Senior Content Marketing Manager II
January 10, 2023 · 7 min read
How to avoid GDPR fines in 2023
GDPR fines increased 120% between March 2018 and March 2021, according to a report by legal firm CMS.
And 2021 saw some of the biggest privacy fines yet. Amazon, WhatsApp, and Google were slapped with fines that together totaled over $1.3 billion.
It varies from case-to-case, but the most common triggers for GDPR fines are:
Essentially, companies are being fined for collecting and processing consumer data when they shouldn't be, for failing to protect that data, and for generally flouting the obligations laid out in the GDPR.
We'll take a closer look at the largest fines to date below.
In its July 2021 earnings report, Amazon revealed a €746 million fine levied by Luxembourg's National Commission for Data Protection (CNPD), by far the largest GDPR fine to date.
Though the exact details of Amazon's violation are still fuzzy, the original complaint cites a lack of "free consent."
Three months after receiving the fine, Amazon officially filed an appeal, which is why details of the case aren't yet publicly available. However, what little we know is still telling.
GDPR Article 4(11) defines consent as "freely given, specific, informed and unambiguous," so any fine citing invalid consent indicates that at least one of those requirements was not met.
The 2021 fine was actually Amazon's second consent-related fine. In 2020, it received a €35 million (about $42M) fine from CNIL, France's privacy watchdog, for placing cookies without user consent. Dropping cookies without consent is a clear violation.
However, privacy watchdogs throughout Europe have also cracked down on deceptive cookie consent practices. In decisions announced in January 2022, Google and Facebook both received multi-million euro fines from CNIL for employing dark patterns, i.e. designing consent interfaces in a way that coerces users into accepting cookies. Providing only an "Accept all" button is one common example.
Without more detail it's difficult to say exactly what Amazon could have done to avoid this massive fine. However, strictly adhering to the GDPR's consent requirements, ensuring user consent is freely given, specific, informed, and unambiguous, would be a good start.
In September 2022, Ireland's data protection authority fined Instagram a record-breaking €405 million ($402M), the second-largest GDPR fine ever.
Ireland's Data Protection Commission (DPC) started its investigation in 2020, focusing on Instagram users aged 13-17 who were able to open Instagram business accounts. The issue was that business accounts defaulted to "public", so they could be viewed by anyone, and that they displayed the user's phone number and email address publicly.
GDPR requires abundantly transparent communications about privacy practices for services that target minors. It also has clear requirements around privacy by design and by default, meaning the most privacy-protective settings apply unless the user chooses otherwise, especially as it relates to children's data online.
Though Instagram reportedly plans to dispute the penalty, the DPC is currently involved in at least six other investigations into Meta-owned companies.
In September 2021, WhatsApp received the third-largest GDPR fine to date from Ireland's Data Protection Commission (DPC). The €225M penalty was levied for transparency failures, including not explaining in its privacy policy the "legitimate interests" it relied on as a basis for processing.
Companies under the GDPR must be transparent about how user data is gathered and shared, and are required to provide this information on their website in an easily accessible privacy policy.
According to the ruling, WhatsApp failed to:
WhatsApp is appealing the fine, but other organizations can still take important lessons from this penalty. First and foremost: providing clear, easily accessible privacy information is crucial.
Forcing a user to click through multiple layers of linked documents, or including long blocks of text that convey little meaningful information, are both grounds for fines.
It's also important that your privacy policy includes detailed information about how and why data is being processed, including your legal basis for processing, data recipients (as well as categories of recipients), retention periods, and more.
Finding and documenting this level of detail is time-consuming, but glossing over aspects of your data processing operations can result in significant penalties.
Google's 2021 fine from CNIL came in two parts: a €90 million fine for Google LLC and a €60 million fine for Google Ireland. Both were levied on the same day for the same reasons. (Strictly, CNIL issued these cookie fines under the French rules implementing the ePrivacy Directive rather than under the GDPR itself, though they are commonly counted alongside GDPR fines.)
The key difference is that the Google Ireland fine concerned the google.fr domain, whereas Google LLC was fined for violations on the google.com domain.
CNIL's investigation focused on cookie violations on Google-owned video streaming platform YouTube, as well as on the main Google search engine.
The privacy regulator concluded that Google was using non-compliant cookie consent mechanisms, which made it too difficult for users to refuse cookies on both YouTube and Google Search.
According to CNIL, YouTube users only had to click once to accept cookies, whereas refusing cookies took multiple clicks.
CNIL's decision stated that Google purposefully made the refusal mechanism more complex to push users into accepting cookies, a clear violation of the requirement that refusing cookies be as easy as accepting them.
Similar to Google's 2021 fine, Facebook received a €60 million fine for failing to give users a way to refuse cookies as easily as they could accept them. Users had to go through several clicks to refuse cookies, whereas accepting them required clicking a single button.
More than that, the button to reject cookies was labeled "Accept cookies" and was located at the bottom of the second screen of the consent interface. Regulators made the case that this made rejecting cookies an unnecessarily difficult and confusing process, a clear violation of GDPR Article 4(11), which requires consent to be "freely given, specific, informed and unambiguous."
2021 saw a slew of record-breaking GDPR fines, and 2022 showed no sign of slowing down.
In January 2022, Google Ireland and Google LLC received a combined fine of €150 million (about $170M), while France's CNIL fined Facebook €60 million (about $68M) for failing to obtain valid user consent.
Then in March 2022, Facebook (Meta Platforms Ireland) received yet another fine, this time €17 million levied by Ireland's Data Protection Commission, for failing to demonstrate that it had appropriate technical and organisational measures in place to protect users' data.
It's clear GDPR fines are here to stay and, though all the largest fines have been levied on tech giants, it's not just large companies who should be concerned.
Check out the GDPR enforcement tracker for a complete list of GDPR fines, many of which were dealt to smaller organizations.
To avoid hefty fines and support usersâ data rights, organizations should take the following steps.
Privacy policies are an important compliance tool. Not only are they explicitly required, they also give users the information they need to successfully exercise their data rights.
Make sure your policy addresses the full scope of operations. Outline what information you will collect, keep, and share with third parties and provide a way for consumers to submit data subject access requests.
Remember, the policy should be straightforward, transparent, and easy for users to find and access. Don't underestimate the importance of this piece.
If GDPR regulators feel your privacy policy is unnecessarily complex, difficult to access, or attempting to hide information, e.g. by making users click through multiple embedded links to find what they need, that is grounds for a fine.
Under GDPR, consent must be "freely given, specific, informed and unambiguous."
Attempting to influence or trick users into accepting cookies is viewed as a violation. Even something seemingly innocuous, like providing an "Accept all" button but not a "Reject all" button, can be considered a dark pattern.
According to European privacy watchdog NOYB, dark patterns "get more than 90% of users to click the 'accept' button while industry statistics show that only 3% actually want to agree."
In March 2022, NOYB sent 270 website owners draft complaints about deceptive cookie banners, with the aim of encouraging website owners to redesign their banners with GDPR guidelines in mind.
Though the initial foray was draft complaints, NOYB Chairman Max Schrems stated:
"We want to ensure compliance, ideally without filing cases. If a company however continues to violate the law, we are ready to enforce users' rights."
So what should you do as an organization?
Provide three different buttons up front: Accept all, Reject all, and Show purposes. That way users can give valid consent (or refuse it) in a single step, no tracking runs until they have chosen, and your organization won't be open to a dark patterns accusation.
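The two halves of that recommendation, tracking that stays off until the user has chosen and a refuse path that costs no more clicks than the accept path, can both be checked in code. The block below is an added example, not Transcend's code or any vendor's consent SDK: a small consent gate that only releases tracking scripts for purposes with a recorded "yes", plus an "equal effort" audit over a banner layout modelled as a list of buttons. The `purpose` names, the `{label, action, screen}` button model, the click-cost rule (one click per screen reached plus the button itself) and the sample trackers are all assumptions made for the example.

```javascript
// Added example, not Transcend's code: a consent gate and a small
// "equal effort" audit for a cookie banner layout. Assumptions:
// tracking scripts are described as {name, purpose, src} objects, and
// the store is a plain object standing in for a first-party cookie or
// localStorage entry.

const PURPOSES = ["necessary", "analytics", "marketing"];
// Bump when purposes or policy text change: older records no longer count as consent.
const CONSENT_VERSION = 1;

function createStore() {
  return { record: null }; // null = the user has not answered the banner yet
}

// Build a consent record. "necessary" is strictly required and needs no
// consent; every other purpose is false unless the user explicitly chose it.
function newRecord(choices, now = Date.now) {
  const purposes = {};
  for (const p of PURPOSES) {
    purposes[p] = p === "necessary" ? true : choices[p] === true;
  }
  return { version: CONSENT_VERSION, at: now(), purposes };
}

// Each of these is a single action, so accepting and refusing cost the same effort.
function acceptAll(store, now) {
  const all = Object.fromEntries(PURPOSES.map((p) => [p, true]));
  store.record = newRecord(all, now);
  return store.record;
}
function rejectAll(store, now) {
  store.record = newRecord({}, now);
  return store.record;
}
function savePurposes(store, choices, now) {
  store.record = newRecord(choices, now);
  return store.record;
}

// No record, or a record made under an outdated policy version, means no consent.
function hasConsent(store, purpose) {
  const r = store.record;
  if (!r || r.version !== CONSENT_VERSION) return purpose === "necessary";
  return r.purposes[purpose] === true;
}

// Return the trackers that may be loaded; a browser would then create a
// <script src=...> element for each of these and for nothing else.
function allowedTrackers(store, trackers) {
  return trackers.filter((t) => hasConsent(store, t.purpose));
}

// Banner audit. Each button is {label, action, screen}; screen 0 is the first
// layer. Model (assumption): reaching a button costs one click per screen
// before it plus the click on the button itself.
function auditBanner(buttons) {
  const findings = [];
  const clicksTo = (action) => {
    const hits = buttons.filter((b) => b.action === action);
    return hits.length ? Math.min(...hits.map((b) => b.screen + 1)) : Infinity;
  };
  const accept = clicksTo("accept_all");
  const reject = clicksTo("reject_all");
  if (reject === Infinity) {
    findings.push("no reject-all control");
  } else if (reject > accept) {
    findings.push(`reject-all needs ${reject} clicks, accept-all needs ${accept}`);
  }
  for (const b of buttons) {
    if (b.action === "reject_all" && /accept/i.test(b.label)) {
      findings.push(`reject-all control is labelled "${b.label}"`);
    }
  }
  return findings;
}

// Constructed sample data for the demo.
const TRACKERS = [
  { name: "session", purpose: "necessary", src: "/session.js" },
  { name: "analytics", purpose: "analytics", src: "https://example.invalid/a.js" },
  { name: "ads", purpose: "marketing", src: "https://example.invalid/ads.js" },
];
// Layout of the kind CNIL fined: accept on the first layer, refuse on the
// second layer and mislabelled "Accept cookies".
const DARK_PATTERN = [
  { label: "Accept all", action: "accept_all", screen: 0 },
  { label: "Manage cookies", action: "open_settings", screen: 0 },
  { label: "Accept cookies", action: "reject_all", screen: 1 },
];
// Three buttons up front, as the text recommends.
const COMPLIANT = [
  { label: "Accept all", action: "accept_all", screen: 0 },
  { label: "Reject all", action: "reject_all", screen: 0 },
  { label: "Show purposes", action: "open_settings", screen: 0 },
];

function demo() {
  const store = createStore();
  const beforeChoice = allowedTrackers(store, TRACKERS).map((t) => t.name);
  rejectAll(store);
  const afterReject = allowedTrackers(store, TRACKERS).map((t) => t.name);
  savePurposes(store, { analytics: true });
  const afterPurposes = allowedTrackers(store, TRACKERS).map((t) => t.name);
  return {
    beforeChoice, afterReject, afterPurposes,
    darkPatternFindings: auditBanner(DARK_PATTERN),
    compliantFindings: auditBanner(COMPLIANT),
  };
}
```

Two design points matter here. First, the gate treats "no record" and "record for an old policy version" the same as a refusal, so a user who never answered the banner, or answered an earlier version of it, is never tracked by default. Second, the audit flags exactly the two things CNIL objected to in the Facebook case: a refuse path that needs more clicks than the accept path, and a refuse control whose label says "Accept".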
Regulatory agencies place the responsibility for protecting user data on data controllers and processors i.e. the businesses who are collecting and using user data.
This means businesses must take steps, not only to ensure data security, but also to provide accessible documentation about their security measures.
Use up-to-date security controls such as identity and access management (IAM), third-party (processor) due diligence, and encryption of sensitive data in transit and at rest.
Effective IAM limits who has access to sensitive data, giving people only what they need to do their job (least privilege). Third-party due diligence means vetting processors appropriately and drawing up clear, comprehensive contracts (data processing agreements) covering how data is processed and secured.
Data breaches are another important consideration. For businesses that process large quantities of user data, a security breach can mean sensitive consumer information has been compromised.
Under GDPR Article 33, a personal data breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; a later notification must be accompanied by reasons for the delay. The clock starts when you become aware, so a suspected breach has to be triaged quickly enough to make that deadline.
That's why it's also recommended that organizations document and socialize an incident response plan throughout the company, so everyone knows what's expected and how to respond in the event of a potential security breach.
Data minimization is a core GDPR principle, so companies should take steps to holistically limit the data they collect and process throughout the organization.
GDPR Article 5(1) states that:
Personal data shall be: (c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)
What does this mean in practice? The UK's Information Commissioner's Office (ICO) provides helpful clarification on this topic:
In practical terms, data minimization is more of a framework for considering how and why your organization collects data. That said, outlining, documenting, and circulating data minimization practices (what is collected, why, and for how long) throughout your organization can go a long way.
IAPP offers further resources on applying data minimization.
One fairly simple way to strengthen your GDPR compliance is to limit the amount of data you collect on your employees.
When collecting internal data from employees, employers do not need explicit consent. However, they must be able to show a valid legal basis, typically a "legitimate interest," which can be more difficult than it sounds.
In 2021, German retailer notebooksbilliger.de received a €10.4 million fine for failing to provide a valid legal basis for monitoring employees with CCTV cameras.
By monitoring employees in break rooms, warehouses, and at points of sale, the regulator argued, the retailer overstepped what could be considered a legitimate interest.
The regulator also found that notebooksbilliger.de had violated data minimization principles by keeping the recorded footage for 60 days or more.
Despite not requiring consent, processing employee data has clear pitfalls, so best practice is to minimize that form of processing wherever possible.
Our mission is to make it simple for companies to give their users control of their data by encoding privacy across their tech stack.
Automate data subject request workflows with Privacy Requests, ensure nothing is tracked without user consent with Transcend Consent, or seamlessly generate Records of Processing Activity (ROPA) for GDPR compliance with Data Mapping.
Looking to evaluate your current privacy program and discover any hidden costs? Explore our privacy request cost calculator.