Costs Of Non-Compliance With Privacy Laws

Consumer privacy is such an important part of business. If you conduct business online, you might be wondering about the potential penalties and costs that come with non-compliance with the various privacy laws and legislation.

This article aims to answer those questions by detailing the key privacy laws you must be aware of, as well as the range of penalties for each of them.

COPPA

The Children's Online Privacy Protection Act (COPPA) is a federal law of the United States (US) that came about in the early 2000s. The purpose of COPPA is to ensure the privacy and security of any personal information collected online from persons under the age of 13.

COPPA is enforced by the Federal Trade Commission (FTC), who has the authority and responsibility to uphold the rules of COPPA.

The online collection of personal information can be a difficult and blurry field to navigate, especially for business owners. And when it comes to those businesses that cater to younger children, it can be even more so.

If your company, product and/or service is marketed towards children who are under 13 years old and located in the US, you will need to know how to abide by COPPA guidelines as well as what's at stake if you fail to meet them.

While COPPA applies only to US children under 13 years old, if you're based in the US then it's expected that you provide the same levels of protection and security to under 13's all around the world.

The main purpose of COPPA is to gain parental consent before the collection, usage, disclosure, tracking and/or sharing of a minor's private information.

It also applies to any third party services and plugins your website might be using.

COPPA regulations include:

• Posting a clear and conspicuous link to your Privacy Policy on your website or within your app.
• A notice to parents that requests their consent before you collect any information from the child.
• Parents must be given the choice to consent or deny sharing of their child's information with any third parties.
• If any changes occur within the data collection practices of the company, a notice must be sent to all parents, with the aim to receive new consent.
• A parent must be able to request access to the kinds of personal information collected from children, as well as be able to revoke their consent and request deletion of all personal information that has been previously collected.

Violating COPPA used to carry a maximum civil penalty of $16,000 USD, however, this changed on the 30th of June 2016, when the FTC increased that maximum amount to $40,000 USD.

To truly understand the potentially monumental impact of these fines, consider it like this: if your website or app is found to have violated COPPA by collecting personal information of just ten children, you could face fines totaling a whopping $400,000.

And even some of the biggest companies that cater to children have been stung, facing fines of similar amounts.

For example, in 2016, Hasbro, Mattel, JumpStart Games and Viacom were fined for failing to meet the standards and violating COPPA.

The companies were found to have allowed their websites to use tracking cookies for advertising purposes, which was deemed to be a direct violation of COPPA law.

Though ad tracking is hugely popular on many websites around the world, their usage is forbidden for any site that is aimed at children under 13 years old.

The fines for the companies were quite steep, with Viacom paying $500,000, Mattel paying $250,000 and JumpStart paying $85,000. Hasbro was not required to pay a fine due to its inclusion in an online privacy program that the FTC had approved, yet still suffered some issues.

The companies were also required to withdraw any third-party tracking and sign an agreement that said they would regularly scan their websites to ensure any data collection practices were legally compliant.

Even more recently, Disney was sued in 2017 for allegedly violating COPPA laws by collecting personal information from underage users of a number of Disney apps and sharing that data with advertisers, all without consent from the parents.

It's extremely important to ensure all your company websites and/or mobile apps are up to date with the regulations.

Visit the FTC website for more detailed information on the rules and guidelines of COPPA.

CalOPPA

The California Online Privacy Protection Act (CalOPPA) is the main piece of privacy legislation that oversees data collection in the United States.

CalOPPA came into effect back in July of 2004. It's directed towards owners of commercial websites that gather personal information from their users and contains one main requirement: the inclusion of a conspicuous link to the Privacy Policy on websites.

CalOPPA aims to protect those who live in California, so even if you're based elsewhere in the world, if there's the possibility that you will cater to California residents and collect their personal information, you're required to abide by CalOPPA.

As defined by CalOPPA, personal information can be any of the following:

• First and last names
• Home and/or business addresses
• Email addresses
• Home and mobile phone numbers
• Social Security numbers
• Geolocation information
• Credit card and other payment details

CalOPPA also includes a Do Not Track (DNT) disclosure requirement.

The DNT disclosure applies to the option that web browsers like Google Chrome, Firefox and Safari offer to their users. This option allows them to send a notification to the websites they visit, to request that their online activity and behavior is not tracked.

