Data privacy compliance is an essential aspect of modern-day business operations. However, despite the various regulations in place, some companies still fail to comply, exposing themselves to penalties and reputational damage – both of which can have long-term effects on business success.
To illustrate the enforcement of data privacy regulations, it is helpful to examine examples of companies that have been penalized for non-compliance. While there are more examples of EU-based companies facing penalties due to the longer history of data privacy regulation in the EU and higher potential fines, the recent introduction of US state privacy laws means we can expect to see more privacy enforcement actions in the US.
Noncompliance continues to be an issue as companies try to avoid many privacy regulations’ stricter requirements. For instance, Google was fined €150 million ($169 million USD) by French data protection authorities for designing cookie banners to make it easier to accept cookies than to reject them, hoping users would take the simpler option. Additionally, some companies have charged (or attempted to charge) consumers for making data subject access rights requests, which is a violation of the CCPA/CPRA,.
Poor security measures have also led to data breaches, which expose consumer data and often result in enforcement actions. Hanna Andersson, a children’s clothing brand, is a prime example. Their marketing automation system was infected with malware and their clients’ data was stolen. Much of it was later uncovered on the dark web. The resulting CCPA/CPRA lawsuit cost the company $400,000 and forced them to adopt more stringent security practices.
While many of these examples feature big-name companies, small- and medium-sized businesses are also subject to enforcement. An example is Eldon Insurance Services Limited, a UK-based small business that received a £60,000 (approximately $72,000 USD) fine from the ICO for processing consumers’ personal information without their consent. The violation was discovered when the company sent over a million unsolicited marketing emails without obtaining the recipients’ consent to use their data.
As the above examples show, data protection authorities around the world take their jobs very seriously. In Europe, organizations such as the UK’s Information Commissioner’s Office (ICO), France’s Commission Nationale de l’informatique et des Libertés (CNIL), and Ireland’s Data Protection Commission (DPC) have the power to levy fines and penalties. In the US, the enforcement landscape is more fragmented, with state attorneys general and class-action lawsuits being common sources of enforcement. But more and more states are passing their own privacy laws. And with many of these laws taking direct inspiration from the far-reaching and very strict GDPR, we can expect to see significant fines based on US privacy laws too.
To avoid penalties and reputational damage resulting from non-compliance, businesses should prioritize data privacy compliance. This can be achieved through measures such as not charging consumers for DSARs, investing in robust cybersecurity measures, and staying up-to-date with the latest data privacy regulations.
Your company will also need to understand which privacy laws apply to you. Fortunately, we’ve developed a user-friendly privacy compliance software for just that purpose: 4Comply. Contact us for a free demo today.