Survey after survey shows that even though the California Consumer Privacy Act (CCPA) became effective on January 1st, many affected companies are still not fully prepared to comply with the data privacy regulation. Although CCPA’s predecessor, the General Data Protection Regulation (GDPR), is specific to EU data subjects, it may offer some insight into the potential consequences for those who have not yet come to terms with the CCPA’s new compliance standards. Here are some examples of GDPR violations since 2018, the hefty penalties levied, and tips on how these outcomes could have been mitigated.
1. Not obtaining customer consent to use data, or not sufficiently fulfilling information obligations.
Consent is one of the fundamental premises of the GDPR, demonstrated by Google’s €50 million fine for “lack of transparency, inadequate information, and lack of valid consent regarding the ads personalization.” Information about data gathered by Google wasn’t easily accessible to users, and when the information was provided, it wasn’t comprehensive or clear enough for users to understand.
La Liga was fined €250,000 for a mobile app that allowed the remote activation of the phone’s microphone to listen for football games being shown in sports bars. Users were not told that, by combining this with location data, La Liga could check whether the venue had paid for permission to broadcast the game, and they were not notified that their phone’s microphone would be in use.
Tip: Explain your data practices in a way that allows users to easily understand what data is being collected and what their data will be used for—this requires you to be transparent, straightforward, and comprehensive.
2. Insufficient legal basis for data processing.
In October 2019, the Hellenic Telecommunications Organization was fined €200,000 on two counts: contacting subscribers on a do-not-call registry without permission, and misleading recipients of advertising messages with an unsubscribe link that did not actually unsubscribe.
A large consulting firm was subject to a hefty fine for a similar issue: it had required consent for the processing of employees’ personal data and then had given those employees the impression that their data was being processed for one reason, when it was really being used for another reason entirely.
Tip: Regularly check that your unsubscribe button actually unsubscribes. Also be sure that the reason you’re giving for gathering consent matches the actual use. Data collected can only be used for an overtly stated purpose and cannot be recycled for other needs.
3. Not conducting sufficient due diligence on data privacy and security protocols.
After an acquisition, a large hotel chain discovered that the central reservation database of its newly acquired subsidiary had been hacked, exposing five million unencrypted passwords and eight million credit card records and impacting 30 million EU residents. By neglecting to perform sufficient due diligence, the brand inherited both the breach and a fine of nearly £100 million.
Tip: It’s vital to do thorough data privacy and security due diligence during any M&A process. Investing in auditing and improving the protocols of your own company, and of any company you are looking to partner with or acquire, is far less expensive than inheriting a breach and the fine that follows it.
More penalties than just fines
With GDPR and CCPA, organizations can be held financially accountable for mismanagement of data. But damages can be more than monetary: the reputational damage from a breach results in a breakdown of consumer trust that is incredibly challenging to regain.
Thankfully, it’s easier to avoid all that collateral damage by learning from others’ mistakes. Every organization must take full responsibility for protecting the personal data it holds and guarding it like the precious asset it is.
Although additional guidance on CCPA continues to trickle out, you may still have some unanswered questions around compliance.