A data protection authority (DPA) is an independent public body charged with enforcing privacy and data protection laws within its jurisdiction. Every EU and EEA member state has at least one. So do Brazil, the United Kingdom, South Africa, Canada, Japan, South Korea, Singapore, and dozens of other countries. If your website collects personal data from visitors in any of these regions, a DPA has the legal power to investigate how you handle that data - and to punish you if you get it wrong.

What a Data Protection Authority Actually Does

DPAs perform three core functions: supervision, complaint handling, and guidance. Under the GDPR, Article 57 lays out a long list of responsibilities, but they boil down to watching how organisations process personal data, giving people a route to complain when something goes wrong, and publishing advice so businesses can get it right before problems arise.

Supervision means active monitoring. A DPA can audit your data processing operations, demand documentation such as your records of processing activities, and access your premises to inspect systems.

Complaint handling gives individuals a direct path to a regulator. When someone believes their rights have been violated - say, a website ignored a request made under their right to erasure - they can file a complaint with their national DPA. The authority assesses the case, investigates if warranted, and can order corrective action or impose a fine.

Guidance is the proactive side. DPAs publish opinions, guidelines, FAQs, and sector-specific recommendations. France's CNIL, for instance, has published detailed rules on cookie banners and consent mechanisms since 2020, warning organisations well before issuing fines.

Key Data Protection Authorities Around the World

The landscape of privacy regulators varies by region. Some operate under a single comprehensive law, while others share enforcement duties across multiple agencies. The table below lists the most active DPAs that website owners are likely to encounter.

| Region | Authority | Key Law Enforced |
| --- | --- | --- |
| EU (coordinating body) | European Data Protection Board (EDPB) | GDPR (consistency and cross-border disputes) |
| France | CNIL | GDPR + French Data Protection Act |
| Ireland | Data Protection Commission (DPC) | GDPR |
| Germany | BfDI + 16 state-level DPAs | DSGVO (German GDPR) |
| United Kingdom | Information Commissioner's Office (ICO) | UK GDPR + Data Protection Act 2018 |
| Brazil | ANPD (Autoridade Nacional de Proteção de Dados) | LGPD |
| United States | FTC + California Privacy Protection Agency (CPPA) | FTC Act, CCPA/CPRA + state laws |
| Canada | Office of the Privacy Commissioner (OPC) | PIPEDA |
| South Africa | Information Regulator | POPIA |
| India | Data Protection Board (being established) | DPDPA |

Germany splits enforcement between a federal commissioner and 16 state authorities, each responsible for private-sector compliance in their region. The United States has no single federal DPA. The FTC acts as a de facto enforcer using its consumer protection mandate, while California's CPPA is the first state-level privacy agency, established under the CPRA in 2020.

Enforcement Powers: Investigations, Fines, and Bans

Article 58 of the GDPR divides DPA powers into investigative, corrective, and advisory categories. Investigative powers let a DPA order an organisation to hand over information and conduct on-site audits. Corrective powers include issuing warnings, ordering compliance, imposing processing bans, and levying administrative fines.

The fines are what make headlines. GDPR penalties follow a two-tier system under Article 83. The lower tier caps at 10 million euros or 2% of global annual turnover for breaches like failing to maintain processing records or report a data breach. The upper tier - up to 20 million euros or 4% of global turnover - applies to violations of core principles such as lawful processing, consent, and data subject rights.

These are not theoretical ceilings. Cumulative GDPR fines have exceeded 7.1 billion euros since May 2018, with roughly 1.2 billion euros issued in 2025 alone. Ireland's DPC fined TikTok 530 million euros in May 2025 for unlawful data transfers to China. France's CNIL fined Google 325 million euros and SHEIN 150 million euros in September 2025 for cookie consent violations.

Non-EU authorities carry similar weight. The UK's ICO can fine up to 17.5 million pounds or 4% of global turnover. Brazil's ANPD can impose penalties of up to 2% of a company's revenue in Brazil, capped at 50 million reais per infraction. California's CPPA levies fines of up to $7,500 per intentional violation - a figure that scales quickly when thousands of consumers are affected.

How the One-Stop-Shop Mechanism Works

When a company processes personal data across multiple EU countries, the GDPR's one-stop-shop mechanism (Article 56) determines which DPA takes the lead. The lead supervisory authority is typically the DPA in the country where the company has its main establishment - the place where central administration decisions about data processing are made.

Ireland's DPC, for example, acts as lead authority for Meta, Google, Apple, TikTok, and many other tech companies with European headquarters in Dublin. The lead DPA coordinates with other "concerned" DPAs through a cooperation procedure. If they cannot agree on an outcome, the EDPB can issue a binding decision to resolve the dispute.

One important exception affects cookie consent enforcement. Cookie rules fall under the ePrivacy Directive, not the GDPR, so the one-stop-shop mechanism does not apply to them. This is why France's CNIL was able to fine SHEIN's Irish subsidiary directly for cookie violations on shein.com - the ePrivacy framework lets any national authority enforce cookie rules within its territory.

What DPAs Look for on Your Website

DPAs do not only respond to complaints. Many conduct proactive sweeps and audits targeting specific issues. The EDPB runs coordinated enforcement actions on a rotating topic each year. Past themes have included the use of cloud services by the public sector (2023), Data Protection Officer appointments (2024), and the right of access (2025). A coordinated action on the right to erasure launched in early 2026.

For website owners, the areas most likely to trigger scrutiny include:

  • Cookie consent mechanisms - whether your cookie banner sets non-essential cookies before obtaining consent, whether rejecting cookies is as easy as accepting them, and whether cookie choices are actually respected by the underlying scripts.

  • Privacy notices - whether your privacy policy clearly identifies the legal basis for each processing activity, names the data controller, and explains data subject rights.

  • Data subject rights - whether you respond to access, deletion, and portability requests within the required timeframes (typically 30 days under the GDPR).

  • International data transfers - whether personal data sent outside the EEA is protected by adequate safeguards such as standard contractual clauses or an adequacy decision.

  • Third-party scripts - whether third-party tracking pixels and analytics tools process data lawfully and with proper consent.

The CNIL's September 2025 cookie fines illustrate the practical risk. Both Google and SHEIN were caught placing advertising cookies on users' devices before any consent interaction took place. SHEIN's "Reject all" button did not actually stop cookies from being set. These are not edge cases - they are common technical failures that a cookie scanner would detect in minutes.
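The two failures just described (cookies set before any consent interaction, and a "Reject all" choice that the site's scripts do not honour) can be checked mechanically. The script below is an added example, not Kukie.io's scanner or any code from the article: it parses Set-Cookie headers captured during three phases of a banner walkthrough (page load before any click, after "Reject all", after "Accept all"), compares each cookie against the categories the site itself declares in its cookie policy, and reports every cookie that a phase does not permit. The cookie names, the declared categories, and the captured headers are all constructed for the demonstration; a deletion header (Max-Age=0) after rejection is treated as compliant rather than as a new cookie.

```javascript
// Added example: a minimal cookie-consent audit over Set-Cookie headers
// captured at three phases of a consent-banner walkthrough.
// Not the scanner described on the page; all sample data is constructed.

// Parse one raw Set-Cookie header into { name, value, attributes }.
// Attribute keys are lower-cased; flag attributes (HttpOnly, Secure) map to true.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim()).filter(Boolean);
  const [name, ...valueBits] = parts[0].split("=");
  const attributes = {};
  for (const attr of parts.slice(1)) {
    const [k, ...v] = attr.split("=");
    attributes[k.trim().toLowerCase()] = v.length ? v.join("=").trim() : true;
  }
  return { name: name.trim(), value: valueBits.join("="), attributes };
}

// Map a cookie name to the category the site declares for it.
// Undeclared cookies are a finding in every phase: they also mean the
// privacy notice is incomplete.
function categorise(name, declared) {
  for (const [category, names] of Object.entries(declared)) {
    if (names.includes(name)) return category;
  }
  return "undeclared";
}

// Audit the headers observed in each phase against the categories that
// phase permits. Returns a list of { phase, cookie, category } findings.
function auditConsent(phases, declared) {
  const findings = [];
  const check = (phase, headers, allowedCategories) => {
    for (const header of headers) {
      const { name, attributes } = parseSetCookie(header);
      // A Max-Age=0 header removes a cookie; that is the desired behaviour after reject.
      if (attributes["max-age"] === "0") continue;
      const category = categorise(name, declared);
      if (!allowedCategories.includes(category)) {
        findings.push({ phase, cookie: name, category });
      }
    }
  };
  // Before any interaction and after "Reject all", only strictly necessary cookies may be set.
  check("beforeConsent", phases.beforeConsent, ["essential"]);
  check("afterReject", phases.afterReject, ["essential"]);
  // After "Accept all" every declared category is allowed; undeclared cookies are still flagged.
  check("afterAccept", phases.afterAccept, Object.keys(declared));
  return findings;
}

// Constructed cookie policy for a hypothetical site (not a real site's declaration).
const DECLARED = {
  essential: ["session_id", "csrf_token", "consent_state"],
  analytics: ["_ga", "_gid"],
  advertising: ["_fbp", "ads_uid"],
};

// Constructed captures of Set-Cookie headers from each walkthrough phase.
const SAMPLE_PHASES = {
  beforeConsent: [
    "session_id=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "_ga=GA1.2.111; Max-Age=63072000; Path=/", // analytics set before consent
  ],
  afterReject: [
    "consent_state=rejected; Max-Age=31536000; Path=/",
    "_ga=; Max-Age=0; Path=/", // deletion of the pre-consent cookie: compliant
    "_fbp=fb.1.222; Max-Age=7776000; Path=/", // advertising cookie despite "Reject all"
  ],
  afterAccept: [
    "_gid=GA1.2.333; Max-Age=86400; Path=/",
    "tracker_x=1; Path=/", // not declared anywhere in the cookie policy
  ],
};

function runSample() {
  return auditConsent(SAMPLE_PHASES, DECLARED);
}

console.log(JSON.stringify(runSample(), null, 2));
```

On the constructed captures the audit returns three findings: `_ga` in the pre-consent phase, `_fbp` after rejection, and `tracker_x` as undeclared after acceptance. In practice the header captures come from a headless browser driving the banner through each phase; the same check can be run over `document.cookie` snapshots if the scanner works client-side, with the parsing reduced to splitting on `;` and `=`.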

How to File a Complaint With a DPA

Any individual can lodge a complaint with their national DPA free of charge. Under GDPR Article 77, the complaint goes to the authority in the member state where the person resides, works, or where the alleged infringement occurred. Most DPAs accept complaints through an online form on their website.

The DPA acknowledges the complaint, assesses whether it falls within its remit, and may contact the organisation for a response. If it finds a violation, it can order corrective measures, impose a fine, or both.

Businesses should treat every DPA complaint seriously - a single unresolved case can trigger a broader investigation. Maintaining clear subject access request processes and a documented cookie policy reduces the chance of complaints escalating.

The Global Trend: More Countries, More Authorities, More Enforcement

Over 130 countries now have data protection laws, and the majority have established dedicated supervisory bodies. India finalised the rules for its Digital Personal Data Protection Act in November 2025, creating a four-person Data Protection Board with enforcement powers. The trend is clear: enforcement is expanding, not contracting.

In the United States, eight new state privacy laws took effect between January 2025 and January 2026, each enforced by its state attorney general. California's CPPA has moved beyond rulemaking into active enforcement, fining data brokers who failed to register under the Delete Act.

For website owners operating across borders, this means dealing with multiple DPAs at once. A consent management platform that adapts to visitor location is no longer optional - it is a practical necessity for avoiding regulatory exposure in every market you serve.

Frequently Asked Questions

Can a DPA fine my website if my business is outside the EU?

Yes. The GDPR applies to any organisation that processes personal data of individuals in the EU, regardless of where the business is located (Article 3). DPAs have fined companies based in the United States, China, Israel, and elsewhere. Clearview AI, for example, has received fines from DPAs in France, Italy, Greece, and the Netherlands totalling over 100 million euros.

Which DPA handles cookie consent complaints in the EU?

Cookie rules fall under the ePrivacy Directive, not the GDPR, so the one-stop-shop mechanism does not apply. The DPA in the country where the user is located can investigate cookie violations directly. France's CNIL fined SHEIN's Irish subsidiary 150 million euros for cookie breaches affecting French users, bypassing Ireland's DPC entirely.

How long does a DPA investigation usually take?

Simple complaints may be resolved within a few months, but complex cross-border cases can take two to four years. The TikTok data transfer investigation by Ireland's DPC, which resulted in a 530 million euro fine in 2025, began years earlier. Maintaining thorough records and responding promptly to DPA requests can speed up the process.

Do I need to notify a DPA before processing personal data?

Under the GDPR, there is no general obligation to notify a DPA before processing data. You must consult the DPA if a data protection impact assessment reveals high residual risk (Article 36), and you must notify within 72 hours of discovering a personal data breach (Article 33).

Is there a data protection authority in the United States?

There is no single federal DPA. The FTC enforces privacy through its consumer protection authority, while the CPPA in California is the first state-level dedicated privacy regulator. Other states rely on their attorneys general to enforce privacy statutes.

Stay Ahead of DPA Enforcement

Regulators are issuing more fines, investigating more websites, and coordinating across borders more effectively than at any point since the GDPR took effect. A compliant cookie banner, a clear privacy policy, and a documented consent trail are no longer nice-to-have items - they are the minimum a DPA expects to see. Kukie.io scans your site for cookies, categorises them, and generates the consent records DPAs ask for during investigations.
