Have you noticed the increasingly complex cookie disclosure forms popping up on even the most unassuming websites? These expanded forms aren’t present because digital businesses have suddenly decided that informing customers about their data collection practices is an ethical imperative. Instead, these companies are most likely working with customers in both the U.S. and the EU, and they face significant backlash if they aren’t following strict transparency rules.
These GDPR rules define potentially devastating penalties for unassuming companies, and these penalties can come for the most unexpected reasons–if you don’t know the rules.
What Is the General Data Protection Regulation (GDPR)?
GDPR is a data privacy and security standard with jurisdiction in the European Union (EU), founded on putting consumers’ rights over their personal information first.
In some cases, these standards are rather restrictive, especially when compared to other standards worldwide. In other cases, however, these laws create a clear understanding of how businesses must interact with customers in a more equitable and respectful data marketplace.
At the heart of the law are seven principles of data protection. These principles are:
- Lawfulness, Fairness, and Transparency: Businesses must process consumers’ personal data lawfully, fairly and transparently. Data processing must occur within the lawful boundaries of GDPR.
- Purpose Limitation: Personal information may only be collected and processed for clearly specified purposes, made explicit to the consumer and for no reason other than those purposes.
- Data Minimization: Businesses may only collect personal information that is relevant and adequate for the stated purposes of that collection, and may not collect data for future processing purposes (including sale to third parties).
- Accuracy: Businesses must take any reasonable, necessary step to ensure accurate customer data. This includes promptly updating consumer data if and when consumers contact the business to update their information.
- Storage Limitation: Stored data shall only be stored so long as it is needed for stated business purposes (with certain exceptions for historical or research applications). Otherwise, the business must delete the data once it has fulfilled its purpose.
- Integrity and Confidentiality: A business must implement security, privacy and integrity controls so that consumer data remains confidential and protected against unauthorized disclosure, theft, alteration, or destruction.
- Accountability: All businesses operating within EU jurisdiction must demonstrate compliance with GDPR through practices like creating dedicated Data Protection Officer (DPO) positions, inventorying data systems, and performing assessments and audits.
While the GDPR regulations break down these principles into finer details, it is within these line items that compliance and penalties are assessed.
What Are the Fines Associated with GDPR Non-Compliance?
To put it bluntly, GDPR fines are no joke. Part of what makes compliance with GDPR requirements so important is that fines levied aren’t rated on a flat scale. As such, it’s much more difficult for vastly wealthy businesses to avoid significant penalties.
Generally, GDPR divides its penalty structure into two tiers:
- Lesser Infringements apply to regulations for securing and protecting data and laws around organizations that certify and monitor businesses under GDPR. In this lesser tier, non-compliance could result in fines up to €10 million or 2% of the company’s worldwide annual revenue, whichever is higher.
- Serious Infringements apply to any breach of the foundational principles of GDPR, including failure to process data lawfully and transparently; failure to maintain accurate consumer data; failure to process data securely and well within defined business purposes; disregarding the rights of consumers to know and correct the data collected by your business; or transfer of data to third parties outside the EU to avoid GDPR jurisdiction. Penalties at this tier may result in fines of up to €20 million or 4% of the company’s worldwide annual revenue, whichever is greater.
While 2%-4% may not seem like much, this fine is per event. And, within EU regulations, some of the most significant fines come from failure to maintain honesty and transparency with consumers, including attempting to obfuscate data collection purposes or process data outside the bounds of clearly-defined business purposes.
What Are Some of the Highest GDPR Fines (as of 2022)?
It may not be surprising to many of us, but lately, tech companies have started increasing their data-gathering processes to incredible, perhaps unethical levels. For businesses outside of the EU, the cost of maintaining a presence within the EU has been a scaling back or mitigation of collection processes that are accepted elsewhere.
This has led, in turn, to some of the most significant fines for tech companies that we’ve seen. Some of the most expensive fines, as of June 2022, are the following:
- Amazon: In 2021, Amazon announced in an earnings report that it had been levied a fine totaling €746 million, based on disclosures (or lack thereof) connected to data collecting and processing practices.
- WhatsApp: A few months after the Amazon fine, Ireland levied another penalty against WhatsApp for lack of legal justification of their data processing practices. Their total fine amounted to €225 million.
- Google (Ireland): The French data protection authority fined Google Ireland €90 million on January 6, 2022 for failing to give users a proper option to refuse cookies. In short, Google made it much simpler for users to accept marketing cookies than to refuse them (a common tactic for businesses attempting to circumvent GDPR rules).
- Facebook (Meta): Much like Google Ireland, Facebook (Meta) earned a €60 million fine for building cookie acceptance forms that seemed to provide no option to refuse cookies.
- Google: A familiar face in GDPR fines, Google received this €60 million fine as a parallel penalty to its sister office (Google Ireland) for improper and opaque cookie forms.
There has been some criticism of how consistently penalties are applied across the EU, but this criticism seems to lead certain jurisdictions to seek more drastic penalties for non-compliance. Case in point: the top penalty (Amazon) is almost double the next four penalties combined.
Maintain GDPR Compliance With Lazarus Alliance
Businesses with any foothold in a country within the EU are already facing the pressure of GDPR compliance. Audit logging, critical privacy controls, consent and opt-in forms and more are all part of this package, and any bit of data you collect from customers in the EU must adhere to this compliance structure.
It’s important to understand that you don’t have to go it alone. The experts at Lazarus Alliance can help.
Working With GDPR Compliance Requirements?
Call Lazarus Alliance at 1-888-896-7580 or fill in this form.