Legal Risks to Businesses
By Vault JS | August 8, 2023
Fines and lawsuits related to data protection and privacy are a real risk for organizations in today’s environment. Enterprise websites are under particularly close scrutiny, with billions of dollars of fines assessed annually across hundreds of companies. Here, we look more closely at the cost of non-compliance for those websites.
Regulators are enforcing more types of violations every day. We have seen over 2000 enforcement actions under the GDPR alone, each with its own nuances, and new privacy laws are being passed all over the world, at both national and state levels. Even beyond that complexity, old laws can be applied to modern situations in new and unpredictable ways.
For instance, laws designed to protect against physical wiretapping are beginning to be applied to session replay tools that record users’ browsing sessions without their consent, and the VPPA, which was originally enacted to protect Blockbuster video watchers’ privacy, is now being applied to website videos.
As such, it is impossible to give a comprehensive list of all possible privacy violations. However, some of the most common enforcement actions surround companies:
- Collecting customer data without sufficient consent
- Sharing customer data without sufficient consent, particularly with advertisers
- Storing data improperly, such that customers’ information is put at risk
- Failing to identify and remedy data breaches in a reasonable timeframe
- Failing to exempt sensitive or health information from typical monitoring
- Using dark patterns to coerce customers into agreeing to monitoring they do not want or understand, and
- Failing to inform customers of their data collection practices
The fines and lawsuits for privacy violations and PII theft are intimidatingly large and – even more disconcertingly – growing. Meta was fined $410 million for its data sharing practices in 2021, Amazon $877 million the same year for improper customer data processing, and Meta twice more in 2023, including a single $1.3 billion fine for its data storage practices. In between the fines are the lawsuits: T-Mobile settled for $350 million after a data breach, Google for $390 million after questions about its dark patterns, and Equifax for $575 million after failing to secure customer PII. It seems like every week there’s a new hundred-million-dollar story.
Yet the smaller stories might be even more concerning for the average website owner. Sephora’s $1.2M fine in 2022 was particularly noteworthy, not only because Sephora as a retailer was an unexpected target in a sea of Big Tech violators, but because the fine focused on its failure to respect the Global Privacy Control signal, a shortcoming which had never been specifically litigated before. Vault JS observes dozens of organizations per month ignoring GPC signals, many of whom did not previously consider that practice to be a violation at all, much less one likely to be fined. In the time since the Sephora action, we have seen many more organizations adjusting their priorities and incorporating GPC support into their privacy platforms.
As companies rework their priorities and analyze their own data protection practices, they can and should look to recent legal actions to see where their legal risk may lie.
We have compiled an incomplete list of fines and lawsuits that they may find relevant in that effort.
- GPC opt-out not honored
- Sensitive health data shared with advertisers without user consent
- Sensitive health data shared with advertisers without user consent (Health Breach Notification Rule)
- Failure to detect and respond to data breach; non-secure PII storage
- Unspecified consent issues in advertising system (fine: €746 M, ~$888 M)
- Customer data harvested when visitors diverted to phishing site (fine: £183 M, ~$232 M)
- Dark patterns and transparency; harder for users to reject than accept cookies (fine: €5 M, ~$5.7 M)
- Dark patterns and transparency; platform insufficiently clear about the extent of its data sharing (fine: €225 M, ~$266 M)
- Improper transfer of data from Europe to United States (fine: €1.2 B, $1.3 B)
- Session replay tools record user session without consent, collecting health data (California Invasion of Privacy Act, Electronic Communications Privacy Act)
- Session replay tools record user session without consent (Wiretap Act, California Invasion of Privacy Act)
- Video info and title shared with Meta via Facebook Pixel
- Non-essential cookies placed after opt-out
How can I avoid large fines?
The only way to be certain you will not be fined at all is to remain entirely compliant with all privacy laws, past, present, and future. But that’s nearly an impossible task. Mistakes happen, security systems can be breached, and no company is invulnerable.
Still, there are certain general measures you can take to minimize potential future fines.
- Take precautionary measures. This means proactively putting technical systems into place to monitor your data flows and alert you to any risks that emerge. It also means developing a company structure and culture that will take those risks seriously and move to address them.
- Be clear and transparent about your privacy and data practices. If customers make a free, informed, and explicit choice to accept your use of their data, you won’t be fined for using it. Being transparent also helps create an audit trail of everything you are doing to comply with the law and monitor your vendors. (Remember, though, not all fines are related to user consent; you may still be at risk for other types.)
- Remedy your mistakes as soon as you discover them. If you find a security or privacy risk in your system, patch it, don’t hide it. If you are alerted to a violation, address it. Not only will swift action help prove that your violation was unintentional, and therefore deserving of a smaller fine, but some laws, including the CCPA, allow companies to avoid fines entirely if they adequately cure their violations within a specified grace period.
- Mitigate damage. If you discover that your company’s practices have already done damage to customers, actively communicate that discovery to customers, and try to right that damage.
- Cooperate with supervisory authorities. If you find that you have been violating a privacy law, notify the appropriate authority proactively. If you are notified of a risk or violation, be transparent with the authority as they investigate.
- Make an effort to comply with the law. This one is simple and obvious, but it is important. Companies that intentionally operate in conflict with regulations are fined more severely than companies which violate the law through negligence. And companies with a history of noncompliance and no proof that they have made an effort to improve their systems face greater consequences than those that have learned from their mistakes.
- Keep records of your efforts. Keep your company’s internal records intact and available in case of a privacy audit. They can help demonstrate improvement over time.
These steps can demonstrate your commitment to preserving user privacy and data security, and they may earn you the goodwill (and lowered fines) of enforcement agencies.
All companies have a basic ethical obligation to protect their consumers’ privacy and data security. It’s the right thing to do in and of itself, and companies that make an effort to do so enjoy increased consumer trust and a higher perceived brand value. But it can be hard to keep those abstract priorities in mind when faced with the real costs of developing and maintaining privacy infrastructure.
Seeing privacy fines and lawsuits can make those abstract values very tangible. A company that invests early in its compliance programs and in protecting customer data can avoid losses that would otherwise cost it hundreds of millions of dollars in fines, lawsuits, and lost customer trust.