How Regulatory Fines Became the New Normal in 2019

2019 was a landmark year for regulation in technology. We celebrated the one year anniversary of EU-based GDPR in May, the approval of the California Consumer Privacy Act (CCPA) in October (which will officially go into effect on Jan 1, 2020), and saw the emergence of several global regulatory watchdogs. All culminating in a record-breaking number of regulatory infringement fines for tech companies who failed to prioritize the rights and privacy of consumers in 2019. And the bad news is, if companies don’t begin to get serious about privacy and data security issues in 2020, that number is only going to go up. 

A Timeline of Unfortunate Events 

The regulatory year started off with a bang, when in January, the French data protection authority (CNIL) announced it was fining Google nearly $57 million, for failing to properly disclose to users how their data was being collected across Google’s services. At the time, the penalty marked the largest privacy violation to date under GDPR, appearing only seven months after the law had gone into effect.

In March, Google faced regulation violations yet again, this time a $1.7 billion fine on charges that Google’s advertising practices violated antitrust laws in Europe. European watchdogs noted that Google had violated antitrust rules by imposing unfair terms on companies that used its search bar on their websites in the region.

Then came July, a busy month for privacy regulators. Facebook faced a record-breaking $5 billion fine as part of a settlement with the FTC – the largest penalty ever imposed on a company for violating consumers’ privacy rights. As a part of its settlement with the FTC, Facebook also agreed to adopt new protections for the data users share on the network. Around the same time, Facebook separately agreed to pay $100 million to settle data misuse charges brought on by the SEC. Talk about a rough 30 days. 

Additionally, British Airways faced a $230 million GDPR fine for its 2018 data breach which affected 500,000 customers. And similarly, Marriott was slapped with a $123 million fine for its data breach in 2018 which saw 383 million guest records and 18.5 million encrypted passport numbers stolen. Later in July, Equifax agreed to pay $575 million as a part of a global settlement with the FTC, following the credit reporting company data breach in 2017. The breach affected approximately 147 million people due to Equifax’s failure to take necessary precautions to secure its network. 

Finally, in September, Google-owned YouTube was fined $170 million by the FTC to settle accusations that the platform had illegally collected personal information about children without their parents’ consent. The settlement required Google and YouTube to pay $136 million to the FTC and $34 million to New York for allegedly violating the Children’s Online Privacy Protection Act (COPPA) Rule.

Less Than Fine

As technology and tech giants have continued to advance and expand at an unprecedented scale, we witnessed a critical third party enter into the business/consumer interaction in 2019 – the regulators. Established not only to prioritize the rights of the consumers’ but also to manage the reach of tech giants, 2019 was the year that global regulators and watchdogs established themselves as protectors of the people, defenders of data democracy, and as forces to be reckoned with in the tech world. 

So what will 2020 hold for all three parties? No one can be quite certain yet. But what we can expect is that the watchdogs will continue to advocate for transparent data management practices, honest and timely breach disclosures, and increased data privacy regulation, whether tech companies decide to comply or not. We can expect that the CCPA will mark only the start of data privacy legislation in the US, and that the rest of the world will likely begin to follow along the path GDPR has set by adopting legislation of their own. Countries like Brazil, Australia, Japan, South Korea, and Thailand are already doing so.