What is a typical GDPR fine scenario for email misuse?
A typical GDPR fine scenario for email misuse involves a clear, documented consent violation. Example: a company sends marketing emails to individuals who never opted in, or keeps sending after they unsubscribe. A data subject complains to their supervisory authority. The authority investigates, requests the company's consent records, and finds either no records, inadequate records (pre-checked boxes, consent bundled with unrelated terms), or evidence that opt-outs were ignored. The authority then issues a fine proportionate to the violation's severity, the company's size, and its intent.
Real enforcement cases have targeted a range of consent and opt-out failures. Companies have been fined for sending millions of marketing emails without valid consent; using pre-checked boxes, which GDPR does not recognise as consent; purchasing email lists without verifiable consent; continuing to email after unsubscribe requests; failing to offer a clear opt-out mechanism; and collecting consent through manipulative dark patterns. Fines have ranged from thousands to millions of euros depending on scale, intent, and repeat behaviour. One practical caveat: in the EU and UK, the rules on unsolicited marketing email themselves come from the ePrivacy Directive and its national implementations (PECR in the UK), so email marketing cases are often brought under those rules alongside or instead of GDPR, with GDPR governing the underlying processing of the recipients' personal data.
Factors influencing fine amounts (set out in GDPR Article 83) include: the nature and gravity of the violation (how serious it is and how many people are affected); its duration (a one-time error versus a sustained practice); intent (negligence versus deliberate violation); mitigation efforts (did the company try to fix it and limit the harm?); cooperation with the authority; previous violations; and the financial benefit gained from the violation, with the company's turnover setting the ceiling (up to 4% of worldwide annual turnover or €20 million, whichever is higher, for the most serious breaches). First-time technical violations by cooperative companies typically result in lower fines than repeated, wilful violations by uncooperative organisations. Fines aren't arbitrary. They reflect the seriousness of the violation, the company's response, and the message regulators want to send about compliance expectations.