
Data Privacy (Non)compliance: How Enforcement Works

Written by Matt Davis, CIPM (IAPP) | August 9, 2022

In 1983, New York enacted the nation’s first mandatory seat belt law. Its reception was … mixed.

“This is not supposed to be Russia where the government tells you what to do and when to do it,” a Bronx construction worker told the Washington Post at the time.

“I wish it was mandatory for everybody, because it's worth it,” said a Manhattan store clerk.

As more and more states enacted mandatory seat belt laws, most people complied. But some cut the seat belts out of their cars in protest. Others deliberately misused seat belts by sitting on top of them, or silenced the seat belt alarm by plugging in buckles unconnected to an actual belt — the list goes on.

All in all, people struggled with compliance in the first few years after seat belt laws were introduced. And that was just for a law that asked people to buckle up!

When we think about more complicated regulations — like data privacy — it should come as no surprise that businesses struggle with compliance. Unlike seat belt laws, it’s easy to be out of compliance even if you want to do the right thing. It can leave businesses wondering whether it really matters if they’re in compliance or not.

To spread awareness about the importance of data privacy compliance, let’s take a leaf out of the seat belt regulation book. Seat belt compliance skyrocketed after the “Click it or ticket” campaign, whose main theme was enforcement. How are data privacy regulations being enforced, and who’s enforcing them?

What noncompliance looks like

To get a sense of what authorities are looking for, let’s take a look at some examples of companies that have been penalized for noncompliance in the past.

Note that there is more information available for cases in the EU than in the US. This has to do with the fact that data privacy regulation has been around longer in the EU and the potential fines for noncompliance with the GDPR are higher. With new state privacy laws coming online in 2023, we expect to see more privacy enforcement actions in the US.

Manipulative design practices

For many companies, more data means more revenue. Under the GDPR, businesses need to obtain a user’s opt-in consent before they can track that user’s data via cookies, and they also need to provide a way for users to reject cookies. If you’re interested in maximizing data collection, it can be tempting to make cookie acceptance easier than cookie rejection.

Some companies design their cookie banners in such a way that more clicks are required to reject cookies. Google is one such example — they were fined €150 million by French data protection authorities as a result.

Charging for DSARs

In the US, a children’s toy manufacturer knew it had to provide a means for consumers to make data subject access requests, or DSARs. Acting on DSARs takes time out of a company’s day, so the manufacturer decided that it ought to be compensated by consumers for making them. That was a violation of the CCPA/CPRA, and after receiving a warning from the California Attorney General, the business amended this practice and avoided a fine.

Poor security measures

Many of the headline-grabbing instances of noncompliance come to light due to a data breach. In these instances, cybercriminals steal consumer data that wouldn’t have been exposed to a breach had the company been compliant.

An example of this is Salesforce and Hanna Andersson, a children’s apparel brand.

These companies are subject to a class action lawsuit alleging that their “negligent and/or careless acts and omissions and failure to protect customer’s data” resulted in massive amounts of consumer data being exposed after a data breach. A proposed settlement of $400,000 has been reached but has not yet been formally approved as of this writing.

SMBs are subject to enforcement, too

Many of these privacy enforcement actions feature big-name companies, but it doesn’t mean that small- and medium-sized businesses can get away with noncompliance. As an example, consider Lifecycle Marketing, Mother & Baby Ltd., a UK-based SMB that received a £140,000 fine from the Information Commissioner’s Office (ICO) after reselling consumers’ personal information without their consent.

How noncompliance is discovered

Some required data privacy practices are public-facing, like how you handle cookie consent banners or DSARs. Others are internal, like how well you protect customer data. How do data protection authorities uncover noncompliance?

Exposed in a data breach

Even if a business is mostly compliant, flies under the radar of data protection authorities, meets a minimum threshold of adequacy, or has otherwise solved data privacy compliance only imperfectly, data breaches still pose a threat.

Nobody can really control whether or not they become the target of cybercriminals. If your business controls or processes consumer data and that data isn’t adequately protected, then a data breach will expose your consumers’ data. As a result, data protection authorities, plaintiff lawyers, or the state attorney general may find that you didn’t meet the standards required by data privacy regulations and are subject to enforcement.

This is a particularly expensive way to be found noncompliant.

According to recent research from IBM, the average data breach cost $4.5 million — without factoring in additional fines and penalties that result from noncompliance with data privacy regulations. On top of the costs associated with recovery, remediation, and reputational damage, a data privacy compliance fine can feel like adding insult to injury.

Consider the case of British Airways: after the airline suffered a data breach in 2018, the ICO fined it £20 million for failing to meet GDPR cybersecurity standards in protecting the personal and financial information of 400,000 of its customers.

