Regulatory Penalties Reference

A structured reference to the published penalty thresholds for the four regimes most relevant to a data breach: the EU/UK GDPR, US HIPAA, California's CCPA/CPRA, and PCI DSS. Each entry shows the statutory or contractual figures, the basis on which they apply, and a link to the primary text. These are the published maximum exposure ceilings, not a prediction of what any regulator will actually impose in a given case.

⚠️ Important — published thresholds, not legal advice. The amounts below are published statutory and contractual thresholds — the maximum exposure a regime defines, shown for informational and planning purposes only. Actual penalties depend on the facts, the regulator's discretion, mitigating factors and the specific jurisdiction, and are very often far below these ceilings. This is not legal advice. For any real obligation or enforcement question, consult qualified counsel.

GDPR — EU/UK GDPR (Article 83)

GDPR (EU/UK GDPR) — administrative fine tiers
  Tier         Cap            % of worldwide annual turnover
  Lower tier   €10,000,000    2%
  Upper tier   €20,000,000    4%

Basis. Up to the higher of the fixed cap or the percentage of worldwide annual turnover. Because the higher figure applies, larger organizations are exposed to the percentage figure while smaller ones are effectively bounded by the cap. Estimate your own figure with the GDPR fine estimator. Primary source: GDPR Article 83.

HIPAA — US health data (HHS OCR civil money penalties)

HIPAA (US health data — HHS OCR) — civil money penalty tiers (per violation)
  Tier     Culpability                  Min / violation   Max / violation   Annual cap
  Tier 1   No knowledge                 $141              $71,162           $2,134,831
  Tier 2   Reasonable cause             $1,424            $71,162           $2,134,831
  Tier 3   Willful neglect (cured)      $14,232           $71,162           $2,134,831
  Tier 4   Willful neglect (uncured)    $71,162           $2,134,831        $2,134,831

Basis. Civil money penalty per violation, subject to an annual cap per identical provision. The four tiers reflect the degree of culpability, from "no knowledge" up to "willful neglect (uncured)", and the per-violation amounts are inflation-adjusted published figures. Estimate exposure by tier and number of violations with the HIPAA penalty estimator. Primary source: HHS OCR / 45 CFR §160.404.

CCPA / CPRA — California private right of action

CCPA/CPRA (California — private right of action) — statutory damages
  Measure                      Per consumer, per incident
  Statutory damages (range)    $100 – $750

Basis. Statutory damages per consumer per incident for certain breaches (or actual damages, if greater). Exposure scales with the number of affected California consumers, so even a modest per-consumer figure becomes significant at scale. Estimate it with the CCPA/CPRA exposure calculator. Primary source: Cal. Civ. Code §1798.150.

PCI DSS — card-brand / acquirer non-compliance

PCI DSS non-compliance (card brands / acquirer) — fines and reissuance
  Measure                        Range
  Monthly non-compliance fine    $5,000 – $100,000 / month
  Forced card reissuance         $3 – $10 / card

Basis. Acquirer/brand fines (monthly, tiered) plus forced card reissuance and forensic costs. Unlike the statutory regimes above, PCI fines are contractual — levied by the card brands through your acquirer — and the ranges are widely reported rather than fixed in law. Estimate the monthly fines plus per-card reissuance with the PCI non-compliance cost calculator. Primary source: PCI Security Standards Council (and acquirer agreements).

How to use this reference

These four regimes capture the bulk of the regulatory and contractual exposure an organization faces after a data breach, but they work very differently. GDPR sets a turnover-linked ceiling and applies the higher of a fixed cap or a percentage; HIPAA scales by the number of violations and degree of culpability, subject to an annual cap per identical provision; the CCPA's private right of action multiplies a per-consumer figure across everyone affected; and PCI DSS penalties are contractual fines and reissuance costs rather than statutory fines. Because the structures differ, the same breach can trigger several of these at once, each computed on its own basis. Treat the figures as the outer bounds of exposure, then use the matching calculator under compliance cost to model a realistic figure for your facts. Every figure shown is overridable in those tools.

Thresholds verified on Jun 25, 2026 against the primary sources listed above. Published maximum exposure, informational only — not legal advice. Every value shown is overridable in the tools.

Disclaimer. BreachCostLab provides cost and risk estimates for informational purposes only, based on published industry benchmarks (e.g. IBM/Ponemon Cost of a Data Breach, Verizon DBIR) and publicly available statutory figures as of the verification date shown (Jun 25, 2026). These figures are estimates for planning, not a prediction of the cost of any specific incident, and are not legal, financial, insurance, or compliance advice. Actual breach costs vary widely; for regulatory obligations consult qualified counsel. Always verify current figures with the cited sources.