Latest GDPR Updates: Key Fines, Data Transfers, and EDPB Guidance
This article highlights the most recent GDPR developments — from new EDPB guidelines to major cookie-related fines and cross-border data transfer updates.
What’s Changing in GDPR Enforcement and Compliance
By now, it’s clear that Europe’s privacy regulators haven’t slowed down. Transparency, user consent, and accountability still define how the GDPR is enforced. Over the past year, the European Data Protection Board (EDPB) has tried to make those rules work in step with the Digital Services Act (DSA)—an ongoing job that’s proving complicated.
National authorities have been busy too. Their investigations reach further than before, and the fines keep rising. Much of the focus sits on familiar ground: Cookie Consent, advertising transparency, and cross-border data transfers. These are the details that show whether a company really manages personal data responsibly.
Lately, regulators talk more about prevention than punishment. They expect businesses to build in safeguards—training staff, checking internal processes, monitoring risks—so problems are fixed early. It’s less dramatic than a big fine, but it’s how real compliance works in practice.
EDPB Guidelines on the Interplay Between the DSA and GDPR
On 12 September 2025, at a plenary session, the EDPB adopted guidelines on how the DSA and the GDPR work together. Both laws shape how platforms handle personal data—just not in the same way.
- The DSA looks at how platforms operate: accountability, transparency, user protection.
- The GDPR governs processing itself—how personal data is collected, stored, and used.
Key intersections the guidance calls out include:
- Notice-and-action systems — reporting and acting on illegal content.
- Recommender systems — how content is ranked or presented, including protections for minors and restrictions on profiling-based ads using special-category data.
- Content moderation — applying platform rules transparently while respecting user privacy.
- Targeted advertising — consent remains essential when personal data is used for ads.
- Profiling and algorithms — GDPR principles still apply even when processing falls under the DSA.
The text was out for public consultation until 31 October 2025, and the final version is now awaited. Once adopted, it will give platforms, advertisers, and service providers practical direction on meeting both data protection and digital transparency duties across the EU.
Major GDPR Fines Signal Stricter Cookie and Ad Enforcement
Regulators in Europe are paying closer attention to how websites handle consent and cookies.
Earlier in September, France’s Commission nationale de l’informatique et des libertés (CNIL) handed out two of the biggest GDPR penalties of the year — to SHEIN and Google — both focused on user consent and online advertising practices.
SHEIN fined €150 million for illegal cookies
On 1 September 2025, the CNIL fined SHEIN €150 million for breaking cookie and consent rules. Inspectors found that cookies were installed before users gave permission, banners didn’t explain enough about how data was used, and the “Reject all” option didn’t always work.
Key context:
- CNIL stressed that “Accept” and “Reject” buttons must be equally visible
- SHEIN has appealed but is required to update its cookie settings while the process continues
The ruling made one thing clear: consent must be freely given, informed, and easy to take back. Sites need to show who sets each cookie, why it’s used, and give people a fair choice to say yes or no.
Google fined €325 million for unauthorized advertising
Also on 1 September 2025, the CNIL fined Google €325 million for showing promotional ads in Gmail without prior consent and for using consent designs that steered users toward personalized ads. Because similar issues had been raised before, the regulator imposed a heavier fine.
Context:
- Around 74 million Gmail accounts were affected, and 53 million users saw the ads
- CNIL cited CPCE Article 34-5, which bans unsolicited electronic marketing
- Google was given six months to fix its consent systems or face €100,000 in daily fines
Together, the two decisions show that data authorities are moving beyond guidance and into steady enforcement. Whether a company runs a small website or a global platform, a clear, neutral consent flow is now the basic standard for GDPR compliance.
Under the GDPR, non-compliance can lead to significant financial penalties — up to €10 million or 2% of a company’s global annual turnover for less serious breaches, and up to €20 million or 4% of global turnover for more serious violations such as unlawful data processing or failure to respect user rights.
EU–U.S. Data Privacy Framework Upheld by the EU Court
The long-running debate over transatlantic data flows took another turn on 3 September 2025, when the EU General Court ruled in Latombe v. European Commission (Case T-553/23).
Judges rejected a challenge brought by French MEP Philippe Latombe, leaving the EU–U.S. Data Privacy Framework (DPF) in place.
At issue was the Commission Implementing Decision (EU) 2023/1795 of 10 July 2023—the act that recognises U.S. safeguards as “adequate” under Article 45 GDPR and lets certified American firms handle EU personal data.
Latombe had claimed those safeguards were still too weak because of U.S. intelligence powers. The court didn’t see it that way. Judges said the Commission had examined the new U.S. limits in detail and that the framework provides a level of protection close enough to the EU standard.
Three points stood out in the judgment:
- The Framework aligns with EU fundamental-rights protections.
- The U.S. Data Protection Review Court (DPRC) offers a workable route for complaints.
- Earlier EDPB reservations didn’t outweigh the Commission’s analysis.
For now, the DPF remains the legal bridge for data transfers to certified U.S. organisations.
That said, privacy groups are preparing an appeal to the CJEU, arguing that the court still gave Washington too much benefit of the doubt.
Companies shouldn’t wait for that fight to finish. Keep an eye on the case, but keep a safety net too—Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs)—so data can keep moving if the decision is overturned.
And for EU businesses relying on U.S.-based analytics, cloud or marketing providers, one quick step saves a lot of trouble later: confirm those vendors are DPF-certified or can prove equivalent safeguards before any transfer.
Data Breach Trends: Human Error and Cyberattacks Dominate
Across Europe, data breach statistics for 2025 paint a picture that’s starting to feel familiar. Most incidents still come down to two things — human mistakes and cyberattacks. Regulators keep saying the same thing too: no system is secure if the people using it aren’t alert.
In H1 2025, Lithuania’s State Data Protection Inspectorate (VDAI) found that:
- 57% of reported breaches came from employee errors — emails sent to the wrong people, lost laptops, files left open for anyone to see.
- 32% were the result of cyber incidents, from phishing to full-on ransomware hits.
- Everything else fell into smaller categories, like technical malfunctions or insider misuse.
That pattern isn’t unique to Lithuania. The EDPB and ENISA have seen nearly identical trends across the EU. Cyberattacks are getting sharper, but the quiet, everyday slip-ups still lead the charts.
The truth is, security isn’t just a technical problem — it’s a human one. Most breaches start with a moment of distraction. Training staff, writing clear internal rules, and actually testing those procedures can stop most cases before they ever need reporting.
The VDAI also reminded companies of one non-negotiable rule: if a breach is likely to risk people’s rights and freedoms, it has to be reported to the supervisory authority within 72 hours of the organization becoming aware of it.
That deadline isn’t just paperwork — it’s how authorities measure readiness. Regulators now look not only at how quickly an organization discloses an incident, but how seriously it tried to prevent it in the first place.
National Highlights Reflecting EU-Wide Patterns
Not every GDPR decision makes headlines. Across Europe, data protection authorities keep handling smaller, real-world cases that show how enforcement works beyond the big tech stories. Some are easy to miss — but they say a lot about where regulators are focusing their time.
- Greece (mid-2025): The Hellenic DPA fined a youth association €10,000 after it shared sensitive data about minors and ignored access requests. The lesson was plain: even small community groups have to treat children’s data lawfully and stay cooperative when authorities start asking questions.
- Lithuania (summer 2025): VDAI published short guidance explaining what isn’t a personal data breach — examples included unopened misdelivered mail or records about deceased persons. The point wasn’t to lower the bar, but to remind controllers to weigh actual risk before filing a report.
- Creditinfo ransomware case – 25 July 2025: When Creditinfo was hit by ransomware, it triggered a VDAI investigation into how companies manage third-party risk. The breach made clear that vendors’ security controls are part of every controller’s GDPR responsibility.
These smaller actions don’t come with nine-figure fines, yet they show the same trend: GDPR enforcement in 2025 reaches every corner of the map. Regulators are watching schools, charities, and vendors as closely as the tech giants.
How CMPs Help Stay GDPR Compliant
As regulators narrow their focus on Cookie Consent and transparency, Consent Management Platforms (CMPs) have become central to staying compliant. They’re no longer just pop-up banners — they record consent, control tracking, and help prove that an organization meets GDPR standards.
CMPs also simplify what used to be manual work. They automate consent handling, updates, and regional rules so teams spend less time fixing tags and more time staying compliant.
Key ways CMPs support compliance in 2025 include:
- Automatic blocking of third-party scripts — analytics, ads, and other tracking tools stay paused until valid consent is collected, preventing unlawful data collection before consent.
- Customizable and transparent banners — designed in line with EDPB guidance, offering clear “Accept” and “Reject” choices without dark patterns or confusing layouts.
- Consent records built for audits — exportable logs that show who gave consent, when, and for what purposes. These serve as evidence if a DPA requests documentation during an inspection.
- Privacy Policy and Cookie Policy Generator — keeps public disclosures aligned with actual cookie scans and vendor activity, ensuring transparency as sites evolve.
- Integration with Google Consent Mode v2 and IAB TCF 2.2 — ensures ad and analytics tags automatically adjust to each user’s consent preferences.
- Automated scans and reports — recurring cookie sweeps detect new scripts or vendors and track consent rates over time, helping teams stay ahead of compliance changes.
- Geo-targeting and multilingual support — banners adapt to local privacy laws and languages, covering GDPR in the EU, CCPA in California, LGPD in Brazil, and more.
- Shared and self-hosted options — allow organizations or agencies to manage multiple sites from one setup while keeping full control of data and performance.
Platforms like CookieScript, a Google-certified CMP, combine these capabilities into one system — from automatic scanning to policy generation — showing how CMPs have evolved: not just ensuring compliance today, but keeping it measurable and auditable as the rules continue to shift.
In spring 2025, CookieScript received its fourth consecutive G2 badge, recognizing it as the Best Consent Management Platform.
In Conclusion
GDPR enforcement in 2025 has become more practical and predictable. Regulators are focused on execution — verifying consent, checking records, and holding companies accountable for how data is handled, not just what’s written in their policies.
The message for 2026 is simple: maintain proof, automate where possible, and keep transparency real. Organizations that can show clear consent flows and reliable compliance processes will stay out of the spotlight — and ahead of the next round of audits.
Frequently Asked Questions
What does GDPR actually require for valid cookie consent?
To meet GDPR standards, consent must be freely given, specific, informed, and unambiguous. In practice, that means users should be able to clearly accept or reject cookies — no tricks or hidden buttons. CookieScript handles this automatically with customizable banners that block cookies until valid consent is recorded and stored as proof.
How can an organization prove consent if the DPA asks for it?
Every click matters under GDPR. CookieScript keeps detailed consent logs that show who gave consent, when, and for what purpose. The records can be exported at any time, giving teams clear documentation to present during audits or inspections.
How often should websites review their cookies?
Cookies tend to change — especially when new tools or plugins are added. With CookieScript’s automated monthly scans, sites get updated reports that show new cookies or trackers. It keeps your consent banner and policy aligned with what’s really running on your site.
What if cookies load before the user says yes?
That’s one of the fastest ways to violate GDPR and ePrivacy rules. CookieScript prevents this by automatically blocking third-party scripts — like analytics and ad tags — until the visitor gives valid consent. Nothing loads early, and no data is collected prematurely.
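The script-blocking behaviour described in this answer and in the CMP feature list above (paused third-party tags, audit-ready consent records, and the Google Consent Mode v2 mapping) can be shown in a few functions. The code below is an added example, not CookieScript’s code or any real CMP’s API: it assumes blocked tags are marked up as `<script type="text/plain" data-category="...">`, uses three made-up purpose categories, and feeds in constructed script URLs and timestamps. The pure-logic parts run in Node; only `activateBlockedScripts()` needs a browser DOM.

```javascript
// Added example (not CookieScript's code): consent-gated script loading,
// an append-only consent audit log, and a Google Consent Mode v2 mapping.
// Only activateBlockedScripts() touches a browser DOM; everything else is pure.

// Purpose categories a banner typically offers (assumed names). "necessary"
// cookies need no consent, so that category is always granted.
const CATEGORIES = Object.freeze(["necessary", "analytics", "marketing"]);

// Build an immutable consent record: which purposes were accepted or refused,
// when, and under which banner version, so the choice can later be evidenced
// to a DPA. `now` is injectable so records are reproducible in tests.
function recordConsent(choices, bannerVersion, now = () => new Date().toISOString()) {
  const granted = CATEGORIES.filter((c) => c === "necessary" || choices[c] === true);
  const denied = CATEGORIES.filter((c) => !granted.includes(c));
  return Object.freeze({ timestamp: now(), bannerVersion, granted, denied });
}

// Withdrawal must be as easy as consent: a fresh record refusing every
// non-necessary purpose, appended to the log rather than overwriting history.
function withdrawConsent(bannerVersion, now) {
  return recordConsent({}, bannerVersion, now);
}

// Append-only audit log. exportLines() yields JSON lines suitable for handing
// over during an inspection. Store only a pseudonymous visitor id, never raw PII.
class ConsentLog {
  constructor() { this.entries = []; }
  append(visitorId, record) {
    this.entries.push({ visitorId, ...record });
    return this.entries.length;
  }
  latestFor(visitorId) {
    const mine = this.entries.filter((e) => e.visitorId === visitorId);
    return mine.length ? mine[mine.length - 1] : null;
  }
  exportLines() { return this.entries.map((e) => JSON.stringify(e)).join("\n"); }
}

// Each descriptor mirrors a blocked tag such as
// <script type="text/plain" data-category="analytics" src="...">.
// Nothing runs until a record exists that grants the script's category.
function scriptsAllowedToRun(blockedScripts, consent) {
  if (!consent) return []; // no decision yet: keep everything paused
  return blockedScripts.filter((s) => consent.granted.includes(s.category));
}

// Browser-only: re-insert allowed scripts with an executable MIME type.
// A clone is needed because changing `type` on an existing node does not execute it.
function activateBlockedScripts(doc, consent) {
  const nodes = Array.from(doc.querySelectorAll('script[type="text/plain"][data-category]'));
  const descriptors = nodes.map((n) => ({ node: n, category: n.dataset.category }));
  for (const { node } of scriptsAllowedToRun(descriptors, consent)) {
    const live = doc.createElement("script");
    for (const { name, value } of Array.from(node.attributes)) {
      if (name !== "type") live.setAttribute(name, value);
    }
    live.type = "text/javascript";
    live.text = node.text;
    node.replaceWith(live);
  }
}

// Map a consent record onto Google Consent Mode v2 signal names. Before any
// decision everything is "denied"; the caller passes the result to
// gtag('consent', 'update', ...) in the browser.
function toConsentModeV2(consent) {
  const has = (c) => Boolean(consent && consent.granted.includes(c));
  const flag = (ok) => (ok ? "granted" : "denied");
  return {
    analytics_storage: flag(has("analytics")),
    ad_storage: flag(has("marketing")),
    ad_user_data: flag(has("marketing")),
    ad_personalization: flag(has("marketing")),
  };
}

// Constructed walk-through: a visitor accepts analytics only, then withdraws.
function demo() {
  const log = new ConsentLog();
  const blocked = [
    { src: "https://analytics.example/tag.js", category: "analytics" }, // constructed
    { src: "https://ads.example/pixel.js", category: "marketing" },     // constructed
  ];
  const before = scriptsAllowedToRun(blocked, log.latestFor("v-001"));
  log.append("v-001", recordConsent({ analytics: true }, "banner-v3", () => "2025-11-01T10:00:00Z"));
  const after = scriptsAllowedToRun(blocked, log.latestFor("v-001"));
  log.append("v-001", withdrawConsent("banner-v3", () => "2025-11-02T09:00:00Z"));
  const withdrawn = scriptsAllowedToRun(blocked, log.latestFor("v-001"));
  return { before, after, withdrawn, modeAfter: toConsentModeV2(log.latestFor("v-001")), entries: log.entries.length };
}
```

In a page, the banner’s accept/reject handler would call `recordConsent`, append the record to the log (persisted server-side for audit purposes), then call `activateBlockedScripts(document, record)` and push `toConsentModeV2(record)` to gtag. Keeping every record, including withdrawals, is what makes the log usable as evidence: a DPA can see not only the latest state but the full sequence of choices.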
How can global websites stay compliant across different regions and languages?
Not every visitor sees the same rules. CookieScript’s geo-targeting and multilingual features automatically show the right banner for the right region, covering GDPR in Europe, CCPA in California, and LGPD in Brazil, all in the visitor’s language.
How can privacy policies stay accurate as websites evolve?
It’s easy for disclosures to fall out of date when cookies or vendors change. CookieScript’s Privacy Policy and Cookie Policy Generator solves this by syncing policies with scan data — so whenever something new appears, your public documentation updates automatically.