Last updated on 21 May 2022 by Jaclyn Kilani (Legal writer at TermsFeed)
Under the General Data Protection Regulation (GDPR), for the first time in history, fines for privacy infringement in the EU could reach into the tens of millions of euros. Needless to say, noncompliance isn't worth it.
This article will break down the articles of the GDPR that deal with penalties of noncompliance. It will also provide some useful examples of GDPR violations that are easy to overlook but luckily also easy to resolve and remedy.
Privacy fines are not a new concept. In recent years, more and more businesses have been taken to court for compromising consumer privacy.
It is evident that privacy penalization has been coming into the limelight for years as tracking and advertising technologies become more intrusive and advanced.
The GDPR will be the first regulation that sets the standards for administrative fines on internet privacy quite so high. It remains to be seen how often and how meticulously the European Union will enforce these new statutes.
The GDPR is a massive legal document, but here's an ultra-condensed summary of some of its most notable measures:
Certain companies that process massive amounts of personal data, like social media networks and data processing firms, will need to follow many additional stipulations.
Although the regulation will only apply to the personal data of EU residents, the GDPR will be enforced upon any business in the entire world that collects that information.
Since the internet is international by its very nature, there is no way to avoid compliance, at least as far as EU user data is concerned. Unless you can guarantee that no EU resident will ever visit your website or app, it is in your best interest to comply. The EU is a major world power, and most developed countries are prepared to cooperate with it to enforce the GDPR.
In order to manage the investigation and enforcement of the GDPR, a Data Protection Authority will be designated in each EU member state as the supervisory authority.
These supervisory authorities will be appointed by government officials in each member state and manage the day-to-day enforcement of the GDPR. You might think of them as the GDPR police.
EU consumers will have the option to submit privacy complaints directly to supervisory authorities. These are also the authorities you must report to in the case of a data breach involving EU user information. They will have full powers to investigate and correct GDPR infringements. In other words, they can dole out fines.
Under Article 58 Section 2 of the GDPR, supervisory authorities may take any of the following corrective actions in the case of EU consumer privacy infringement:
While most of the administrative corrections listed above are feasible and relatively simple for the affected businesses to comply with, it's the administrative fines that have online businesses the world over scrambling to meet GDPR requirements.
For the first time ever, fines for privacy violations could reach amounts of €20 million or more.
Article 83 deals with the general conditions for imposing administrative fines. Section 4 lists out what types of infringements come with a fine of up to €10 million or 2% of the company's global annual turnover, whichever is higher.
This tier of fines can apply if the following infringements occur:
Section 5 of Article 83 outlines what infringements come with higher fines of up to €20 million or 4% of the company's global annual turnover, whichever is higher.
This tier of fines can apply if the following infringements occur:
Section 2 of Article 83 provides a list of criteria for the supervisory authorities to consider when determining the amount of the fine to be imposed:
As you can see, a variety of factors will affect each individual case including aggravating and mitigating factors, how negligent or intentional the violation was, past violations, etc.
It is important to note that fines and penalties are supposed to be fair and proportionate to each individual infraction. If your violation of the GDPR is an honest mistake and you make reasonable efforts to mitigate it, your fine will not be at the top of the spectrum.
Although it is not possible to show visual examples of every kind of infraction, below you can see a few very obvious violations.
Valid consent is one of the cornerstones of GDPR compliance. Violations are not difficult to spot.
The McDonald's registration form does not give users an opportunity to provide their express and unambiguous consent for marketing communications; in this form, consent is assumed when a user registers for an account:
Although Apple's registration form includes marketing consent checkboxes, this method of consent is not considered freely-given because the boxes are pre-ticked by default:
TechTarget's Cookies Policy includes the following terminology: "By continuing to use the site, you agree to the use of cookies."
This is implied consent and will not be considered legal under the GDPR. Consent for most types of cookies must be obtained via a clear action on the part of the user, such as the click of a button or tick of a checkbox.
The same goes for Privacy Policies. The kind of browsewrap agreement demonstrated in the PokerStars Privacy Policy below is also implied consent and in violation of the GDPR:
In order for a user to validly consent to the Privacy Policy they must click an agreement button or tick a checkbox.
Another fine-worthy infringement is the failure to provide a clear, easy-to-understand Privacy Policy. The long-winded, confusing legalese that was so common in Privacy Policies of the past will no longer be accepted.
Ironically, it may be government agencies that will have the hardest time with this requirement:
This is the introduction to the Privacy Policy of U.S. Citizenship and Immigration Services (USCIS). The language is unnecessarily complex and dense.
Although it is still unclear how serious these types of infractions will be, it is advisable to ensure your Privacy Policy is written clearly in simple language.
Accessibility to the Privacy Policy as well as to a user's choices regarding their personal information is a key point in the GDPR.
For example, the Privacy Policy should be prominent and easy-to-find within the business's website or mobile app.
In addition, a user should have easy access to their own personal information and consent choices. According to the GDPR, "It shall be as easy to withdraw consent as to give it."
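The consent rules above (no consent assumed on registration, no pre-ticked boxes, no "continued use" consent, and withdrawal as easy as granting) can be enforced in code rather than left to the form designer. The following is an added JavaScript example, not code from this article or from TermsFeed; the class, purpose names and event shapes are hypothetical, and the timestamps and events in `demo()` are constructed.

```javascript
// Added example, not from the TermsFeed article: a small consent ledger that
// only records consent from an affirmative user action, defaults to "no consent",
// and makes withdrawal as easy as granting. All names are hypothetical.

const PURPOSES = new Set(["marketing_email", "analytics_cookies"]);

// Evidence of consent must be an explicit act by the user. Implied signals
// such as "account registered" or "continued use of the site" are never accepted.
const AFFIRMATIVE_ACTIONS = new Set(["checkbox_ticked", "button_clicked"]);

class ConsentLedger {
  constructor() {
    this.records = new Map(); // "<userId>:<purpose>" -> consent record
  }

  key(userId, purpose) {
    return `${userId}:${purpose}`;
  }

  // Default state: no consent for any purpose until the user grants it.
  hasConsent(userId, purpose) {
    const rec = this.records.get(this.key(userId, purpose));
    return Boolean(rec && rec.granted);
  }

  // Record consent. `evidence` is { action, prechecked, at } captured from the
  // form; in a browser, `prechecked` would be read from the checkbox's
  // defaultChecked property (true when the markup carried a `checked` attribute).
  grant(userId, purpose, evidence) {
    if (!PURPOSES.has(purpose)) {
      throw new Error(`unknown purpose: ${purpose}`);
    }
    if (!evidence || !AFFIRMATIVE_ACTIONS.has(evidence.action)) {
      throw new Error("consent requires an affirmative user action");
    }
    if (evidence.prechecked) {
      throw new Error("a pre-ticked box is not freely given consent");
    }
    const rec = {
      userId, purpose, granted: true,
      grantedAt: evidence.at, withdrawnAt: null,
      action: evidence.action,
    };
    this.records.set(this.key(userId, purpose), rec);
    return rec;
  }

  // Withdrawal is a single call with no extra conditions, mirroring "as easy
  // to withdraw consent as to give it". Returns false if there is nothing to withdraw.
  withdraw(userId, purpose, at) {
    const rec = this.records.get(this.key(userId, purpose));
    if (!rec || !rec.granted) return false;
    rec.granted = false;
    rec.withdrawnAt = at;
    return true;
  }
}

// Walk through the article's three consent failures with constructed events.
function demo() {
  const ledger = new ConsentLedger();
  const results = {};

  // 1. Consent assumed on registration (no affirmative act): rejected.
  try {
    ledger.grant("u1", "marketing_email", { action: "account_registered", at: "2022-05-21T10:00:00Z" });
    results.assumedConsent = "accepted";
  } catch (e) {
    results.assumedConsent = "rejected";
  }

  // 2. Box was ticked at submit time, but it was pre-ticked by default: rejected.
  try {
    ledger.grant("u1", "marketing_email", { action: "checkbox_ticked", prechecked: true, at: "2022-05-21T10:00:30Z" });
    results.prechecked = "accepted";
  } catch (e) {
    results.prechecked = "rejected";
  }

  // 3. User ticks an unticked box: recorded; then withdraws with one call.
  ledger.grant("u1", "marketing_email", { action: "checkbox_ticked", prechecked: false, at: "2022-05-21T10:01:00Z" });
  results.afterGrant = ledger.hasConsent("u1", "marketing_email");
  results.withdrawn = ledger.withdraw("u1", "marketing_email", "2022-05-21T10:05:00Z");
  results.afterWithdraw = ledger.hasConsent("u1", "marketing_email");
  return results;
}
```

The point of keeping `prechecked` as its own field is that a ticked box at submit time tells you nothing about whether the user ticked it; the ledger refuses to record consent unless the form reports the box started unticked. Storing the action and timestamp gives you the record a supervisory authority would ask for when assessing whether consent was valid.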
Here is an example of noncompliance with these accessibility requirements and others.
When you go to the Glamour homepage, there is no immediately visible link to the Privacy Policy in the standard footer links list. There are, however, three visible links for a user to sign up for marketing emails:
When you do finally locate the Privacy Policy, you see it is linked for users, but it's linked as part of a statement that says, "Use of this site constitutes acceptance of our [...] Privacy Policy."
As with the other examples of bad consent, you can see why this absolutely violates the consent requirement of the GDPR.
Further, usually the Privacy Policy would provide instructions on how to unsubscribe from marketing communications, especially since Glamour makes it so easy for you to enter your email address and subscribe.
However, after finally locating the Privacy Policy as part of the implied consent statement, a user would see that the Policy does not provide instructions on how to access personal data or change marketing communication preferences:
The above examples demonstrate a range of infringements that may attract a range of different penalties, from warnings to fines. When a combination of infringements is found, or if a business commits repeat offenses, the larger fines could start rolling in.
Make sure your Privacy Policy is up to date and includes GDPR-required information, is written in an easy-to-understand way, and that you get the appropriate level of consent whenever you collect personal information. Do these things and incorporate sound privacy practices into your business and you should avoid being penalized.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.