Elgarde

GDPR fines are no longer just for big tech — what small businesses need to know

Elgarde Team · 4 min read

The myth: “GDPR fines only hit large companies”

For years, the conventional wisdom among small business owners was simple: GDPR enforcement targets Google, Meta, and Amazon. A 10-person e-commerce shop selling handmade ceramics to Dutch customers? Not on anyone’s radar.

That was true — until recently. Between January 2025 and March 2026, EU data protection authorities issued over 400 fines to businesses with fewer than 50 employees. The median fine was EUR 8,500. The largest was EUR 180,000, levied against a Portuguese online retailer with 12 employees.

What changed

Three factors converged:

1. DPAs received new funding and tools

After years of underfunding, several EU data protection authorities received significant budget increases. The Dutch Autoriteit Persoonsgegevens (AP) doubled its enforcement staff in 2024. The French CNIL launched an automated scanning program that checks 10,000 websites per month for cookie compliance.

These tools don’t distinguish between large and small businesses. They scan URLs.

2. Complaint-driven enforcement scaled up

Most GDPR enforcement against SMBs starts with a complaint. Privacy advocacy groups — notably noyb (None of Your Business, founded by Max Schrems) — have filed thousands of standardized complaints against websites with cookie consent violations.

noyb’s approach is systematic: they spider a list of websites, test cookie consent, and file complaints for every violation found. In 2025 alone, noyb filed complaints against over 700 websites across 15 EU countries. Many of these were SMBs.

3. The ePrivacy Directive got teeth

Cookie consent violations fall under both the GDPR (for personal data processing) and the ePrivacy Directive (for storing information on a user’s device). Several member states updated their ePrivacy implementations in 2024-2025, explicitly authorizing their DPAs to issue administrative fines for cookie violations.

France led the way. The CNIL fined a 20-person marketing agency EUR 40,000 for setting Google Analytics cookies without valid consent. The agency argued it was “just using the standard GA4 setup.” The CNIL responded that the standard setup was itself non-compliant.

Real examples from 2025-2026

Country     | Business size | Violation                                  | Fine
------------|---------------|--------------------------------------------|-------------
France      | 15 employees  | GA4 cookies set before consent             | EUR 40,000
Netherlands | 8 employees   | No cookie banner at all                    | EUR 12,500
Portugal    | 12 employees  | Contact form data retained indefinitely    | EUR 180,000
Italy       | 22 employees  | Meta Pixel firing after rejection          | EUR 15,000
Belgium     | 5 employees   | No privacy policy, no DPO contact          | EUR 8,000

What makes SMBs vulnerable

Large companies have compliance teams, DPOs, and legal counsel on retainer. They still get fined, but they have processes to detect and fix issues.

Small businesses typically have none of that. Common vulnerabilities:

  • Template websites with pre-installed analytics scripts that fire before consent
  • Plugins and themes that load third-party resources (fonts, CDNs, social widgets) without consent management
  • CMP (consent management platform) misconfiguration — the banner says “Reject all” but the implementation doesn’t actually block non-essential cookies
  • No cookie policy or an outdated one that doesn’t reflect actual data processing
  • Retention failures — customer data, form submissions, and email lists kept indefinitely with no purge schedule

How to protect your business

The good news: compliance for a small website is achievable without a legal team. Here’s the minimum:

1. Audit what your website actually does

Don’t guess. Run an automated scan that shows which cookies are set, which scripts load, and which third-party services receive data. Elgarde’s free scan does this in under 30 seconds.

2. Verify that your CMP actually blocks rejected scripts

Ensure your CMP actually blocks non-essential scripts when users reject. Test this yourself: open your website in an incognito window, reject all cookies, and check the browser’s DevTools (Application tab → Cookies, Network tab → filter for third-party domains).

3. Publish a compliant privacy policy

Your privacy policy must accurately describe what data you collect, why, how long you keep it, and who you share it with. It must name your DPA and explain how users can exercise their rights. Generic templates from 2018 are usually outdated.

4. Set up data retention

If you collect contact form submissions, newsletter signups, or customer data, you need a retention schedule. “We keep everything forever” is not compliant. Set automatic deletion periods and document them.

5. Monitor continuously

Compliance is not a one-time project. A WordPress plugin update, a new analytics script, or a changed CMP configuration can introduce violations overnight. Consider automated monitoring that alerts you when something breaks.


Check your website’s compliance — free scan, results in 30 seconds, no registration required.
