Last updated on 08 August 2022 by Leah Hamilton (Qualified Solicitor. Writer at TermsFeed)
Companies need to understand the privacy laws in the regions where they do business, and the fines and penalties associated with non-compliance with such laws.
Many business owners don't understand the gravity of violating existing privacy laws such as the EU's General Data Protection Regulation (GDPR) or the California Online Privacy Protection Act (CalOPPA). However, the cost of non-compliance can be staggering.
Here are ten examples of well-known companies fined for privacy law violations over the last few years:
Let's take a look at a few of the most widely-applicable privacy laws and what the fines are for violating each of them.
CalOPPA applies to any operator of a commercial website or online service that collects personally identifiable information from California residents, regardless of whether the operator is based in California.
CalOPPA's term is "personally identifiable information," which it defines as individually identifiable information about a consumer that is collected online.
This includes things like:
It also covers any identifier that permits a user to be contacted online, and information an operator maintains in combination with such an identifier, so data tied to persistent identifiers like cookies or IP addresses can fall within scope.
CalOPPA itself sets no penalty, but a company that violates it can still face severe fines: a CalOPPA violation counts as an unlawful business practice under the California Unfair Competition Law (UCL).
The UCL forbids businesses from engaging in any practice that is unlawful, unfair, or fraudulent, and each violation can result in a civil penalty of up to $2,500.
The Children's Online Privacy Protection Act (COPPA) is a United States federal law. The FTC has enforcement authority over COPPA compliance and has brought numerous actions against website and app operators for violating the law.
The goal of COPPA is to protect the privacy and security of personal information collected online from children under the age of 13. It applies to operators of websites and online services that are directed to children, or that have actual knowledge they are collecting personal information from a child under 13.
According to COPPA, personal data includes but is not limited to:
COPPA requires businesses to:
Businesses that violate COPPA can be subject to civil penalties. The maximum civil penalty per violation is adjusted for inflation each year; at the 2020 adjustment it was $43,280, and a court may count each affected child as a separate violation.
There are some important steps companies can take to ensure they comply with COPPA. These include:
Businesses can help protect children's online privacy by taking these steps while avoiding costly fines and penalties.
The "EU Cookies Directive" is the common name for the 2009 amendment (Directive 2009/136/EC) to the EU's e-Privacy Directive (2002/58/EC), which added the consent requirement for cookies in Article 5(3).
The essential idea behind it is that companies must obtain user consent before placing cookies on a user's device, whether a computer, laptop or smartphone. The one exemption is for cookies that are strictly necessary to provide a service the user has explicitly requested, such as a session cookie that keeps a shopping cart together.
Cookies are small text files that a website stores in your browser when you visit it. They are used for various purposes, like remembering your login details or tracking your browsing habits across sites.
Companies that collect personal data through cookies must provide clear and concise information about their activities and ensure that users can easily give or withhold their consent. Failure to do so can result in hefty fines.
The Cookies Directive has been widely criticized for being too complicated and putting an undue burden on businesses. Nevertheless, it remains an integral part of EU legislation.
The Directive itself does not set fine levels; those are fixed by each member state's implementing law. In the UK, for example, the Privacy and Electronic Communications Regulations (PECR), which implement the Directive, allow the Information Commissioner's Office to issue a monetary penalty of up to 500,000 GBP for a serious contravention that was deliberate, or where the organisation knew or ought to have known of the risk.
There are a few crucial things that companies need to do to comply with the Directive.
Second, companies must ensure that they have implemented appropriate technical and organizational measures to protect user data. Part of that is ensuring that only authorized personnel have access to cookie data and that all data is securely stored.
Finally, companies should keep detailed records of their compliance with the Directive, including information about the cookies used on their website and how they obtained consent from visitors.
These records should be made available upon request to authorities or individuals who exercise their right to access their personal data.
The General Data Protection Regulation (GDPR) has been a game-changer for how businesses protect the data of their customers and users. The EU created it in response to the awareness that people have become increasingly comfortable sharing their personal information online without understanding the implications.
The GDPR is designed to give individuals more control over their data, and to hold businesses accountable for failing to safeguard it.
The main principles of the GDPR are that companies must only collect data for specific, explicit, and legitimate purposes, and that the data must:
People who are protected by the GDPR (data subjects) are also given a number of rights that businesses must facilitate.
The GDPR sets out the maximum administrative fines that national supervisory authorities can impose on companies for breaching the law. These fines are tiered, with the second tier covering the most serious breaches.
The maximum fine that can be levied for a first-tier breach is 10,000,000 EUR, or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
These GDPR fines are significantly higher than those available under the previous regime, the Data Protection Directive, which left penalties to each member state. The UK's Data Protection Act 1998, for example, capped fines at 500,000 GBP.
Second-tier fines max out at 20,000,000 EUR or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher.
In determining the fine amount, the GDPR considers the infringement's nature, gravity, and duration, the number of data subjects impacted, and the level of damage they suffered. The Regulation also provides for a series of aggravating and mitigating factors that may be considered when setting the fine level.
To comply with the GDPR and avoid violations, the law requires businesses to take a number of steps to protect the personal data they hold.
These include but aren't limited to:
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian federal law that sets out how organizations must handle the personal information of Canadians.
It establishes guidelines and rules regarding how organizations collect, use, and disclose personal information.
PIPEDA protects four primary consumer rights. These are:
PIPEDA's fines attach to specific offences rather than to every breach: knowingly failing to report or keep records of a security breach, destroying information that is the subject of an access request, retaliating against an employee who reports a contravention, or obstructing the Privacy Commissioner. An organization convicted of one of these offences can be fined up to CAD 100,000 per violation.
Business owners can take a few simple steps to ensure they are compliant with PIPEDA.
First, they should appoint a privacy officer responsible for ensuring the organization complies with PIPEDA requirements.
Second, they should develop policies and procedures to protect personal information and train all employees on these policies and procedures.
Business owners need to keep up with privacy legislation. Failure to do so could harm the company's bottom line. Several different data privacy laws may apply at once, and it's essential to understand any amendments that have been made to them.
Some of the most widely applicable privacy laws include CalOPPA, COPPA, the EU Cookies Directive, the GDPR, and PIPEDA. These laws regulate how companies collect, use and disclose personal data, and failure to comply can result in heavy fines.
That's why it's critical for companies to invest in privacy compliance. By doing so, they can avoid costly penalties and create a foundation for protecting their customers' privacy.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.