This post relates to Cooley’s Privacy Talks series – a webinar program featuring Cooley practitioners discussing practical guidance and best practices around managing data protection-related issues. Sessions range from the European General Data Protection Regulation (GDPR) to the California Consumer Privacy Act (CCPA) – and all the other new data protection frameworks arising in the US, Asia and Latin America. Sessions will occur on a monthly basis in 2022.
Since the entry into force of the GDPR in May 2018, companies in the European Union and the United States have faced increasing exposure to enforcement actions. Almost four years in, we have the hindsight to interpret the enforcement trends and quantify the risks by sectors, countries, and areas of compliance. Note: The figures mentioned in this post are based on publicly available sources accessed in December 2021.
In the US, the unique patchwork of federal and state privacy and data security laws exposes companies to enforcement from multiple sources. In this post, we focus on recent enforcement actions by the Federal Trade Commission under Section 5 of the FTC Act and the California attorney general’s early enforcement of the CCPA, and highlight upcoming state-level enforcement considerations.
#1: EU: How did enforcement actions evolve since 2018?
Enforcement actions in the EU can result from an arsenal of tools available to data protection authorities (DPAs), such as fines, reprimands and warnings.
- In 2018, few sanctions were issued, with about 600,000 euros in total fines. Many DPAs were kept busy with setting up guidance regarding their own national data protection legislation.
- In 2019, the DPAs started enforcing more forcefully, with fines up to 50 million euros. The number of public sanctions also skyrocketed, from about 19 in 2018 to 152 in 2019.
- In 2020, the number of fines doubled compared to 2019. We observed a plethora of sanctions with high amounts (e.g., more than 35 million euros in Germany for H&M), resulting in a total of about 300 million euros in fines across the EU.
- In 2021, although the number of sanctions remained similar to 2020, the total amount of fines tripled, reaching more than 1 billion euros. This is mainly due to two decisions from DPAs in Luxembourg (more than 700 million euros against Amazon) and Ireland.
#2: EU: Which EU countries are the most active in sanctioning companies?
Considering the total number of fines, Spain and Italy come first. Eastern European countries such as Hungary, Romania and Poland, as well as Norway and Germany, are also top-ranked in terms of number of fines.
However, different trends apply when looking at the most severe DPA actions in terms of total amount of fines. It’s no surprise that Luxembourg and Ireland come first (see their decisions above), followed by Italy, France, Germany and the UK.
The Italian DPA has positioned itself as a particularly vigorous regulator, as reflected in its number and total amount of fines.
#3: EU: Which types of companies are at higher risk?
Companies operating in the broad sector of “industry and commerce” account for more than 50% of fines issued, followed by companies in the “media and telecom,” “transportation and energy” and “employment” sectors.
Some companies on the top 10 list of highest individual fines are also operating in the industry and commerce sector (e.g., Amazon and H&M), the media and telecom sector (e.g., TIM and Wind Tre) and the transportation sector (e.g., British Airways).
#4: EU: Which areas of compliance are the most scrutinized?
Currently, the high-risk areas of compliance are insufficient legal basis for data processing (with an average fine of more than 600,00 euros), insufficient technical and organizational measures to ensure information security (with an average fine of more than 300,000 euros), non-compliance with general data principles, insufficient fulfilment of data subjects’ rights, etc.
There are significant differences between the average and median fines. The median reflects more accurately the typical fine that an organization would get for an infringement. For example, the median fine for insufficient legal basis is more than 12,000 euros, while the median fine for insufficient security measures is more than 30,000 euros.
#5: EU: What are the enforcement trends and points of attention?
The current enforcement trends are as follows:
- Article 5 GDPR, which covers general data principles, is often relied upon by DPAs as a “catch-all” clause to enforce the GDPR.
- More and more class action suits are being initiated.
- The immaterial damages amount is increasing (e.g., moral damages recently awarded in Germany for the benefit of data subjects affected by a data breach).
- The one-stop shop, which was supposed to streamline enforcement procedures for the benefit of a lead DPA, has not yet proven itself to be fully efficient.
To mitigate the risks, pay particular attention to properly managing data breaches and data subjects’ rights, which can be used as a trigger by DPAs for inspections. In addition, remain accountable by documenting your GDPR compliance efforts (e.g., the need for a data protection officer). You should also consider appealing DPA sanctions.
#1: US: What did the FTC’s privacy and data security enforcement look like in 2021?
The US doesn’t have a comprehensive federal privacy or data security law. However, the Federal Trade Commission has broad authority to enforce Section 5 of the FTC Act, which prohibits deceptive or unfair commercial acts or practices, including those related to privacy and security.