Uncovered by privacy rights groups

Data privacy rights groups will sometimes assess the privacy practices of a sample of companies to determine whether they’re complying with the law or not. If they find, for example, that a certain number of companies have manipulative cookie banners or deceptive privacy policies, they’ll file a complaint with their relevant data protection authority or with the attorney general.

In the EU, the most noteworthy data privacy group is NOYB, or None of Your Business. NOYB is Max Schrems’s data privacy group, and it has been behind famous EU data privacy decisions, like the invalidation of the Privacy Shield. Recently, NOYB lodged a whopping 226 complaints with EU data protection authorities against websites with deceptive cookie banner practices.

While privacy rights advocacy groups are more active in the EU than they are in the US, that doesn’t mean there are none in the US or that they aren’t seeking out businesses that are breaking the law. Often, they are the same groups that lobbied for a given law to be created in the first place.

Individual complaints

Data privacy advocacy groups may have more resources and more time to spend on advancing a complaint, but individuals are just as capable of filing complaints with data protection authorities or attorneys general. In all likelihood, these complaints would result from highly visible infractions, such as failing to provide consumers a choice to withdraw consent from cookies, failing to act on cookie consent choices, failing to act on DSARs, and so on.

The odds are slim that any individual complaint will trigger enforcement actions, but they’re never zero. As more complaints against the same company for the same infraction build up, those odds increase.

How penalties get enforced

Data protection authorities

For the time being, the majority of enforcement actions from data protection authorities take place in the EU. When you hear about million euro fines being levied against Amazon or Google, usually those were issued by an authority like the UK’s ICO, France’s Commission Nationale de l'Informatique et des Libertés (CNIL), or Ireland’s Data Protection Commission (DPC). Once made aware of a data privacy violation, these organizations have the power to levy fines and penalties.

With the exception of California, the US lacks organizations specifically focused on privacy enforcement actions. California’s CCPA/CPRA is enforced by the California Privacy Protection Agency (CPPA), though it has not yet taken any enforcement actions as of this writing.

While a US federal data privacy regulation has yet to be enacted into law, the bills that have been advanced in Congress generally leave enforcement up to the FTC. To date, the FTC has led significant enforcement actions against organizations whose data privacy practices constitute a “deceptive trade practice” and with respect to children’s personal data.

State attorneys general

In American states with data privacy laws on the books, the state attorney general is the usual source of privacy enforcement actions.

Attorneys general have the power to investigate a business merely under the suspicion that they are not complying with data privacy regulations. If an attorney general discovers that a business is noncompliant, they’ll typically issue a warning first. If that warning is ignored or isn’t acted upon in a satisfactory way, state attorneys general will file suit.

Class-action lawsuits

Businesses can also face class-action lawsuits from plaintiff firms. The likeliest trigger for a class-action lawsuit is a data breach — which, after all, is a highly visible, public event that affects a class of people (i.e., the business’s customers). As an example, the suit against Salesforce and Hanna Andersson mentioned above is a class-action lawsuit that resulted from a data breach.

Private lawsuits

This is the least common means of enforcement, but it still bears mentioning. Most data privacy regulations do not allow for what’s called a “private right of action,” meaning that individuals can’t decide to sue businesses because they are not in compliance.

However, there are some jurisdictions that permit a limited private right of action. The GDPR allows for a private right of action, but it isn’t really designed for that purpose. In the EU, a private lawsuit would function differently depending on the laws of an individual member state. Moreover, the big, headline-grabbing fines wouldn’t come about as a result of an individual lawsuit — only the data protection authorities have the power to levy those kinds of penalties.

The CPRA also allows for a limited private right of action. But this only applies in the event of a data breach, and only if certain types of consumer data were exposed.

“Click it or ticket” for data privacy regulations

The real takeaway here is that data privacy regulations (just like seat belt laws) aren’t toothless.

In the grand scheme of things, these laws are all very new. In jurisdictions like the EU, enforcement has kicked into full gear after the GDPR’s enactment in 2016. In the US, where data privacy laws are more recent, enforcement is still ramping up, and US-based businesses can expect privacy enforcement actions to increase.

Of course, knowing that there are many ways that your business can be penalized isn’t quite as useful as knowing how to avoid being penalized in the first place.

To learn more about the basics of data privacy laws, we recommend checking out our other blog post on the topic: The anatomy of a data privacy law. It’ll give you an overview of what goes into a data privacy law, which will help you identify your data privacy compliance needs as they relate to the specific laws that apply to you.

And if you want broad compliance with multiple laws without having to read a half dozen blogs and legal articles, you can always sign up for a demo of Osano.