Companies found in violation of strict privacy regulations are paying ever-heftier fines. Here’s a look at who got slapped with what this summer.
On May 28, the General Data Protection Regulation (GDPR) had its first birthday. Arguably the most influential and far-reaching of global privacy regulations, GDPR is now fully in force – with no further grace period extended to companies in violation of its very stringent data privacy stipulations.
This means that it’s already long past time for companies to pay more attention to how they collect, handle and store customer and employee Personally Identifiable Information (PII) and biometrics. And this also means that the summer of 2019 was a hot one as far as fines for violations of privacy regulations go. How hot? Around $5.3 billion, thus far. Here’s how the Summer of Fines played out.
July 1, 2019 – TikTok investigated for handling of children’s data
After the US Federal Trade Commission levied a $5.7 million fine against TikTok (formerly Musical.ly) for breaching a children’s privacy law, the company is being investigated in the UK for an alleged violation of the Children’s Online Privacy Protection Act. TikTok apparently failed to seek parental consent before collecting names, email addresses and other personal information from users under 13.
July 8, 2019 – British Airways fined £183m over passenger data breach
British Airways was fined over £183m by the UK Information Commissioner’s Office after hackers stole the personal data – including login, payment card, name, address and travel booking information – of half a million of the airline’s customers. The cause, according to the regulator, was British Airways’ “poor security arrangements”.
July 9, 2019 – Marriott fined nearly £100m over GDPR breach
The UK Information Commissioner’s Office imposed a record £100m fine against Marriott International after hackers stole the records of 339 million guests. The company admitted last year that personal data including credit card details, passport numbers and dates of birth had been stolen in a huge global hack of guest records.
July 23, 2019 – Google to pay $13 million in Street View privacy case
Google agreed to a $13 million settlement for class-action litigation over the company’s collection of PII under its Street View project. The class action began when Google admitted that cars photographing neighborhoods for Street View had also gathered emails, passwords and other private information from WiFi networks in more than 30 countries.
July 26, 2019 – FTC hits Facebook with $5 billion fine
The Federal Trade Commission reached a $5 billion settlement with Facebook in the culmination of a years-long investigation into the Cambridge Analytica scandal and other privacy breaches. The FTC accused Facebook of violating the law by failing to protect data from third parties, serving ads through the use of phone numbers provided for security, and lying to users that its facial recognition software was turned off by default.
August 12, 2019 – Facebook facial recognition class action suit to move forward
Clearly this was a hot summer for Facebook. In mid-August, just three weeks after being fined by the FTC, a US Court of Appeals affirmed a lower court’s certification of a class action suit against Facebook, first filed in 2015. The suit alleges that Facebook violated Illinois privacy laws by secretly amassing biometric data without consent. The plaintiffs claim that the social media giant illegally collected what the company itself claims is the largest privately held database of facial recognition data in the world.
August 22, 2019 – Swedish data protection authority issues first fine for biometrics use under GDPR
Sweden’s data protection authority fined a school SEK 200,000 (US$20,650) for using biometric facial recognition to record student attendance, in violation of the GDPR. The high school, in the town of Skelleftea, used facial biometrics to conduct daily attendance checks. The fine was levied despite the fact that school officials claimed consent was obtained from students.
September 4, 2019 – YouTube to pay $200 million for violating children’s privacy
Google will pay a record $170 million to settle allegations by the Federal Trade Commission and the New York Attorney General that its subsidiary YouTube illegally collected personal information from children without their parents’ consent.
September 5, 2019 – Home Depot faces class action over facial recognition security cameras
Four Illinois shoppers filed a proposed class action lawsuit against home improvement retailer Home Depot, claiming the company’s facial recognition security cameras violate the Illinois Biometric Information Privacy Act (BIPA).
The Bottom Line
Consumers increasingly understand that their privacy is at risk, and legislation is starting to catch up with rampant misuse of technology. Organizations that violate ever-tighter privacy laws are paying a steep price. To mitigate both the dangers of privacy abuse and the liability associated with it, organizations need to turn to solutions that allow commercialization and privacy to live side-by-side.