Data Privacy and Big Techs: Time To Lead by Example

CookieYes
Mar 11, 2021

The Facebook-Cambridge Analytica Data Scandal of 2018 was a massive jolt to data privacy in the USA. The data misuse by the tech giant caused quite an uproar. It cost the social media giant $5 billion.

It was not the only case where Facebook or a big tech company violated the data privacy of people. It probably will not be the last. Ever since the implementation of privacy laws like the GDPR, we have seen many such big organizations fined by the data protection authorities, some of them more than once. But the question is: is it enough? Does this make the big techs adopt a more rigorous approach to data privacy?

In this article, we will discuss various data privacy violations by big tech companies and the need for data privacy regulators to ensure stronger provisions that do not hurt smaller organizations more than the tech giants.

Article excerpt

Big techs like Google, Twitter, Facebook, and Amazon have all violated data privacy regulations and paid the price for it. They even rectified their mistakes. However, it seems like rather than solving the core issues — providing stronger privacy provisions and following the privacy laws — they would rather pay the small price or find workarounds to avoid the law.

Are official apologies or financial settlements enough to curb the rising privacy violations or the fear among people? Also, smaller organizations suffer the worst from the enforcement of privacy laws, while allegations against the bigger organizations do not affect their expanding market share.

Data privacy violations by big techs

Let us look at some of the data privacy violations by big tech companies in recent years.

Twitter — ~$544K by Irish DPC

In December 2020, the social media company Twitter was fined $544K (€450K) by Ireland’s Data Protection Commission (DPC). The fine was issued for a violation that occurred two years before the ruling. In December 2018, Twitter suffered a data breach that it failed to report to the DPC within 72 hours.

Twitter’s European headquarters is in Ireland. Hence, the Irish DPC, being the lead supervisory authority, took the case.

The European Data Protection Board (EDPB), the authority that oversees all regulatory frameworks in the EU, adopted its first binding decision under Article 65 of the GDPR to decide the penalty for Twitter.

WhatsApp — ~$60 million (estimated) by Irish DPC

Facebook-owned WhatsApp may face a massive fine of up to $60 million (€50 million) for violating the transparency requirement of the GDPR. The judgment comes, once again, from the Irish DPC. WhatsApp failed to inform its users about how it shares the data with Facebook.

The instant messenger app recently updated its privacy policy to disclose its data collection and sharing practices. The update created confusion and concerns about users’ privacy, which made WhatsApp delay the privacy changes.

Google — $120 million by France’s CNIL

The French privacy watchdog, Commission Nationale de l’Informatique et des Libertés (CNIL), levied a fine of $120 million on Google for violating cookie consent requirements under the ePrivacy Directive (the EU Cookie Law). The $120 million fine is a total of $72 million on Google LLC and $48 million on Google Ireland for being jointly responsible.

The CNIL’s judgment was a consequence of three violations by the French website of Google: use of marketing cookies without user consent, inadequate information about these marketing cookies, and a partially defective cookie opt-out mechanism.

The penalty was decided based on the severity of the violation because more than 50 million French users were affected. It does not help Google’s case that the company gained financially, if indirectly, from using the marketing cookies. All these became crucial factors in deciding the fine.

Amazon — $42 million by France’s CNIL

Just like Google, Amazon’s French website also violated cookie consent requirements. The CNIL fined the e-commerce giant $42 million following the findings from its investigation between December 2019 and May 2020. Amazon committed two ePrivacy Directive violations, similar to Google’s: use of advertising cookies without user consent and lack of adequate information about these cookies.

The CNIL’s reason for levying the fine was that these violations affected millions of people in France who use Amazon.

Since the CNIL investigations, the French websites of both Google and Amazon have stopped storing marketing cookies without user consent. However, they still do not inform the users about the purpose of the cookies and that the users can deny consent to them.

Therefore, the CNIL committee ordered the tech giants to inform their users within three months of the ruling. Otherwise, they have to pay a fine of 100,000 euros per day of delay beyond it.

Google — $60 million by France’s CNIL

The CNIL sanction on Google was not the tech giant’s first. On January 21, 2019, the CNIL fined Google $60 million for failing to get valid user consent for targeted advertisements. The CNIL found that Google failed to inform its users before processing their personal data. Another violation was that it failed to prove a legal basis for its processing of the users’ personal data for advertisements, as the consent request for cookies was not specific.

Facebook — $5 billion by the USA’s Federal Trade Commission (FTC)

As mentioned at the beginning, the Facebook-Cambridge Analytica data scandal was nothing less than a shocking exposé of privacy violations in the US.

Cambridge Analytica is a British consulting firm that collected the personal data of millions of Facebook users without their consent. The personal data was originally collected by an app for building the psychological profiles of its users. Cambridge Analytica gathered the data of over 87 million Facebook profiles from the app and used it for analytics for the 2016 US presidential election campaign.

People were outraged, with many calling for a boycott of Facebook; #DeleteFacebook trended on Twitter.

Cambridge Analytica also used the data for Brexit analytics purposes.

The Federal Trade Commission (FTC) of the US issued a whopping fine of $5 billion for the violation.

