What this calculator does
Regulatory penalties after a data breach can be assessed in very different ways depending on the legal framework. This calculator provides a simplified estimate of potential maximum administrative fines under two commonly discussed regimes:
- GDPR (EU/EEA): fines are capped using a “whichever is higher” approach—either a percentage of worldwide annual turnover or a fixed euro amount, depending on the tier.
- CCPA/CPRA (California): civil penalties are often discussed as per-violation amounts ($2,500 or $7,500), which can be approximated by multiplying the per-violation amount by the number of affected consumer records.
Important: outputs are high-level estimates intended for planning and context, not a prediction of what a regulator will actually assess in a real case.
Inputs explained
Annual global revenue (GDPR)
For GDPR tiers, the relevant baseline is the organization’s worldwide annual revenue/turnover (typically the prior financial year). The calculator uses this to compute the percentage-based cap.
Affected records
This is the number of impacted individuals/consumers (or records) involved in the incident. For CCPA/CPRA penalty estimates, the calculator treats this value as the count of potential “violations” for a rough upper-bound style estimate.
Regulation and severity
Select the tier/severity that best matches the scenario you’re exploring. For GDPR, the “lower” vs “upper” tier corresponds to different statutory maximums. For CCPA, “unintentional” vs “intentional” corresponds to different per-violation penalty ceilings.
Formulas used (simplified statutory maxima)
GDPR maximum fine (tiered cap)
GDPR administrative fines are commonly summarized as the higher of a percentage cap and a fixed euro cap for the selected tier:
F = max(p × R, M)
- F = estimated maximum fine (EUR)
- p = percentage cap (0.02 for “lower tier”, 0.04 for “upper tier”)
- R = annual global revenue/turnover (EUR)
- M = fixed cap (€10,000,000 for lower tier, €20,000,000 for upper tier)
Note that the percentage term only exceeds the fixed cap once R passes M ÷ p, which is €500,000,000 for either tier (€10M ÷ 0.02 and €20M ÷ 0.04 both give €500M); below that revenue the fixed cap is the output.
CCPA/CPRA civil penalty estimate (per-record approximation)
This calculator uses a straightforward multiplication model:
F = c × N
- F = estimated civil penalties (USD)
- c = per-violation amount ($2,500 unintentional; $7,500 intentional)
- N = affected records
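The two models above, implemented as an added example (this is not the calculator's own code). It uses the page's symbols p, R, M, c and N; the tier/severity names ("lower"/"upper", "unintentional"/"intentional"), the Estimate record, the input validation and the crossover helper are assumptions made here for illustration. Money is handled with Decimal so that large turnover figures do not pick up floating-point error.

```python
"""Simplified breach-fine estimator following the page's two models.

Added example, not the calculator's own code. Tier/severity names, the
Estimate record and the crossover helper are assumptions chosen here.
"""
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

# GDPR Article 83 tiers as the page states them: (percentage cap p, fixed cap M in EUR)
GDPR_TIERS = {
    "lower": (Decimal("0.02"), Decimal("10000000")),
    "upper": (Decimal("0.04"), Decimal("20000000")),
}
# CCPA/CPRA headline per-violation amounts c in USD
CCPA_RATES = {
    "unintentional": Decimal("2500"),
    "intentional": Decimal("7500"),
}
CENTS = Decimal("0.01")


@dataclass(frozen=True)
class Estimate:
    amount: Decimal
    currency: str   # "EUR" or "USD"; never converted, as the page notes
    driver: str     # which term produced the number


def _money(value) -> Decimal:
    """Coerce a numeric input to Decimal via str() so floats don't leak binary error."""
    amount = Decimal(str(value))
    if not amount.is_finite() or amount < 0:
        raise ValueError(f"monetary input must be a finite non-negative number, got {value!r}")
    return amount


def gdpr_max_fine(revenue_eur, tier: str) -> Estimate:
    """F = max(p * R, M) for the chosen tier; reports which cap dominated."""
    if tier not in GDPR_TIERS:
        raise ValueError(f"tier must be one of {sorted(GDPR_TIERS)}, got {tier!r}")
    p, fixed_cap = GDPR_TIERS[tier]
    revenue = _money(revenue_eur)
    pct_cap = (p * revenue).quantize(CENTS, rounding=ROUND_HALF_UP)
    if pct_cap > fixed_cap:
        return Estimate(pct_cap, "EUR", "percentage of turnover")
    return Estimate(fixed_cap, "EUR", "fixed cap")


def gdpr_crossover_revenue(tier: str) -> Decimal:
    """Turnover R = M / p above which the percentage term exceeds the fixed cap."""
    p, fixed_cap = GDPR_TIERS[tier]
    return fixed_cap / p


def ccpa_penalty_estimate(affected_records, severity: str) -> Estimate:
    """F = c * N, treating every affected record as one violation (upper-bound style)."""
    if severity not in CCPA_RATES:
        raise ValueError(f"severity must be one of {sorted(CCPA_RATES)}, got {severity!r}")
    if (isinstance(affected_records, bool) or not isinstance(affected_records, int)
            or affected_records < 0):
        raise ValueError(f"affected records must be a non-negative integer, got {affected_records!r}")
    return Estimate(CCPA_RATES[severity] * affected_records, "USD", "per-violation count")


def describe(estimate: Estimate) -> str:
    """Plain-text line suitable for a report; keeps the currency visible."""
    symbol = {"EUR": "€", "USD": "$"}[estimate.currency]
    return f"{symbol}{estimate.amount:,.2f} {estimate.currency} ({estimate.driver})"


if __name__ == "__main__":
    # The page's worked example: €50M turnover, 10,000 affected records
    print(describe(gdpr_max_fine(50_000_000, "upper")))        # fixed cap dominates
    print(describe(ccpa_penalty_estimate(10_000, "intentional")))
    print("GDPR upper-tier crossover turnover:", gdpr_crossover_revenue("upper"))
```

The `driver` field is there because the useful output of a cap model is not just the number but which term produced it; for any turnover below the crossover the estimate is simply the fixed cap and does not move with revenue at all.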
How to interpret the results
- GDPR output is a cap-style maximum: it shows the higher of “% of revenue” or “fixed amount” for the selected tier. Real-world outcomes often land below the cap based on case-specific factors.
- CCPA/CPRA output is a scaling estimate: multiplying per-violation amounts by record counts can produce very large numbers. Enforcement practice, settlement, prosecutorial discretion, cure periods (where applicable), and how “violation” is counted can materially change the outcome.
- Currencies are not converted: GDPR results are in EUR (€); CCPA/CPRA results are in USD ($). If you need a single currency view, convert externally using your preferred FX source and date.
Worked example
Assume:
- Annual global revenue: €50,000,000
- Affected records: 10,000
Example A: GDPR upper tier (4% or €20M, whichever is higher)
- Percentage cap: 4% × €50,000,000 = €2,000,000
- Fixed cap: €20,000,000
- Maximum (higher of the two): €20,000,000
Interpretation: at this revenue level, the fixed cap dominates; the upper-tier statutory maximum is €20M, even though 4% of revenue is smaller.
Example B: CCPA/CPRA intentional ($7,500 per record)
- Penalty estimate: $7,500 × 10,000 = $75,000,000
Interpretation: the per-record model scales rapidly with record count. Actual assessed penalties may differ depending on enforcement approach and how violations are counted.
Quick comparison
| Framework | What the calculator models | Primary driver(s) | Output currency |
|---|---|---|---|
| GDPR (Lower tier) | max(2% × revenue, €10M) | Revenue-based cap vs fixed cap | EUR (€) |
| GDPR (Upper tier) | max(4% × revenue, €20M) | Revenue-based cap vs fixed cap | EUR (€) |
| CCPA/CPRA (Unintentional) | $2,500 × affected records | Record/violation count | USD ($) |
| CCPA/CPRA (Intentional) | $7,500 × affected records | Record/violation count | USD ($) |
Assumptions and limitations (read before relying on the estimate)
- Statutory maxima only: For GDPR, the calculator expresses the statutory maximum cap for the chosen tier, not a likely fine. For CCPA/CPRA, it applies the headline per-violation amounts as a simple multiplier.
- Not legal advice; enforcement is discretionary: Real determinations can incorporate severity, duration, negligence/intent, categories of data, mitigation, cooperation, prior history, and proportionality.
- “Per record” is an approximation for CCPA/CPRA: Whether each affected record equals a separate “violation,” and how violations are aggregated, can vary by facts and enforcement posture.
- Consumer statutory damages not included: The model does not include potential private litigation exposure (e.g., statutory damages ranges), class action settlement dynamics, or contractual claims.
- No currency conversion: GDPR uses EUR and CCPA/CPRA uses USD; the calculator does not normalize currencies.
- No caps from ability-to-pay or negotiated outcomes: Settlements, corrective action plans, and practical collection considerations are not modeled.
Sources (starting points)
- GDPR administrative fines are set out in Article 83; the lower tier (up to €10M or 2% of worldwide annual turnover) is Article 83(4) and the upper tier (up to €20M or 4%) is Article 83(5).
- CCPA/CPRA civil penalties are commonly summarized using the $2,500 (unintentional) and $7,500 (intentional) figures from Cal. Civ. Code § 1798.155 in public guidance and commentary.
For compliance decisions, consult primary legal text and qualified counsel for your jurisdiction and facts.