Most countries around the world now have privacy and data protection laws in place to protect website users and customers online.
Many of these laws require website operators to notify their users of what information the website collects, and for what purpose, among other things.
But what are the penalties if you don't do it?
Laws around the world
First, let's take a look at the US.
The US has no single federal online privacy law. The law with the widest practical reach is the California Online Privacy Protection Act (CalOPPA), because it covers any commercial website or online service that collects personal information from "individual consumers residing in California who use or visit [a] commercial Web site or online service", wherever the operator is based. CalOPPA requires the operator to conspicuously post a privacy policy.
That privacy policy must outline:
- The personal information that is collected through the online service (website or mobile app) and any third parties this information may be shared with
- How users can request changes to any of their information that was collected
- How the operator of the online service will respond to "Do Not Track" requests of users
- Whether other third parties may collect personally identifiable information about users through the service
UK and EU
In the UK and EU, the current law is set out in the EU Data Protection Directive (95/46/EC). In the UK this is implemented by the Data Protection Act 1998.
The EU Data Protection Directive requires:
- Users of websites or online services must be told when their personal data is being collected
- Personal data must only be collected for specified, lawful purposes
- Anything collected must be adequate, relevant and not excessive in relation to the purpose for which it was collected
- The personal data collected must be accurate and, where necessary, kept up to date (in practice users need access to their data to be able to check and correct it)
- Data should only be kept as long as necessary
- The personal data should be kept safe and secure
- Personal data must not be transferred to a country or territory outside the EEA unless that country or territory also ensures an adequate level of protection for the data
The EU law is soon to change, however, with the EU Data Protection Directive being replaced by the EU General Data Protection Regulation.
This Regulation will include:
- More stringent requirements on notifying individuals that their personal data is being collected
- More stringent requirements for processing and retaining personal data
- New roles, such as Data Protection Officers and EU Representatives
- Broader scope, in that it applies to anyone collecting or processing the personal data of individuals in the EU, not just businesses based in the EU
- Increased penalties for non-compliance
Let's take a look at those penalties now, for both the EU and the US.
Penalties for non-compliance
We'll start with CalOPPA.
CalOPPA is set out in the California Business and Professions Code, Division 8, Chapter 22, sections 22575-22579. CalOPPA has no enforcement provisions of its own, so claims are expected to be brought under the "unfair competition" provisions of the same Code (section 17200 and following).
Those provisions state that "Any person who engages, has engaged, or proposes to engage in unfair competition shall be liable for a civil penalty not to exceed two thousand five hundred dollars ($2,500) for each violation". Because the penalty is counted per violation, the exposure for a widely used website or app adds up quickly.
The California Attorney General has already brought one such claim, against Delta Air Lines over its mobile app, seeking $37,500,000 in penalties. The case was dismissed on unrelated grounds (federal pre-emption under the Airline Deregulation Act), but the next operator sued may not be so lucky.
In the UK and EU, the situation is a little bit different.
Under the EU Data Protection Directive, each member state must implement its own law, including its own sanctions, so the penalties differ by jurisdiction. In the UK, the Data Protection Act allows the Information Commissioner's Office to impose fines of up to £500,000 for serious breaches.
In France, the regulator, the Commission Nationale de l'Informatique et des Libertés (CNIL), can impose a financial sanction of up to EUR 150,000 for a first violation and up to EUR 300,000 for a second violation within five years of the first.
Google fined by Regulators
CNIL used that maximum in January 2014, fining Google EUR 150,000 over the consolidated privacy policy Google had introduced across its services. Google has since reworded its privacy policy.
The following wording is completely new, and was added to the "How we use the information we collect" section. Google also fleshed out its section on cookies.
(Screenshots of the two updated sections are not reproduced here.)
Both of these new sections explain quite clearly how users' data may be used in Google's services, and the phrases underlined with dotted lines carry explanatory notes.
Fines under the EU GDPR
With the new EU General Data Protection Regulation (GDPR), the penalties for non-compliance can reach EUR 20 million or 4% of worldwide annual turnover, whichever is higher.
The requirements of the GDPR are stricter than those of the Directive, and they apply to a much broader group of organisations, since any business processing the personal data of individuals in the EU is within scope, not only businesses established in the EU.