Following an agreement in October 2018, Facebook decided to pay the UK’s data protection authority £500,000 for its role in the scandal. The social media giant, however, has not accepted any liability.

Facebook — $650 million by a US federal judge

When it comes to violating data privacy, Facebook cannot catch a break.

In January 2020, Facebook lost a $650 million class-action lawsuit for illegally collecting the biometric data of its users. A Chicago attorney alleged that Facebook’s facial recognition technology collected Illinois users’ data without consent for its tag suggestions feature. This is a violation of Illinois’ privacy law.

Just a slap on the wrist?

The big tech companies, like Google and Facebook, are undoubtedly repeat offenders here. And the financial penalties they received are huge, no doubt about that either. However, set against the annual revenue of these companies, the fines barely make a dent in their bank accounts.

Many data protection authorities have come forward alleging that these judgments failed to weigh the severity of the violation. We believe that the intention of the privacy laws should not be just about levying fines on the offenders. However, millions of people’s data have been compromised, and these companies will still get away with paying what seems like pennies to them as fines.

The need for stringent and targeted data privacy provisions

Google, despite facing massive fines for data privacy violations, keeps on growing its market share. Here is how the US ad-tech vendors have performed a few months after the implementation of the GDPR:

[Figure: Impact of GDPR data privacy law on ad-tech vendors. Image source: Cliqz]

It clearly shows how the smaller ad-tech vendors have borne the brunt of the privacy regulation. Google has taken advantage of the situation to expand its market.

While the smaller organizations are struggling and still following the laws, bigger organizations are taking over the market and are yet to take liability for their past violations.

Some of the big techs have issued apologies for their actions and brought in some privacy provisions. However, it is still a matter of debate whether that is enough, seeing how new or repeated violations by them keep emerging. Many of these violations occurred after the implementation of privacy laws like the GDPR. And then, there are always cases where they refuse to take liability despite the evidence.

Take Facebook’s Cambridge Analytica data scandal: the FTC judgment is said to be rushed, and the fine amount is just a small number that lets the social network giant sweep its violations under the rug. And then there is the classic case of shifting its UK users into user agreements with its headquarters in the US. This will make the user data lose the privacy and protection provided under the EU laws. So, instead of coming up with a stronger privacy framework, Facebook decided to play it safe. Google had also shifted its UK user database, following Brexit.

Recently, we have seen Amazon and Google also downplaying the laws of the lands they operate in. Even after the CNIL caught Amazon’s and Google’s French websites violating cookie consent requirements, they still failed to fully comply with the law. The French data protection authority has issued strict orders for the big techs to rectify their mistakes or pay daily fines. However, such disregard for the laws, even after being notified of it, is a matter of concern and requires serious deliberation. After all, these big techs are not above the law.

While it is a welcome insight that the use of trackers has significantly reduced in Europe, it is still a concern that the privacy regulators are far too lenient with infringements committed by the tech giants. Maybe this calls for stronger privacy provisions for these companies.

Smaller companies look up to bigger companies. Hence, the big techs must take liability, provide stronger protection for the personal data of their users, and respect the privacy laws. Getting away with privacy violations by paying the fine every time is not a righteous approach. The users of these big techs also trust them when they decide to share their data. It’s time to protect the user data with the advanced resources they have and lead by example for all those who look up to them.

CookieYes believes in data privacy

At CookieYes, we believe that data privacy matters. That is why our cookie consent solution keeps bringing more privacy-specific features to the table. We strive to put privacy first and build a user-friendly product. Our cookie consent provides several features that make your website compliant with privacy laws like the GDPR, ePrivacy Directive/Regulation, and CCPA, for cookies.

Using CookieYes, you can add a cookie consent banner or popup to your website that will inform the visitors about the cookies used by the site. It also lets you add a reject option for them to deny consent. You can disable non-essential cookie categories and let the visitors selectively opt-in for the cookies.

[Figure: CookieYes cookie consent banner on a website]

You can decide what your website’s consent banner must say or look like.

It automatically blocks third-party cookie scripts, such as Google Analytics, Hotjar, and Facebook pixels, until the users give their consent to use them. That means your website will not load any tracking cookies until the users register their consent via the consent banner.

CookieYes automatically scans your website for cookies and adds them to the cookie list on your website. It will help you to identify the non-essential cookies your website stores on the user device.

Another CookieYes feature that aligns with the privacy laws is the option to record the user consent. The solution logs the user consent registered via the banner and their specific cookie preferences. You can use the scan report for audit purposes if need be.

Since the EU has many countries with different spoken languages, our application supports the auto-translation of the banners in 24 languages. A website may have visitors from all around the world. Therefore, CookieYes allows your website to display the cookie consent banner based on the visitors’ browsing location.

Also, we now offer a free Privacy Policy Generator in the application.

[Figure: Dashboard of the CookieYes cookie consent solution]

So, be it an e-commerce store, portfolio website, or personal blog, CookieYes is the perfect cookie consent management tool for your website. It supports all major content management platforms, such as WordPress, Magento, Shopify, Wix, Weebly, Drupal, Squarespace, Imagepress, Joomla, or even custom-coded websites.

CookieYes products recently hit 1 million users!

Sign up today and be part of the force that fights for data privacy.
