The data privacy movement isn’t going away in 2023. It continues to gain ground following a year in which enforcement activity ramped up and record fines were handed out, led by regulatory action from the European Union’s General Data Protection Regulation (GDPR). In a possible sign of things to come, last year also saw the first fine handed out under the California Consumer Privacy Act (CCPA).
But U.S. businesses would be remiss to think that the GDPR and CCPA are the only privacy laws that could impact them moving forward. Data privacy is a global movement, with cross-border laws cropping up in jurisdictions worldwide. Companies that rely on consumer data face new challenges—and new opportunities—heading into what should be another action-packed year in privacy regulations.
Top GDPR fines against U.S. businesses in 2022
The General Data Protection Regulation (GDPR) is the best-known privacy law, and arguably the most feared. In force since May 2018, it gives each member state a data protection authority empowered to issue fines of up to 4% of a company’s global annual turnover or up to €20 million, whichever is higher, for breaking the law.
GDPR enforcement has steadily ramped up, from 16 fines in 2018 to 302 in 2020, including several in the €20 million to €50 million range. Last year, European authorities fined businesses more than €830 million ($881 million) for GDPR violations. That’s lower than the €1.3 billion paid in 2021, but 2022 stands out for the emphasis on a single company.
Meta’s Very Bad Year
Meta Platforms Inc., the owner of Facebook, WhatsApp, and Instagram, paid over 80% of the GDPR fines levied in 2022, including fines of €405 million, €282 million, and €17 million from Ireland’s Data Protection Commission and a €60 million fine from the French authority. To date, Meta has paid approximately €1 billion for GDPR violations.
Meta has reportedly set aside 3 billion for EU privacy fines in 2022 and 2023. Early in 2023, the Irish Data Protection Commission (DPC) fined Meta €210 million (Facebook) and €180 million (Instagram) in decisions on complaints about how the company handles user data. That’s far less than the €2 billion in fines some were expecting, but in a more damaging blow to Meta’s targeted advertising-based revenue model, the DPC ruled that Meta cannot rely on its contract with users as the legal basis for processing Europeans’ data for behavioural advertising.
In the decision, the DPC said Meta could not bundle users’ agreement to data collection into its terms of service. This amounted to forced consent from Facebook and Instagram users, who had to choose between accepting data collection and losing access to the platforms, the DPC announced.
The decision has impacts far beyond Meta. It is a clear shot across the bow for companies that use personal data in targeted advertising without meeting the GDPR’s principles of transparency and consent.
Other Big GDPR Fines From 2022
Meta was the company hardest hit by GDPR fines in 2022, but it was hardly the only U.S.-based company to run afoul of EU data regulators. Other notable GDPR fines aimed at U.S. firms in the past 12 months include:
- Clearview AI—€20m: The Manhattan-based facial recognition company Clearview AI received not just one €20m GDPR fine, but three. The separate fines were issued by authorities in Italy, Greece, and France. Specific violations included breach of transparency obligations, collecting biometric data without a legal basis, and failing to appoint an EU representative under Article 27. British authorities imposed a further fine of roughly €9m (£7.5m) under the UK GDPR for failing to have a lawful basis for data collection. The collective fines should serve as a reminder that the GDPR imposes higher data protection standards for biometric and other “sensitive” data.
- Google LLC—€10m: The Spanish data protection authority fined Google €10m for violating Article 6 of the GDPR (lawfulness of processing) and Article 17 (“right to be forgotten”). Spanish authorities said that Google transferred data to a third party, the legal database Lumen Project, without providing subjects with an opt-out mechanism for such communications. Google also allegedly made it difficult for users to submit requests for the removal of the content.
- Discord Inc.—€800,000: French authorities fined the VoIP and instant messaging platform Discord €800,000 for breaching GDPR Article 5 (no written data retention policy), Article 13 (not providing information about data retention periods), Article 25 (failure to ensure data protection by default), Article 32 (failure to ensure the security of personal data), and Article 35 (failure to perform a data protection impact assessment).
- Alpha Exploration/Clubhouse—€2m: Alpha Exploration Co., a San Francisco software company that owns the audio social network Clubhouse, received a €2m fine from Italy’s Garante for a number of non-compliant data processing practices. Garante cited Clubhouse’s lack of data use transparency, users’ ability to share and store audio without consent, sharing account information with no legal basis to do so, and indefinite storage times for recordings.
High-Level GDPR Enforcement Takeaways
While these examples may give the impression that the GDPR is only interested in going after Big Tech, a closer look at GDPR enforcement data paints a more nuanced picture.
International law firm CMS runs the GDPR Enforcement Tracker website, which provides a database of EU data protection authority fines and penalties. Some of their overall takeaways, published in a 2022 annual report, include:
- The leading violations that resulted in fines were “insufficient legal basis for data processing” and “non-compliance with general data processing principles,” with average fines of €1.2 million and €3.5 million, respectively. “Insufficient technical and organizational measures to ensure information security” (average fine €400,000) and “insufficient fulfillment of data subjects’ rights” (average fine €180,000) also topped the list.
- Spain was the leading country for GDPR enforcement in terms of the number of fines issued, followed by Italy and Romania. Luxembourg, Ireland, and France led the way for average GDPR fine amounts and total amount of fines per country.
- Violations of data subject rights have a high likelihood of triggering GDPR action. Companies should therefore emphasize internal processes, policies, and training that correspond to data subject access requests and transparency obligations to avoid fines.
- B2C businesses appear more likely to face data regulator investigations/fines than B2B companies. This could be due to data subjects reporting alleged GDPR breaches to authorities.
- Among sectors, industry and commerce faced the highest GDPR exposure, followed by media, telecoms, and broadcasting.
- The use of new technologies, driven by the need to innovate, could be a trigger for investigations, as these technologies have a higher likelihood of “risky” consumer data processing.
Finally, CMS notes that, regardless of enforcement variations across countries and sectors, GDPR fines continue to be serious and are here to stay. Record fines and landmark cases may get the most attention, but this should not obscure the fact there has been a constant increase in the total number of GDPR enforcement actions since 2018.
Enforcement Tracker data also shows that many small and medium-sized enterprises (SMEs) have received GDPR fines. Although most have, to date, been European SMEs, as enforcement ramps up, U.S. firms could face closer scrutiny.
Big companies like Meta and Google may consider large GDPR fines a cost of doing business, but monetary penalties could be more impactful for smaller businesses as a percentage of their revenue.
GDPR is the tip of the compliance iceberg
Companies that deal with EU data subjects can’t afford to ignore the GDPR, which has inspired similar legislation on every continent, as this IAPP chart shows. And like the GDPR, these laws can pack a regulatory punch.
One of the more noteworthy privacy developments of 2022 was the first fine issued under the CCPA. The $1.2 million settlement against Sephora was accompanied by a statement from California’s Attorney General to businesses that, “My office is watching, and we will hold you accountable.”
In addition to issuing fines, California also has the authority to require actions to “cure” alleged CCPA noncompliance. As detailed on the AG’s CCPA Enforcement page, these curative actions have included:
- Reviewing and updating service-provider contracts
- Blocking personal information transfers upon detection of the Global Privacy Control (GPC)
- Redesigning loyalty programs to capture express opt-in consent
- Updating privacy policies to include required CCPA rights
- Adding CCPA-compliant opt-out links
- Implementing staff training to better process right-to-know and delete data subject requests
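One of the curative actions above, honoring the Global Privacy Control (GPC), is the kind of thing that is easy to promise and easy to get subtly wrong. The following is an added example, not Didomi’s code and not taken from the AG’s enforcement page. The only facts it relies on are from the GPC specification: a browser sends the request header `Sec-GPC: 1` (and exposes `navigator.globalPrivacyControl`) when the user has turned the signal on. The partner list, the `role` field and the function names are constructed for illustration.

```python
# Added example (not Didomi's code): honoring the Global Privacy Control (GPC)
# opt-out signal on the server side.
#
# Facts from the GPC spec: the request header is "Sec-GPC" and the only defined
# value is "1". Everything else here (partner list, the "role" field, function
# names) is a constructed illustration.

from typing import Dict, List


def gpc_opted_out(headers: Dict[str, str]) -> bool:
    """Return True when the request carries a valid GPC opt-out signal.

    HTTP header names are case-insensitive, so we normalise before comparing.
    Only the exact value "1" is defined; anything else ("0", "true", "yes")
    is treated as no signal, as the spec gives it no meaning.
    """
    for name, value in headers.items():
        if name.lower() == "sec-gpc":
            return value.strip() == "1"
    return False


# Constructed example of a site's third-party data recipients. Under the CCPA a
# transfer to an ad-tech or data broker partner is a "sale" or "share" that GPC
# opts the user out of; a service provider processing data on the business's
# behalf under contract is not.
PARTNERS: List[Dict[str, str]] = [
    {"name": "example-adtech", "role": "third_party"},       # constructed
    {"name": "example-data-broker", "role": "third_party"},  # constructed
    {"name": "example-analytics", "role": "service_provider"},  # constructed
    {"name": "example-cdn", "role": "service_provider"},      # constructed
]


def recipients_for_request(headers: Dict[str, str],
                           partners: List[Dict[str, str]] = PARTNERS) -> List[str]:
    """Return the partner names personal information may flow to for this request.

    When GPC is set, every "third_party" recipient is dropped; only service
    providers acting on the business's behalf remain.
    """
    if not gpc_opted_out(headers):
        return [p["name"] for p in partners]
    return [p["name"] for p in partners if p["role"] == "service_provider"]


if __name__ == "__main__":
    # Constructed request headers, one with the signal and one without.
    with_gpc = {"Host": "shop.example", "Sec-GPC": "1"}
    without_gpc = {"Host": "shop.example"}
    print("GPC on :", recipients_for_request(with_gpc))
    print("GPC off:", recipients_for_request(without_gpc))
```

Two practical notes. First, the check belongs wherever the decision to fire a tag or call a partner API is made (the server, the tag manager, or the consent platform), not only in the privacy policy text. Second, the header should be honored per request and also recorded against any account the visitor is logged into, so the opt-out survives a browser change; that persistence step is outside this snippet.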
Looking Beyond the CCPA
The CCPA was the first state-level data privacy law passed in the U.S. But with a federal privacy law remaining out of reach in 2022—and for the foreseeable future—more states are following in California’s footsteps.
During the 2022 legislative cycle, lawmakers in 29 states and Washington, D.C. considered data privacy bills.
- 23 states held committee hearings on privacy bills
- 7 states passed a privacy bill through one chamber
- Two states—Connecticut and Utah—passed privacy laws
Connecticut and Utah joined California, Colorado, Nevada, and Virginia as the only states with data privacy laws—for now. But given the flurry of 2022 legislative activity, more state-level laws are expected in 2023.
Even if no other states pass laws this year, there is much in the U.S. privacy landscape that bears monitoring. As of January 1, the California Privacy Rights Act (CPRA), which amends the CCPA, and the Virginia Consumer Data Protection Act (VCDPA), are in effect. Later in the year, the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), and the Utah Consumer Privacy Act (UCPA) take effect.
On their own, these state data privacy laws present a significant compliance burden. But 2022 served as a reminder that U.S. privacy laws take more than one form, both at the state and federal levels. For example:
- Google agreed to pay a record $391.5 million in November 2022 to settle charges stemming from its location data tracking practices. Attorneys general from 40 states led this action, calling it the largest internet privacy settlement by U.S. states in history. The settlement came under state consumer protection laws—not data privacy laws—adding another layer of compliance to be aware of.
- President Biden signed an Executive Order in October 2022 to implement the E.U. – U.S. Data Privacy Framework. The deal looks to replace the vacated Privacy Shield agreement and bring greater certainty to Transatlantic data transfers, which have been left in a legal gray area for the last couple of years. Final approval could come in spring 2023.
Legislative Developments Outside the E.U. and U.S.
From a U.S. business perspective, a compliance strategy that focuses on the U.S. and E.U. is understandable. The two economic regions have a close economic partnership, and digital data flows between the U.S. and E.U. are worth around $7 trillion in trade and investment. When looking to expand abroad, many U.S. businesses first cast their gaze in Europe’s direction.
E-commerce in a globalized economy, however, opens doors to an international customer base. And whether a business has customers in Australia, Asia, South America, Africa, Canada, or New Zealand, it will have to contend with local data protection laws. A partial list of the countries with such laws includes:
- Hong Kong
- South Africa
- South Korea
While many of these laws have common data subject rights and impose similar obligations on data controllers/processors, each law is different and demands a tailored compliance strategy.
As if that isn’t challenging enough, new laws are constantly being introduced and passed. Some of the biggest developments from 2022 to come out of the global privacy sphere are:
- Australia’s Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 would amend the country’s 1988 Privacy Act and impose steep new privacy breach penalties of up to AUD$50 million (around US$35 million).
- Britain, no longer an E.U. member, has said it will replace its retained version of the GDPR (the UK GDPR) with its own regulatory regime, which it promises will be more business and consumer friendly.
- Indonesia ratified the Personal Data Protection Act (PDP). It is comparable to the GDPR, but with a key difference: the PDP covers Indonesian citizens both inside and outside the country (i.e., those living abroad).
- Quebec adopted Law 25. Designed to modernize Quebec’s privacy laws, Law 25 comes into force over a three-year phased rollout. Penalties range from up to $100,000 for individuals to $25 million or 4% of global revenue for private companies.
Didomi helps companies embrace changes in global privacy laws
The scope and speed of the spreading data privacy revolution can make complying with the many different laws feel overwhelming. There’s no sugarcoating the difficulties that privacy legislation imposes on businesses—or the costs they can face for noncompliance.
The good news is, embracing basic privacy principles—like always obtaining consumer consent before gathering personal information and implementing Privacy by Design principles across digital products and services—goes a long way toward satisfying global data protection laws.
Companies should also know that help is available. Having a partner that is up to date with hundreds of regulations worldwide lets you focus on your business while we take care of data privacy.
Didomi’s Consent Management Platform and Preference Management Platform turn compliance into a business advantage. Comply with privacy laws worldwide, even in the most complex technical environments, as part of a future-proof data strategy that puts the user front and center.
To test your compliance and learn more, talk to an expert at Didomi: