There are lessons in Europe’s GDPR enforcement for American companies seeking to comply with new privacy laws like the California Consumer Privacy Act (CCPA). Since taking effect in May 2018, Europe’s sweeping privacy law, the General Data Protection Regulation (GDPR), has seen over 800 fines issued across the European Economic Area and the U.K.
GDPR enforcement began slowly, but has picked up considerable momentum. Between July 18, 2020, and July 18, 2021, both the size and the quantity of fines increased. Data acquired by Finbold indicates that the cumulative number of GDPR violations surged 113.5% over the 12 months between July 2020 and July 2021. Last year, the number of fines was 332, rising to 709 in 2021. Over the same period, the total amount of fines imposed by EU regulators for those violations spiked 124.92%. In July last year, the cumulative fines stood at €130.69 million, growing to €293.96 million.
In late 2020, France also fined Amazon €35 million after the tech giant allegedly failed to offer cookie consent on its website. American businesses may see a connection here, as cookies recently emerged as a flashpoint in CCPA enforcement, with California AG Rob Bonta claiming that cookies constitute personal information under CCPA.
Marriott also received a stinging €20.4 million ($23.8 million) fine for compromising 383 million guest records (30 million EU residents) when the hotel chain’s guest reservation database was breached. Personal data such as guests’ names, addresses, passport numbers, and payment card information was exposed. As Tessian reports, the hack originated in Starwood Group’s reservation system in 2014. While Marriott acquired Starwood in 2016, the hack wasn’t detected until September 2018.
Explaining the Rise in GDPR Fines and Enforcement
So why the increase in fines and enforcement activity for GDPR? First, consumers are becoming more comfortable exercising their rights under GDPR, which means that more consumers are reporting breaches to regulators. Second, ransomware attacks and data hacks have become more prominent in the news, bringing more public attention to the data breaches that impact large numbers of consumers. Third, European regulators are becoming better at detecting violations involving personal information, and as a result they are more willing to flex their regulatory muscles.
Thus far, big tech and telecom companies have been a key focus of GDPR enforcement. This is a feature, not a bug, as both the tech and telecom sectors are dominated by a small number of very large companies that are highly data-driven and perform extensive data processing. Because customers are concentrated among a small number of companies in these sectors (some of them arguably monopolies), the lack of competition in the marketplace leads companies to be complacent about compliance, since customers have little choice in their service providers.
What GDPR Enforcement Suggests for CCPA
If the trend in GDPR fines holds clues for the CCPA, it suggests that California will continue its current trajectory of stepping up enforcement, which will almost certainly result in increased fines.
In July, the California Attorney General’s office released a first-year report on enforcement activity, showing a clear increase in the number of enforcement actions undertaken by the AG. As illustrated by these cases, California’s CCPA enforcement efforts show a preference for an expansive reading of the consumer private right of action and of the definition of a “sale” of data. That can only spell trouble for businesses that fail to adapt to the evolving regulatory environment in California. If this trend in CCPA enforcement continues, more fines and larger fines will not be far behind.