It's been nine months since the General Data Protection Regulation (GDPR) took effect, and on January 21 French regulators fined Google $57 million for violating it, the largest GDPR fine to date. Google is the first big tech company to be slapped with a fine since the law came into force. However, there are plenty of complaints filed against other companies, and we can expect to see more of these fines in the coming months. These fines are not limited to big tech. Under the GDPR, any individual EU citizen can lodge a complaint, and it is individuals who have been the source of most of the complaints to date. If your brand works with EU customers or targets EU users, then it's incumbent on you to be sure you've reviewed your procedures and updated your compliance.
The fine was leveled against Google for failing on two keystone GDPR provisions: obtaining explicit consent to gather data, and the sharing of data between its services. While the $57 million fine is relatively small considering projections that Google will top $30 billion in earnings in the fourth quarter of 2018 and end the year around $110.9 billion, it is the heftiest fine resulting from GDPR. It's a reminder that no business should take GDPR lightly.
GDPR regulations allow for fines of "€20 million (about US$23 million, as of this writing) or 4 percent of an organization's annual global revenue, whichever is greater." This potentially exposes Google to billions of dollars in penalties, and it isn't the first time that Google has dealt with EU fines. It's currently under investigation for antitrust violations and has already been hit with a $5 billion fine in 2018 and a $2.7 billion fine in 2017.
Big tech put on notice?
Google's fine seems to be the start of the EU regulatory bodies ramping up penalty activity surrounding GDPR. The French data protection authority (CNIL) ruled that Google did not properly get consent from users to personalize advertising. One of the big transgressions here is that Google was assuming consent instead of explicitly asking for it. Under the GDPR, users must explicitly give consent by taking an action. Users cannot be presented with a pre-checked box, which is what Google was doing.
Plenty of websites display a GDPR cookie notice that can be easily ignored. If the user does nothing and continues to browse the site, the notice disappears and consent is assumed. We have even seen examples where companies are straddling the line between getting clear consent and satisfying their own usability needs. Brands doing business in the EU need to integrate security into their business processes and systems while making it easy to obtain consent for things like cookies and personalization. Replacing "accept" with "this is fine" is playing with fire.
Do we need protection? Are these fines just?
There has been a growing conversation about our data and what we share. This data is extremely valuable to platforms like Facebook, Instagram, Google, and other social apps. There is more awareness around privacy in the US, and some states, like California, are putting their own laws into effect. However, there are few indicators that a broader application of data privacy law will take shape in the United States any time soon.
Data protection is important for brands to think about, even if they are not subject to GDPR regulations. Users want their data to be protected, and not shared without consent or notice. According to a survey by Janrain, 68% of Americans want to see laws similar to GDPR in the United States. They don't want to see an ad on Instagram for that mattress and pillow set they searched for once at 2 am; they want to control what data is stored, and they want to be alerted promptly if there is a breach.
GDPR is a good first step, but the next level is for firms to start incorporating data protection measures into the core of their products (assuming they aren't already). Assumed consent, disparate policies, and sharing of that data across services are no longer best practice.
For companies like Amazon, Spotify, Facebook, Experian, and Netflix, there are other complaints in the pipeline. It is essential that companies make sure they are in compliance and are keeping their customers' data safe; failing to comply is a serious threat to companies large and small.
Written by Nathan Spidle