In the past few years, regulations around personal data have become the most exhaustive and strictly enforced in history. Between the California Consumer Privacy Act (CCPA) and the EU's General Data Protection Regulation (GDPR), the monetary and reputational damage from mishandling data has the potential to disrupt even the largest and wealthiest corporations. Because both laws are still relatively new, most companies are still learning how they are applied, and are continually seeking practices that avoid massive fines and, ultimately, protect their brands from lasting public scrutiny.
One way of avoiding a costly violation is acknowledging its possibility and truly understanding potential outcomes. For this purpose, here’s a review of each regulation and the associated penalties and fines.
In effect since 25 May 2018, the GDPR has set the standard for data protection regulation across the globe. It protects the personal data of individuals in the EU (residents and visitors, not only EU citizens), and it applies to any organization, wherever it is established, that offers goods or services to people in the EU or monitors their behaviour. The regulation itself is far-reaching and complex and should be reviewed thoroughly by a qualified legal team, but its objective is fairly straightforward: to comply, a company must be transparent and accountable about how it processes all personal data, and must take proactive technical and organizational measures to protect that data against breaches.
Penalties for violations of the GDPR are notoriously uncompromising. The regulation sets two tiers of maximum fines. Lower-tier infringements (for example, failures in record-keeping, breach notification, or data protection by design) can be fined up to €10,000,000 or 2% of worldwide annual turnover for the preceding financial year, whichever is higher. Upper-tier infringements (violations of the basic processing principles, of data subjects' rights, or of the rules on international transfers) can be fined up to €20,000,000 or 4% of turnover, with the same condition. These figures are ceilings rather than fixed amounts, and supervisory authorities scale a fine to the nature, gravity and duration of the infringement, but while the percentage points may seem modest, a fine anywhere near the maximum could prove fatal for a smaller company and can have a significant impact on the bottom line of a large corporation.
Some notable examples of enforcement include the hotel chain Marriott International and the clothing retailer H&M. In October 2020, the UK Information Commissioner's Office (ICO) fined Marriott £18.4 million (about $23.8 million) over the breach of the Starwood guest reservation database, disclosed in 2018, which exposed guests' names, contact details and reservation information and, for some, passport numbers. Earlier the same month, the Hamburg data protection authority (the competent regulator in Germany, not the ICO) fined H&M €35.3 million for illegally surveilling employees at its service centre in Nuremberg, where managers recorded details of staff members' private lives and health and used them in employment decisions.
In Marriott's case, the ICO's initial notice of intent, issued in 2019, proposed a fine of £99 million (roughly €110 million); the final penalty was reduced after the company made representations and the regulator took account of its remediation steps and the economic impact of the pandemic. The size of the original figure demonstrates the seriousness with which the ICO expects GDPR compliance to be treated. And although a large institution may ultimately absorb a harsh financial penalty, there is no proven method for mitigating a brand's association with a data breach in the eyes of the public.
The CCPA took effect on January 1, 2020, and the California Attorney General's enforcement authority began on July 1, 2020. While the law and its objectives resemble the GDPR's, the legislation continues to evolve (its implementing regulations were finalized only in August 2020, and the California Privacy Rights Act, approved by voters in November 2020, amends it substantially from 2023), so careful measures should be taken to stay current with the language. The law applies to for-profit businesses that do business in California and handle the personal information of California residents, regardless of where the business is headquartered, provided they meet at least one of its thresholds: more than $25 million in annual gross revenue; buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices per year; or deriving 50% or more of annual revenue from selling personal information.
One significant difference between the two laws is how financial penalties are assessed. Each case will vary with the nature of the violation, but the Attorney General can seek civil penalties of up to $2,500 per violation, or up to $7,500 per intentional violation. Separately, consumers whose non-encrypted and non-redacted personal information is exposed in a breach caused by a business's failure to maintain reasonable security practices can sue for statutory damages of $100 to $750 per consumer per incident, or actual damages, whichever is greater. These numbers, deceptively tame in comparison with GDPR fines, should alarm any company managing high volumes of personal data, especially large corporations: the per-consumer figures multiply with the size of the breach, so a breach compromising thousands of consumers (which is not uncommon) can easily cost an organization millions of dollars in damages, before legal fees and remediation.
Another distinctive aspect of the CCPA is the private right of action it gives individual consumers, although that right is limited to data breaches that result from a business's failure to implement reasonable security. More broadly, the legislation exists to let consumers exercise their privacy rights: to know what personal information a business holds about them, to have it deleted, and to opt out of its sale. It requires businesses to respond to verifiable consumer requests within 45 days. Many are concerned that the right of access could itself lead to breaches if a business hands over data in response to a fraudulent request from a third party. For this reason the Attorney General's regulations require a business to verify the requester's identity to a degree of certainty proportionate to the sensitivity of the data before disclosing anything, and prohibit disclosing specific items such as Social Security numbers, driver's license numbers, financial account numbers, account passwords and security questions regardless of verification. Certain provisions of the draft regulations were withdrawn before the final regulations took effect in August 2020, and the law is expected to undergo further amendment. Over the next year we will have a better understanding of how CCPA violations unfold, but lawsuits citing the CCPA have already been filed against well-known corporations such as Amazon, Zoom and TikTok, among others.
The GDPR and CCPA represent a significant threat to any company vulnerable to a data breach, but they also present an opportunity to improve practices and earn the trust, and further business, of consumers. As regulations continue to evolve, companies should be auditing their data practices with increased scrutiny: inventorying what personal data they hold and why, reviewing the access of employees and third-party processors, and validating the mechanisms by which they obtain and record consent and verify and fulfil consumer requests. With data privacy at the forefront of the minds of consumers and litigators alike, it is critical for companies to adopt practices that emphasize security and minimize risk.
Information Commissioner’s Office: https://ico.org.uk/
GDPR Enforcement Tracker: https://enforcementtracker.com/
California Office of Attorney General: https://oag.ca.gov/privacy/ccpa