27 July 2020
Failing to respect your customers' privacy can result in reputational harm, loss of personal information, and wasted resources. Increasingly, it can also put you in violation of the law, and lead to large fines and legal claims.
No matter where your business operates, there is almost certainly at least one privacy law it must obey.
The headline-grabbing, multimillion-dollar fines available under these laws are real, and they can also affect smaller businesses that do not take proper care of personal information.
We're going to look at possible sanctions under five of the most important privacy laws worldwide.
CalOPPA applies to any "operator" of a commercial website, online service, or app that collects "personally identifiable information" (PII) from consumers in California.
This includes operators based outside of California.
This can add up to many millions of dollars, for example where thousands of consumers download a non-compliant app or visit a non-compliant website. Each download/visit will be an individual violation.
A private legal claim could result in "actual damages," i.e. the amount of money actually lost by the consumer as a result of the operator's CalOPPA violation.
An operator may violate CalOPPA either:
An operator can violate CalOPPA by failing to do one or more of the following things:
The California Consumer Privacy Act (CCPA) has caused thousands of businesses operating in California to review their practices and change the ways they collect, use, and sell consumers' personal information.
While the law is sometimes said to target social media corporations and "data brokers," more and more businesses are coming to realize that the law applies much more broadly.
The CCPA applies to any business operating in California that decides how and why to collect personal information, provided it meets one of the following three thresholds:
This includes companies based outside of California.
Note that a company may fall under the second threshold by using third-party cookies for tracking or analytics purposes.
The CCPA also applies to "service providers" who process personal information on behalf of a business.
The CCPA provides two means by which to sanction non-compliant companies:
Private right of action: Consumers can bring private legal claims against businesses for:
Civil penalties pursued by the Attorney General can be:
A "violation" occurs each time a consumer's rights are violated by the non-compliant business.
So, for example, if a business's website does not provide proper notice of the collection of personal information, a "violation" occurs each time the business collects a consumer's personal information.
Under the private right of action, statutory damages can be an amount of between $100 and $750, per consumer, per incident. An "incident" occurs each time an individual consumer suffers the exfiltration, loss, or theft of their personal information.
Violating any part of the CCPA can result in a civil penalty. Possible violations include failing to:
Claims under the CCPA's private right of action are only available where a business has failed to properly secure personal information, resulting in its access and exfiltration, loss, or theft (i.e. where there has been a data breach).
Businesses must receive 30 days' notice before the Attorney General can pursue a civil penalty, or a consumer can pursue statutory damages. If the business "actually cures" the alleged CCPA violation within this period, the case will not proceed.
An individual consumer bringing a case for actual damages does not need to provide notice.
The United States has notoriously weak privacy law, relying on a patchwork of state-by-state statutes and industry-specific regulations.
The Children's Online Privacy Protection Act (COPPA) is the exception. COPPA applies all over the United States and protects children's privacy across every industry.
COPPA applies to operators of commercial websites, online services, and apps that are directed to children (minors under the age of 13) or knowingly collect the personal information of children.
"Personal information" includes persistent identifiers such as IP addresses and device IDs, which brings targeted advertising to children under the scope of COPPA.
COPPA also applies to content creators using third-party online services such as YouTube. According to the Federal Trade Commission (FTC), when using a third-party platform, "COPPA applies in the same way it would if the channel owner had its own website or app."
COPPA applies to non-US operators that knowingly collect the personal information of children in the United States.
Violating COPPA can lead to a civil penalty under the FTC Act. The maximum penalty is regularly adjusted for inflation and currently stands at up to $43,280 per violation.
In the world of digital advertising, this can add up to some extremely large figures. For example, in 2019, the FTC and Google settled a case for $170 million after YouTube was alleged to have violated COPPA.
There is no private right of action under COPPA. However, this has not prevented parents from pursuing class-action lawsuits against operators, claiming that non-compliance with COPPA provisions has violated their children's civil rights to privacy.
An example is the 2019 case against TikTok, settled for $1.1 million.
An operator can incur a civil penalty by failing to:
The EU General Data Protection Regulation (GDPR) has totally changed the face of the internet and brought hundreds of thousands of businesses worldwide under the jurisdiction of EU privacy law.
The GDPR applies to "data controllers" and "data processors," which can be individuals, non-profits, or businesses of any size.
A "data controller" decides how and why to collect, use, or process personal information. Most businesses are data controllers in respect of some personal information.
A "data processor" processes personal information on behalf of a business.
See our article "GDPR Data Controller vs. Data Processor" for more information.
The GDPR applies to any non-EU company that:
The GDPR continues to apply in the UK despite the country's withdrawal from the EU. Like every EU member state, the UK also has its own privacy legislation. In the UK, this is called the Data Protection Act 2018. This law refers to the GDPR throughout.
The GDPR contains two main monetary sanctions:
Administrative fines issued by the EU's Data Protection Authorities (DPAs). These can amount to:
Data controllers are the main subject of GDPR sanctions and legal claims, as they hold primary responsibility for obeying the GDPR's principles and for facilitating individuals' rights over their personal information.
However, a data processor can also be liable for a penalty or private legal claim if it violates the GDPR's rules for data processors, or if it goes against the lawful instructions of its data controller.
The biggest GDPR fine so far remains the €50 million ($55 million) fine against Facebook by the French DPA.
EasyJet is also facing an £18 billion ($22 billion) class-action lawsuit after a massive data breach in early 2020.
Violation of any part of the GDPR can lead to an administrative fine or private legal action.
Some key GDPR violations include failing to:
The Personal Information Protection and Electronic Documents Act (PIPEDA) is a relatively strict privacy law that applies on a federal level across Canada. In 2018, an amendment introduced fines for non-compliance with certain provisions.
PIPEDA applies to private sector organizations, i.e. any organization or person engaged in "commercial activity."
PIPEDA is federal law that applies to all processing of personal information across borders in Canada. Certain provinces have local privacy laws that override PIPEDA, but in every case these laws are substantially similar to PIPEDA.
Non-Canadian companies with "a real and substantial connection to Canada" also must comply with PIPEDA.
PIPEDA is enforced via fines of up to $100,000 CAD (approximately $73,000 USD) per violation. These fines are initiated by the Office of the Privacy Commissioner (OPC) and pursued by the Justice Department through the federal courts.
Individuals can also pursue private claims for compensation after receiving the OPC's report.
Upcoming changes to PIPEDA are likely to see the OPC empowered to issue fines directly.
Fines are only applicable to violations of PIPEDA's data breach reporting and recording provisions.
Under PIPEDA, organizations must report any breach of consumers' personal information that presents a "real risk of significant harm." They must also inform the individuals affected when it would be reasonable to do so.
Organizations are also required to keep records of all data breaches, whether or not the breach has resulted in a real risk of significant harm.
The privacy laws examined above all apply to any business operating within their jurisdiction, regardless of where the business is based.
This means that, depending on the scope of your business activities, you may have to comply with any or all of these laws.
Some of the sanctions and remedies you need to know about include:
COPPA (United States):
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.