Across twenty-three major matters in twelve jurisdictions, regulators kept returning to one charge: that Meta's drive to collect, combine and monetise personal data outran the consent, transparency and competition rules meant to contain it. Privacy enforcement accounts for more than four of every five dollars.
Meta's enforcement arc starts with U.S. deception and consent-order policing, expands sharply into EU GDPR enforcement, then broadens into competition, biometric-privacy, and advertising / unfair-competition theories. Privacy and data-governance failures dominate — both by number of major matters and by money at risk.
Several "separate" cases are really attacks on one business logic: large-scale data collection, cross-service integration, behavioural targeting, and business-side dependence on Meta-owned interfaces and defaults. The same conduct surfaces under U.S. consumer-deception law, EU GDPR, EU and national competition law, state biometric statutes, and consumer law abroad.
The aggregate — about $11.6B in nominal USD equivalents — is a high-confidence floor for major matters, not a full census. Read the original-currency official amounts first; the dollar totals are comparability tools, not statutory figures.
Legally diverse, economically coherent: one data engine, many bodies of law.
Approx. penalties by year, USD bn (selected major monetary matters). Two spikes: the 2019 FTC-led U.S. privacy reset ($5.1B) and the 2024 global enforcement wave ($2.88B).
Germany, Türkiye, India, Korea, the Irish ad cases and the DMA decision all object to combining data across Facebook, Instagram, WhatsApp and the wider web without meaningful opt-out. Different laws, one criticism: the drive to enlarge the data graph outran valid consent and fair competition.
The largest Irish cases don't allege a hack. They say Meta either failed to explain processing clearly enough or relied on the wrong lawful basis for monetisation — WhatsApp transparency, the Facebook/Instagram legal-basis decisions, the transatlantic transfers. These go to the consent and policy architecture of the ad model itself.
Scraping, plaintext passwords, the access-token breach — the DPC treated architectural and process weakness as sanctionable even without proven external misuse. A controller of Meta's size is expected to anticipate realistic abuse paths and build against them.
Competition authorities didn't copy the privacy regulators — they recoded data practices as market-structure harm: dominance, barriers to entry, self-preferencing and tying in display advertising and classifieds. Data becomes an input, an advantage, and sometimes a barrier to entry.
Italy's AGCM, Nigeria's FCCPC and Spain's publishers' judgment reframe the bargain: users pay in data. Spain goes furthest, turning allegedly unlawful data exploitation into an unfair advertising advantage that damaged rivals' revenues — a private-law damages award built on a GDPR breach.
Content moderation, labor and tax are live across Meta's perimeter but had not, by June 2026, produced comparable final monetary sanctions — only preliminary DSA findings, a contested Italian VAT theory, and ongoing Kenya litigation. The closed-case cost center remains privacy first, competition second.
Borrowing from information geometry, each matter is plotted as a point in an issue-space — near neighbours share legal theory, distant ones don't. Competition cases gather on the left, privacy on the right, security up top. Then each point is given mass equal to its penalty, and the map's center of gravity is the mass-weighted centroid: the single spot that best summarises where Meta's enforcement weight actually rests.
The twist that makes this a reference tool: the gravity moves depending on who is asking. Re-weight the same points by what a given audience cares about, and the centroid slides to that audience's region. Pick a lens below — the map re-lights and the crosshair relocates.
How to read this: each circle is one matter — position = how similar its legal theory is (similar matters cluster), size = penalty, colour = legal area (see key below), brightness = how much it matters to the chosen lens. The crosshair is the weighted balance point; the dashed rings show where the other lenses' balance point sits.
The portfolio is dominated by privacy and data-protection enforcement tied to ad-tech, data combination, and governance failures, with competition law a clear second tier. The order-of-magnitude conclusion is stable even after the currency caveats: major monetary exposure sits in the multi-billion range, anchored by the 2019 U.S. reset and the 2024 global wave.
The newest matters point forward. The DMA "pay-or-consent" fine and Spain's private-damages judgment show enforcement migrating past state fines toward gatekeeper-style structural duties and civil liability to competitors — formats that reach the ad-supported model more directly than any single penalty.
Scope note: this is a major-matters record, not an exhaustive census. Smaller matters (Ireland's €5.5M 2023 WhatsApp decision, Korea's 2024 sensitive-data fine) would modestly raise the totals. Many headline cases remain in appeal channels — the EU Marketplace and DMA decisions, the Spanish judgment, India's WhatsApp case, and several Irish GDPR fines. Dollar figures are approximate comparability tools converted at rounded decision-date FX; original-currency amounts are authoritative.