Data Breach Regulatory Fine Calculator

JJ Ben-Joseph

Introduction: What this calculator does

Regulatory penalties after a data breach can be assessed in very different ways depending on the legal framework. This calculator provides a simplified estimate of potential maximum administrative fines under two commonly discussed regimes: the EU GDPR (tiered caps under Article 83) and California's CCPA/CPRA (per-violation civil penalties).

Important: outputs are high-level estimates intended for planning and context, not a prediction of what a regulator will actually assess in a real case.

Inputs explained

Annual global revenue (GDPR)

For GDPR tiers, the relevant baseline is the organization’s worldwide annual revenue/turnover (typically the prior financial year). The calculator uses this to compute the percentage-based cap.

Affected records

This is the number of impacted individuals/consumers (or records) involved in the incident. For CCPA/CPRA penalty estimates, the calculator treats this value as the count of potential “violations” for a rough upper-bound style estimate.

Regulation and severity

Select the tier/severity that best matches the scenario you’re exploring. For GDPR, the “lower” vs “upper” tier corresponds to different statutory maximums. For CCPA, “unintentional” vs “intentional” corresponds to different per-violation penalty ceilings.

Formulas used (simplified statutory maxima)

GDPR maximum fine (tiered cap)

GDPR administrative fines are commonly summarized as the maximum of a percentage cap and a fixed euro cap:

F = max ( p·R , M )
  • F = estimated maximum fine (EUR)
  • p = percentage cap (0.02 for “lower tier”, 0.04 for “upper tier”)
  • R = annual global revenue/turnover (EUR)
  • M = fixed cap (€10,000,000 for lower tier, €20,000,000 for upper tier)

CCPA/CPRA civil penalty estimate (per-record approximation)

This calculator uses a straightforward multiplication model:

F = c × N

  • F = estimated civil penalties (USD)
  • c = per-violation amount ($2,500 unintentional; $7,500 intentional)
  • N = affected records
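The two formulas above, implemented as an added example (this is not the calculator's own code). It uses the page's symbols (p, R, M for GDPR; c, N for CCPA/CPRA) and the tier constants from this page, and it also reports which term of the GDPR formula produced the result and the revenue at which the percentage term overtakes the fixed cap (R* = M / p), which the text does not state explicitly. The function and class names are assumptions made for this example.

```python
from dataclasses import dataclass
from decimal import Decimal

# Statutory maxima as summarized on this page.
# GDPR Article 83 tiers: (percentage cap p, fixed cap M in EUR).
GDPR_TIERS = {
    "lower": (Decimal("0.02"), Decimal("10000000")),  # 2% of turnover or EUR 10M, whichever is higher
    "upper": (Decimal("0.04"), Decimal("20000000")),  # 4% of turnover or EUR 20M, whichever is higher
}
# CCPA/CPRA headline per-violation amounts c (USD).
CCPA_PER_VIOLATION = {
    "unintentional": Decimal("2500"),
    "intentional": Decimal("7500"),
}


@dataclass(frozen=True)
class Estimate:
    amount: Decimal        # estimated maximum, in `currency`
    currency: str          # "EUR" or "USD"; the two regimes are never converted
    binding_term: str      # which term of the formula produced `amount`


def gdpr_max_fine(revenue_eur, tier):
    """F = max(p * R, M) for the selected Article 83 tier (hypothetical helper name)."""
    if tier not in GDPR_TIERS:
        raise ValueError(f"unknown GDPR tier: {tier!r}")
    R = Decimal(str(revenue_eur))
    if R < 0:
        raise ValueError("revenue must be non-negative")
    p, M = GDPR_TIERS[tier]
    pct_term = (p * R).quantize(Decimal("0.01"))
    if pct_term > M:
        return Estimate(pct_term, "EUR", f"{p * 100:.0f}% of revenue")
    return Estimate(M, "EUR", "fixed cap")


def gdpr_crossover_revenue(tier):
    """Revenue R* = M / p above which the percentage term exceeds the fixed cap."""
    p, M = GDPR_TIERS[tier]
    return M / p


def ccpa_penalty_estimate(affected_records, severity):
    """F = c * N, treating every affected record as one potential violation."""
    if severity not in CCPA_PER_VIOLATION:
        raise ValueError(f"unknown CCPA/CPRA severity: {severity!r}")
    N = int(affected_records)
    if N < 0:
        raise ValueError("affected records must be non-negative")
    c = CCPA_PER_VIOLATION[severity]
    return Estimate(c * N, "USD", f"${c} x {N} violations")


def scenario(revenue_eur, affected_records, gdpr_tier, ccpa_severity):
    """Run both regimes on one input set; results stay in their own currencies."""
    return {
        "gdpr": gdpr_max_fine(revenue_eur, gdpr_tier),
        "ccpa": ccpa_penalty_estimate(affected_records, ccpa_severity),
    }


if __name__ == "__main__":
    # Constructed input matching the worked example on this page.
    result = scenario(50_000_000, 10_000, "upper", "intentional")
    for regime, est in result.items():
        print(f"{regime}: {est.amount:,.2f} {est.currency} ({est.binding_term})")
    for tier in GDPR_TIERS:
        print(f"GDPR {tier} tier: percentage term binds above EUR {gdpr_crossover_revenue(tier):,.0f}")
```

Both tiers cross over at the same revenue (€10M / 2% = €20M / 4% = €500M), so for any organization with worldwide turnover below €500M the calculator's GDPR output is simply the fixed cap for the chosen tier.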

How to interpret the results

  • GDPR output is a cap-style maximum: it shows the higher of “% of revenue” or “fixed amount” for the selected tier. Real-world outcomes often land below the cap based on case-specific factors.
  • CCPA/CPRA output is a scaling estimate: multiplying per-violation amounts by record counts can produce very large numbers. Enforcement practice, settlement, prosecutorial discretion, cure periods (where applicable), and how “violation” is counted can materially change the outcome.
  • Currencies are not converted: GDPR results are in EUR (€); CCPA/CPRA results are in USD ($). If you need a single currency view, convert externally using your preferred FX source and date.

Worked example

Assume:

  • Annual global revenue: €50,000,000
  • Affected records: 10,000

Example A: GDPR upper tier (4% or €20M, whichever is higher)

  1. Percentage cap: 4% × €50,000,000 = €2,000,000
  2. Fixed cap: €20,000,000
  3. Maximum (higher of the two): €20,000,000

Interpretation: at this revenue level, the fixed cap dominates; the upper-tier statutory maximum is €20M, even though 4% of revenue is smaller. Because €10M / 2% and €20M / 4% both equal €500M, the fixed cap is the binding term for either tier whenever worldwide turnover is below €500M; only above that does the percentage term take over.

Example B: CCPA/CPRA intentional ($7,500 per record)

  1. Penalty estimate: $7,500 × 10,000 = $75,000,000

Interpretation: the per-record model scales rapidly with record count. Actual assessed penalties may differ depending on enforcement approach and how violations are counted.

Assumptions and limitations (read before relying on the estimate)

  • Statutory maxima only: For GDPR, the calculator expresses the statutory maximum cap for the chosen tier, not a likely fine. For CCPA/CPRA, it applies the headline per-violation amounts as a simple multiplier.
  • Not legal advice; enforcement is discretionary: Real determinations can incorporate severity, duration, negligence/intent, categories of data, mitigation, cooperation, prior history, and proportionality.
  • “Per record” is an approximation for CCPA/CPRA: Whether each affected record equals a separate “violation,” and how violations are aggregated, can vary by facts and enforcement posture.
  • Consumer statutory damages not included: The model does not include potential private litigation exposure (e.g., statutory damages ranges), class action settlement dynamics, or contractual claims.
  • No currency conversion: GDPR uses EUR and CCPA/CPRA uses USD; the calculator does not normalize currencies.
  • No caps from ability-to-pay or negotiated outcomes: Settlements, corrective action plans, and practical collection considerations are not modeled.

Quick comparison

Framework                  | What the calculator models     | Primary driver(s)               | Output currency
GDPR (Lower tier)          | max(2% × revenue, €10M)        | Revenue-based cap vs fixed cap  | EUR (€)
GDPR (Upper tier)          | max(4% × revenue, €20M)        | Revenue-based cap vs fixed cap  | EUR (€)
CCPA/CPRA (Unintentional)  | $2,500 × affected records      | Record/violation count          | USD ($)
CCPA/CPRA (Intentional)    | $7,500 × affected records      | Record/violation count          | USD ($)

Sources (starting points)

  • GDPR administrative fines are commonly discussed in relation to Article 83 (tiered maximums).
  • CCPA/CPRA civil penalties are commonly summarized using $2,500 (unintentional) and $7,500 (intentional) figures in public guidance and commentary.

For compliance decisions, consult primary legal text and qualified counsel for your jurisdiction and facts.

How to use this calculator

  1. Enter Annual global revenue (€) as worldwide annual turnover for the period shown by the field (typically the prior financial year).
  2. Enter Affected records as the count of impacted individuals/consumers or records.
  3. Select the Regulation and severity (GDPR lower/upper tier, or CCPA/CPRA unintentional/intentional) for the scenario you are exploring.
  4. Run the calculation and compare the output with a second scenario before acting on it.

Arcade Mini-Game: Data Breach Regulatory Fine Calculator Calibration Run

Use this quick arcade run to practice separating useful scenario inputs from common planning mistakes before you rely on the calculator output.
