The fines, penalties, and other sanctions associated with violations of privacy and cybersecurity laws typically are a function of the particular legal regime being violated. For example, FCRA allows harmed consumers to recover between $100 and $1,000 in statutory damages for willful violations of the statute, while other statutes give regulators even greater flexibility to impose fines commensurate with the nature of the violation.
Outside the US, penalties for violations of privacy laws can be significant. The primary example of that is GDPR, which allows for penalties of up to four percent of worldwide revenue or €20 million (whichever is higher).1
1 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR), O.J. 2016 L 119/1, art. 83.