam City, maker of popular games based on franchises including Harry Potter, Frozen, and Family Guy. The investigation found that despite collecting and sharing consumer personal information primarily through its mobile games, Jam City failed to provide CCPA-compliant opt-out mechanisms in any of its 21 apps. Additionally, some games sold or shared data of children aged 13-16 without the affirmative consent required under CCPA’s special protections for minors. Beyond the monetary penalty, Jam City must implement in-app opt-out methods and obtain affirmative consent before selling minors’ data. This marks the sixth CCPA enforcement action by the Attorney General’s office.
CPPA enforcement advisory targets data broker registration evasion.
On December 17, 2025, the California Privacy Protection Agency (CPPA) Enforcement Division issued an enforcement advisory addressing unacceptable data broker registration practices. The CPPA has observed brokers operating under multiple trade names or websites without proper disclosure, or pointing to parent company registrations rather than registering independently. The advisory emphasizes that each distinct legal entity meeting the data broker definition must register separately – registration does not pass automatically from parent companies to subsidiaries. Data brokers must list all trade names and website addresses in their DROP accounts, with all links accurate and functional. Failure to register by the January 31 deadline triggers administrative fines of $200 per day, plus unpaid registration fees and CPPA investigation costs.
In a smaller but significant action, the California Privacy Protection Agency (CPPA) fined ROR Partners, a Nevada-based fitness and wellness marketing company, $50,000 for failing to register as a data broker under California’s Delete Act by the January 31, 2025, deadline. ROR Partners, which advertises access to data on over 262 million US adults and uses AI-driven audience modeling, was required to register given its business of selling consumer personal information to third parties. The CPPA’s stipulated order requires the company to pay the fine, complete its 2025 registration, and comply with ongoing registration and disclosure requirements.