When you respond to the DNT, there are two main actions you can take as a business. When a user opts for the Do Not Track preference on their browser, you technically don't have to do anything. This is why it's called a request rather than a demand.

The other action is to abide by the request and stop any tracking software being loaded onto their device.

Regardless of your chosen response to DNT requests, the most important thing you have to do is address your intended response in your Privacy Policy. Doing this, whether you decide to honor DNT requests or not, is the best way to ensure compliance with CalOPPA.

A great example of how companies can address their response to DNT requests can be found at Medium.

Though CalOPPA is a state law that is more a set of general guidelines with no specific applications to industries such as healthcare, it's still an important aspect of data privacy that should be carefully implemented into your business.

As such, there are several clauses that should be included within your Privacy Policy in order to make sure it's compliant. These are:

• A clause that describes the style of personal information you aim to collect, the purpose behind this collection, and any third parties you intend on sharing that information with.
• A clause that informs users about how they can change and/or delete the information they've previously provided to your website.
• A clause that mentions how you intend on letting users know about any changes to your Privacy Policy.
• A clause that details how you intend on responding to any Do Not Track requests you receive from users.
• A clause that clearly states the most recent effective date of the Privacy Policy.

CalOPPA guidelines apply to everything from websites and Software-as-a-Service programs to mobile and even Facebook apps. So no matter what platform you're running your company through, you're required to provide a conspicuous link to your Privacy Policy on the homepage.

Violations of CalOPPA fall under the California Unfair Competition Law (UCL), which aims to keep track of any business that might be practicing in a way that is seen as unfair, unlawful or fraudulent.

According to the UCL, any violations that do occur can receive a penalty of $2,500 USD per violation. While that might not sound like too much, note that this is per violation, which means that every time someone has visited your site or application while you were deemed non-compliant, that counts as one violation - and could end up being quite costly to your business.

A well-known violation that speaks of the magnitude of such fines is the lawsuit against Delta Airlines that occurred in 2016. California's Attorney General (AG) claimed that the airline was in direct violation of CalOPPA due to its failure to post a conspicuous Privacy Policy.

The AG also alleged that Delta Airlines was collecting personal information from its users without letting them know about the collection, the purpose of the collection, or whether the information collected was shared with any third-parties.

While the case was dismissed due to unrelated reasons, it served as a wake-up call to many companies that were unaware of the risks that came with non-compliance of CalOPPA.

So it's within yours and your company's best interests to make sure you have all the various aspects of CalOPPA covered, and continue to check your compliance as time goes on in the event that any new stipulations are introduced.

GDPR

The General Data Protection Regulation (GDPR) is fairly new legislation that was created by the European Union (EU) in order to protect the privacy and privacy rights of its citizens.

It was designed to replace the Data Protection Directive of 1995, which had aged substantially over the decades and was deemed ineffective when it came to modern data protection.

The premise of the GDPR is based on the belief that individuals should have constant, unwavering security over their data sharing and online activity.

There are several new additions to the GDPR when compared to its predecessor, but they can be narrowed down to three main areas:

1. A wider territorial scope that now impacts businesses across the globe
2. The necessity of requesting and receiving explicit user consent before any data collection occurs
3. Stricter fines implemented on those who are found to be in violation of the legislation

There are two tiers of fines that have been imposed by the GDPR. These are described in Article 83 and are as follows:

Violations in the first tier can come with administrative fines of up to 10,000,000 EUR, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Violations in the second tier can come with administrative fines of up to 20,000,000 EUR or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

There are several factors that come into play when fines are handed down, and they're considered to be circumstantial to each individual case. These factors can be found in Article 83 and are as follows:

• The nature, gravity and duration of the infringement and the number of data subjects affected, as well as the nature, scope or purpose of the processing that led to the infringement
• Any intentional or negligent aspects of the infringement
• Any actions taken to mitigate the damage suffered by data subjects because of the breach
• Which party is more responsible due to technical and organizational measures implemented
• Any previous infringements by any parties involved
• How cooperative the involved parties are in order to remedy the infringement and mitigate any potential adverse effects of it
• Which categories of personal data are affected by the infringement
• Whether the authorities were notified appropriately
• Past compliance measures taken during any past breaches
• How much the involved parties adhere to approved codes of conduct or certification mechanisms
• Any other relevant aggravating or mitigating factors that should be considered, including losses avoided or financial benefits gained from the infringement

If your company is found to be non-compliant for any of the above, you will likely have the chance to decrease the total amount of fines handed down if you attempt to alleviate "the damaging nature, gravity and duration of the violation."

