Facebook and Others Hit With Privacy Fines - What You Should Be Concerned About
Facebook has received a number of recent privacy complaints, with repercussions ranging from increased public scrutiny to monetary fines, including a €500,000 ($644,000) fine by the UK’s Information Commissioner’s Office (ICO) in 2018 – the maximum penalty under the UK’s data protection legislation. The fine was levied after the ICO found that Facebook failed to keep the personal information of its users secure by allowing third-party developers access to user information without user consent. One such third-party developer was able to convince 300,000 people to install a personality testing app that collected data from each user and their friends. This allowed the data of around 87 million profiles to be gathered worldwide without users’ knowledge.
In light of the Facebook scandal and others, consumers have become wary and distrustful of the way companies use their data. Various other platforms such as Exactis, Polar, Panera Bread, MyFitnessPal, and Google+ have experienced privacy breaches similar to Facebook’s that left the personal information of millions of Americans exposed. The frequency of these breaches yields more distrust from the public and, in turn, outrage and demands to hold companies accountable for their mistakes.
Why should American companies be concerned about privacy laws around the world?
There are numerous privacy laws around the world, but EU privacy laws are the most important non-U.S. laws for American companies. In fact, you may be subject to EU data privacy regulations if you do business in the EU or even if you merely collect any personal information from EU citizens.
Most importantly, the EU’s General Data Protection Regulation, commonly referred to as the GDPR, places heavy demands on companies that collect and use personal information. This regulation went into effect on May 25, 2018, and failure to comply can result in costs totaling nearly $25 million or 4% of global revenues, whichever is greater. Importantly, the GDPR requires that companies provide “clear and transparent” notice about how customer data will be used. A company’s Privacy Policy must now explain how data is being collected and used in a way that is easily understood by users. For further reading on the GDPR, see our deeper discussion from when it was first enacted here.
U.S. laws will likely be getting stricter.
As for U.S. companies that do not do business in the EU or collect information from EU citizens, you should still begin preparing for the future. Regulation is rapidly being introduced at the state and federal levels to ensure data is being protected. The GDPR is likely a sign of future U.S. regulation as well.
In response to the Facebook scandal and the GDPR, California passed its own privacy law to bolster consumer trust in companies as well as to hold executives accountable for their mistakes. The California Consumer Privacy Act (CCPA) was signed into law in June 2018, and its goal is to give consumers more control over their personal information by:
Giving the consumer the right to know what personal information a business has collected from them, where it was from, and what it is being used for;
Giving the consumer the right to “opt out” of allowing a business to sell their personal information to third parties;
Giving the consumer the right to have their personal information deleted by the business; and
Giving the consumer the right to receive equal service and pricing, even if they exercise their privacy rights under the Act.
“Personal information” in the CCPA is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The essence of the California law is similar to the GDPR – it is aiming for transparency. The Act permits a private right of action in the case of a data breach as well as administrative penalties. Any violator can be fined anything up to 4% of revenues. The CCPA will take effect on January 1, 2020.
Eleven other states have followed California and implemented legislation similar to the CCPA. In response to the increased state legislation and the GDPR, Congress has introduced several bills including the Consumer Data Protection Act (CDPA). The proposed bill, introduced by Senator Ron Wyden, would provide:
Increased control for consumers by allowing them to review all their personal information that has been stored with companies and how it is being used
A uniform regulatory standard for privacy law across the United States, applying to all companies that generate over $50 million in annual revenues and collect personal information on over one million consumers
The bill also increases the Federal Trade Commission’s (FTC) power to monitor and administer penalties.
The penalties under this bill are similar to those under the CCPA but also include the possibility of jail time, in addition to fines, for executives who mishandle consumer data.
Although this bill has not been passed yet, companies should start preparing for the inevitable. Regulations are shifting toward a more consumer-friendly environment.
What you can do.
The best thing a company can do to avoid future risk is to revise its Terms of Use and Privacy Policies to align with the new GDPR and the CDPA. Copying and pasting old policies in-house or from another source may lead to harsher penalties in the future than not having a policy at all. In 2019, consumers are hyper-aware of their information and how it is being used in cyberspace. It is imperative for companies to be forward-thinking and to tailor their Privacy Policy and their actions to the new regulations.
Compliance with these new regulations can be complex, but it is crucial for companies to conform to the impending requirements going forward. Contact us if you have any questions about your Privacy Policy.