In 2021, the FTC announced six privacy or data security settlements – approximately half as many as in 2020. Three of these involved alleged Section 5 violations; the others mainly concerned alleged violations of the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act or the Children’s Online Privacy Protection Act.
The Section 5 cases were brought against: (1) a photo storage and organization app; (2) a fertility tracking app; and (3) a company’s surreptitious phone monitoring apps. These enforcement actions mainly focused on allegedly deceptive conduct. For example, the photo app allegedly deceived consumers about its use of facial recognition technology and the retention of users’ photos where they had deactivated their accounts. The fertility tracking app allegedly shared users’ health information with third-party marketing and analytics companies after promising to keep the information private. The phone monitoring apps allegedly misrepresented their use of reasonable security measures and their investigation into a data security incident. The FTC also considered the sale of the phone monitoring apps to be an unfair practice because the company did not take reasonable steps to ensure that customers used the apps only for legitimate and lawful purposes, and because the apps caused or were likely to cause substantial injury to consumers (for example, as the result of stalking or domestic abuse) that could not be reasonably avoided and was not outweighed by countervailing benefits.
As part of the settlements (including consent orders), both the photo app and fertility tracking app agreed not to misrepresent their privacy practices. The photo app was required to delete improperly collected or retained information as well as any models or algorithms developed using such information, and the fertility tracking app was required to instruct the third parties to delete user health information that it had improperly shared with them. The FTC also required the apps to obtain affirmative user consent for any future use of facial recognition and sharing of health information with third parties, respectively. For the phone monitoring app case, the FTC not only required the company to cease all data collection through the apps, and delete and disable access to previously collected personal information, but also prohibited the company and its founder from ever again selling any software application that can track or monitor a user’s activities on a mobile device. Both the fertility tracking app and the spyware app were required to notify their purchasers and/or users of the FTC settlements as well.
None of the settlements included monetary penalties, consistent with the Supreme Court’s opinion in AMG Capital Management, LLC v. FTC, which drastically limited the FTC’s ability to seek monetary relief, as we described in an April 2021 Cooley alert.
#2: US: How has the FTC described its privacy and data security enforcement priorities for 2022?
In its annual Report to Congress on Privacy and Security in September 2021, the FTC explained its enforcement priorities.
- Integrating consumer protection and competition concerns when addressing problems arising in digital markets.
- Expanding remedies, including by:
- Providing notice to harmed consumers.
- Obtaining monetary remedies for harmed consumers.
- Obtaining non-monetary remedial relief for consumers.
- Not allowing companies to benefit from illegally collected data.
- Focusing on dominant digital platforms, whose data practices will remain an enforcement target.
- Expanding understanding of algorithms,including their implications for consumer protection and competition, and developing guidance on fair and equitable use.
#3: US: What are the most common alleged CCPA violations?
Based on the California attorney general’s first-year enforcement update, the most common alleged CCPA violations are:
- No “do not sell” link or opt-in process for minors.
- Non-compliant consumer request processes.
- Non-compliant service provider contracts.
#4: US: What are some lessons from early CCPA enforcement?
It’s important for companies to:
- Understand that non-compliant privacy policies will make you an easy target.
- Analyze whether your use of third-party cookies and similar trackers for online behavioral advertising purposes triggers the CCPA’s “sale” provisions – and post a “Do Not Sell My Personal Information” link accordingly.
- Document internal processes for responding to CCPA consumer requests to facilitate compliance with the CCPA’s more granular requirements.
- Ensure that your CCPA consumer rights process is easy to find, easy to use, and does not require consumers to provide more information than is necessary.
In addition, don’t forget to develop a written information security policy that, at a minimum, meets the relevant requirements of the Center for Internet Security’s Critical Security Controls. While the CCPA does not itself contain data security requirements, the law provides a private right of action for certain data breaches that result from a business’s failure to implement reasonable security practices.
#5: US: Which new state laws will increase the potential for privacy enforcement in 2023 and beyond?
While many companies are still refining their CCPA compliance programs, the California Privacy Rights Act, which amended the CCPA, will become effective on January 1, 2023, and enforcement will begin six months later. The CCPA will continue to be enforced until the CPRA amendments become effective.
Virginia and Colorado have also passed new comprehensive state privacy laws, both of which take effect next year. Virginia’s Consumer Data Protection Act becomes effective January 1, 2023, while Colorado’s Privacy Act takes effect July 1, 2023.
Companies that collect the personal information of California, Virginia or Colorado residents should assess their obligations under these laws and begin preparations to comply with applicable requirements.
We discuss these new and amended state privacy laws in Privacy Talks Session 4.