Fines for not having a Privacy Policy

Fines for not having a Privacy Policy

Most countries around the world now have privacy and data protection laws in place to protect website users and customers online.

Many of these laws require website operators to notify their users of what information the website collects, and for what purpose, among other things.

A common way to cover these requirements is by setting up a website Privacy Policy.

But what are the penalties if you don't do it?

We'll look at the requirements of the laws in the US, UK, and EU, and examine what penalties there are for non-compliance. In most cases, you can be fined for not complying with the law, although in some cases it's more the lack of notification to the user, not exactly for not having a Privacy Policy.


Laws around the world

United States

First, let's take a look at the US.

The primary data protection law for users of online websites in the US is the California Online Privacy Protection Act (CalOPPA). It protects "individual consumers residing in California who uses or visits [a] commercial Web site or online service", and requires the operator of the website or service to comply with certain rules.

One of the main requirements it sets out is that the operator of the website or online service must "conspicuously post its privacy policy on its Web site, or in the case of an operator of an online service, make that policy available".

It must outline:

  • The personal information that is collected through the online service (website or mobile app) and any third parties this information may be shared with
  • How users can request changes to any of their information that was collected
  • How the operator will let users know that the Privacy Policy has changed
  • The date on which the Privacy Policy agreement is effective
  • How the operator of the online service will respond to "Do Not Track" requests of users
  • Whether other third parties may collect personally identifiable information about users through the service

UK and EU

In the UK and EU, the current law is set out under the EU Data Protection Directive. In the UK this is implemented by the Data Protection Act.

The EU Data Protection Directive requires:

  • Users of online websites or services must be told when you are collecting their personal data
  • Personal data must only be collected for specific, lawful reasons
  • Anything collected should be relevant to the purpose for which it was collected
  • The personal data collected should be kept up to date
  • The personal data collected should be kept accurate (users will need access to the data to be able to keep it accurate and up to date)
  • Data should only be kept as long as necessary
  • The personal data should be kept safe and secure
  • Personal data must not be transferred to a country or territory outside the EEA unless that country or territory also ensures an adequate level of protection for the data

The EU law is soon to change, however, with the EU Data Protection Directive being replaced by the EU General Data Protection Regulation.

This Regulation will include:

  • More stringent requirements on notifying individuals about their personal data being collected more stringent requirements for processing and keeping personal data
  • New roles, such as Data Protection Officers and EU Representatives
  • Broader scope, in that it applies to anyone collecting or processing the data of EU citizens, not just businesses based in the EU
  • Increased penalties for non-compliance

Let's take a look at those penalties now, for both the EU and the US.

Penalties for non-compliance

Let's take a look at what the penalties are if you don't comply with these laws. We'll start with CalOPPA.

CalOPPA is set out in the California Business and Professions Code, under chapter 22, sections 22575-22579. CalOPPA doesn't have enforcement provisions of its own, but it is expected that any claims will be brought under the "unfair competition" provisions of the Code.

These provisions state that "Any person who engages, has engaged, or proposes to engage in unfair competition shall be liable for a civil penalty not to exceed two thousand five hundred dollars ($2,500) for each violation".

Given that a violation would occur every time a user accessed the website or online service without the Privacy Policy, these fines could be quite hefty.

The California Attorney-General has already brought one claim against Delta Airlines for $37,500,000 in fines. The case failed on unrelated grounds, but the next entity claimed against may not be so lucky.

In the UK and EU, the situation is a little bit different.

Under the EU Data Protection Directive, individual laws (including sanctions) are required to be implemented in each country. The Data Protection Act allows fines of up to £500,000 for serious breaches, and each individual EU member states' legislation contains differing penalties and fines depending on the jurisdiction.

In France, the French Regulator, the Commission Nationale de l'informatique et des libertés (CNIL) can order a financial sanction up to EUR 150,000 for the first violation, up to EUR 300,000 for a second violation within 5 years of the first.

Google fined by Regulators

In the past, Google was fined €150,000 by the French regulator as the Privacy Policy did "not sufficiently inform its users of the conditions in which their personal data are processed, nor of the purposes of this processing".

This wasn't a fine for not having a Privacy Policy, but for having one that was not good enough.

It was not only France who fined Google for these issues but also Spain, who levied a maximum fine of €900,000 against Google. The Dutch and Italian regulators also threatened fines. In the UK, the Information Commissioner's Office decided not to prosecute as long as Google changed their Privacy Policy agreement in a timely manner.

As a result, Google made changes to their Privacy Policy, and added further information in a number of sections. The two most extensive changes were in relation to the use of Google account data, and how information from cookies is used. Have a look at the new sections below:

Account Data clause in Privacy Policy of Google

This wording is completely new, and was added to the "How we use the information we collect" section. Google also fleshed out their section on cookies:

Cookies clause in Account Data clause in Privacy Policy of Google

You can see that both of these new sections explain quite clearly how users' data may be used in Google's services. The areas of the sections underlined with dotted lines also have explanatory notes, like this:

Explanatory notes in Privacy Policy of Google

The explanatory notes provide additional information for Google's users, which makes their Privacy Policy more likely to now meet EU requirements for describing how it uses people's personal data.

Fines by EU GDPR

With the new EU General Data Protection Regulation (GDPR) the penalties for non-compliance can be up to 4% of global turnover.

This isn't a penalty for not having a Privacy Policy per se, but more failing to comply with the data protection requirements of the Regulation. However, if you didn't have a Privacy Policy or similar document, it would be very difficult to comply, which makes it a moot point.

The requirements of the EU GDPR are stricter than the Directive and apply to a much broader group of people.

While a Privacy Policy may not appear important at a first look, if you haven't got one or you haven't got yours right, you may be in violation of the law. This violation is not just an empty wrongdoing, either - you may be subject to hefty fines in your jurisdiction.

If you're based in the US or EU, ensure that you've got a Privacy Policy in place that meets the requirements of CalOPPA or the General Data Protection Regulation, or you could be exposed to huge liabilities. If even Google can get caught, so can you.

Leah H.

Leah H.

Qualified Solicitor. Writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.