Facebook and Others Hit With Privacy Fines - What You Should Be Concerned About
Online privacy laws and enforcement will continue to increase
Facebook has received a number of recent privacy complaints, with repercussions ranging from increased public scrutiny to monetary fines, including a €500,000 ($644,000) fine by the UK’s Information Commissioner’s Office (ICO) in 2018 – the maximum penalty under the UK’s data protection legislation. The fine was levied after the ICO discovered that Facebook had failed to keep the personal information of its users secure by allowing third-party developers access to user information without user consent. One such third-party developer was able to convince 300,000 people to install a personality testing app that collected data from each user and their friends. This allowed the data of around 87 million profiles to be gathered worldwide without users’ knowledge.
In light of the Facebook scandal and others, consumers have become wary and distrustful of the way companies use their data. Various other platforms such as Exactis, Polar, Panera Bread, MyFitnessPal, and Google+ have experienced privacy breaches similar to Facebook’s that left the personal information of millions of Americans exposed. The frequency of these breaches yields more distrust from the public and, in turn, outrage and demands to hold companies accountable for their mistakes.
Why should American companies be concerned about privacy laws around the world?
There are numerous privacy laws around the world, but EU privacy laws are the most important non-U.S. laws for American companies. In fact, you may be subject to the EU’s data privacy regulations if you do business in the EU, or even if you merely collect any personal information from EU citizens.
U.S. laws will likely be getting stricter.
As for U.S. companies that neither do business in the EU nor collect information from EU citizens, you should begin preparing for the future. Regulation is rapidly being introduced at the state and federal levels to ensure data is protected. The GDPR is likely a sign of future U.S. regulation as well.
In response to the Facebook scandal and the GDPR, California passed its own privacy law to bolster consumer trust in companies and to hold executives accountable for their mistakes. The California Consumer Privacy Act (CCPA) was signed into law in June 2018, and its goal is to give consumers more control over their personal information by:
Giving the consumer the right to know what personal information a business has collected from them, where it came from, and what it is being used for;
Giving the consumer the right to “opt out” of allowing a business to sell their personal information to third parties;
Giving the consumer the right to have their personal information deleted by the business; and
Giving the consumer the right to receive equal service and pricing, even if they exercise their privacy rights under the Act.
“Personal information” in the CCPA is defined as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The essence of the California law is similar to the GDPR – it aims for transparency. The Act permits a private right of action in the case of a data breach as well as administrative penalties. Violators can be fined up to 4% of revenues. The CCPA will take effect on January 1, 2020.
Eleven other states have followed California and introduced legislation similar to the CCPA. In response to the increased state legislation and the GDPR, Congress has introduced several bills, including the Consumer Data Protection Act (CDPA). The proposed bill, introduced by Senator Ron Wyden, would provide:
Increased control for consumers by allowing them to review all of their personal information that has been stored by companies and how it is being used
A uniform regulatory standard for privacy law across the United States, applying to all companies that generate over $50 million in annual revenues and collect personal information on over one million consumers
The bill also increases the Federal Trade Commission’s (FTC) power to monitor and administer penalties.
The penalties under this bill are similar to those of the CCPA but also include the possibility of jail time for executives who mishandle consumer data, as well as fines.
Although this bill has not been passed yet, companies should start preparing for the inevitable. Regulations are shifting toward a more consumer-friendly environment.
What you can do.