01 February 2020
Most countries around the world now have privacy and data protection laws in place to protect website users and customers online.
Many of these laws require website operators to notify their users of what information the website collects, and for what purpose, among other things.
But what are the penalties if you don't do it?
First, let's take a look at the US.
The primary data protection law for users of online websites in the US is the California Online Privacy Protection Act (CalOPPA). It protects "individual consumers residing in California who uses or visits [a] commercial Web site or online service", and requires the operator of the website or service to comply with certain rules.
It must outline:
In the UK and EU, the current law is set out under the EU Data Protection Directive. In the UK this is implemented by the Data Protection Act 1998.
The EU Data Protection Directive requires:
The EU law is soon to change, however, with the EU Data Protection Directive being replaced by the EU General Data Protection Regulation.
This Regulation will include:
Let's take a look at what the penalties are if you don't comply with these laws, for both the US and the EU. We'll start with CalOPPA.
CalOPPA is set out in the California Business and Professions Code, under chapter 22, sections 22575-22579. CalOPPA doesn't have enforcement provisions of its own, but it is expected that any claims will be brought under the "unfair competition" provisions of the Code.
These provisions state that "Any person who engages, has engaged, or proposes to engage in unfair competition shall be liable for a civil penalty not to exceed two thousand five hundred dollars ($2,500) for each violation".
The California Attorney-General has already brought one claim against Delta Airlines, seeking $37,500,000 in fines. The case was dismissed on grounds unrelated to the privacy policy itself (the court held that the state-law claim was pre-empted by federal airline law), but the next entity claimed against may not be so lucky.
In the UK and EU, the situation is a little bit different.
Under the EU Data Protection Directive, each member state is required to implement its own national law, including its own sanctions. The UK Data Protection Act allows fines of up to £500,000 for serious breaches, and each EU member state's legislation sets different penalties and fines depending on the jurisdiction.
In France, the French Regulator, the Commission Nationale de l'informatique et des libertés (CNIL) can order a financial sanction up to EUR 150,000 for the first violation, up to EUR 300,000 for a second violation within 5 years of the first.
With the new EU General Data Protection Regulation (GDPR), the penalties for non-compliance can be up to EUR 20 million or 4% of annual worldwide turnover, whichever is higher.
The requirements of the EU GDPR are stricter than those of the Directive, and they apply to a much broader group of organisations, including many based outside the EU that process the personal data of people in the EU.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.