This can be done by reporting any data breach as soon as it's realized and cooperating entirely with the authorities to fix things.

Regardless, failing to comply with the GDPR can end up costing your company a lot of money. In 2016, a British telecommunications company, TalkTalk, was fined £400,000 GBP for failing to protect customers from data hackers.

As a comparison, while this is still a substantial amount, if this fine had been handed down under the GDPR, it would've reached a massive £59 million GBP instead.

As such, it's important to ensure your organization is compliant with the GDPR before the May deadline. A great starting point is the Key Issues list found on the GDPR information site.

EU Cookies Directive

The EU Cookies Directive is a piece of legislation that was added to the E-Privacy Directive in 2009. The basic idea behind it is that companies now need to obtain user consent prior to placing cookies onto their devices (like their computer, laptop or smartphone).

All websites owned in the EU or targeted towards EU citizens are expected to comply with this directive.

A cookie is a small computer file that is downloaded to a user's browser when they access websites. They carry helpful pieces of information that can provide a better browsing experience for users.

While cookies are relatively harmless and extremely useful for companies, there are still a few risks associated with using them, such as fraud and invasion of privacy.

These potential risks are the main reason why the EU Cookies Directive is so important; it aims to minimize such risks and provide better security for all users.

The penalties for violating the EU Cookies Directive are monetary fines that can reach a total maximum amount of £500,000 GBP (approximately $665,000 USD at time of writing). This amount is given in the case of a deliberate breach that brings about substantial distress to the data subject.

Smaller penalties include notices of information and/or enforcement being sent to the companies that dictate any breach or violation that is occurring.

One of the largest fines that has been handed down was to NPO, a Dutch public broadcaster when in 2014 it was given a fine of 25,000 Euros (approximately $29,000 USD at the time of this article).

This fine was given due to NPO's failure to implement an adequate consent mechanism on its website regarding its use of cookies, meaning users weren't given the opportunity to provide valid consent to being tracked.

If you fall under the scope of the Cookies Directive, make sure you implement a cookie consent solution to avoid breaking the law.

PIPEDA

The Personal Information Protection and Electronic Documents Act (PIPEDA for short) is a Canadian data privacy law that relates to how private sector organizations gather, use and share the personal information they collect during the course of their business practices.

PIPEDA came into effect in 2000, and its aim was to encourage trust between consumer and company in the e-commerce section.

Canada implemented this law in order to provide assurance to the European Union (EU) that Canada's privacy laws were similarly adequate to the EU's, and were able to uphold and protect the personal information of EU citizens.

PIPEDA aims to give individuals the right to the following:

• The knowledge behind why an organization is collecting, using and disclosing their personal information
• The expectation that an organization will collect their information for an appropriate reason, and won't be using it for any way other than specified
• Contact details for the person in the organization who is in charge of protecting their personal information, as well as who they can complain to if they have any queries or issues
• The expectation that an organization will use appropriate security measures to protect their information
• Access to any of the personal information a user has shared with the organization, as well as the assurance that this information will be accurate and up to date

And as an organization, you are required to do the following:

• Get explicit consent from each user before you collect and use any of their personal information.
• Provide a user with your product or service even if they don't give you consent to collect their information.
• Ensure any collection of information is done in a fair and lawful manner.
• Have company policies that relate to personal information, and ensure these policies are clear, easy to understand and available to anyone.

PIPEDA is a relatively easy piece of legislation to follow, but the fines for not doing so are quite steep. If an organization is found to be knowingly in breach of PIPEDA requirements, they can be fined up to $100,000 for each violation.

In conclusion, as a business owner and/or website operator, it's important for you to be up to date with the latest pieces of legislation that pertain to data privacy, as well as any amendments that occur, because failure to do so can make a huge dent in your company's bottom line.

The main legislations most companies across the world will need to be concerned with are COPPA, CalOPPA, GDPR, EU Cookies Directive and PIPEDA. So consider compliance with these legislations to be an investment in your business' better future, and start focusing on yours today.

The best place to start with global compliance with privacy laws is to create a Privacy Policy and make it accessible on your website and any mobile apps you may run.