In November, Google reached a $392 million settlement agreement with 40 US states regarding location tracking. Later that same month, Ireland’s Data Protection Commission fined Meta $275 million for breaking the European Union’s General Data Protection Regulation (GDPR). These hefty fines are the latest in a series of regulatory actions against tech giants, shining a brighter light on data security and its future.
Google’s settlement in the US relates to allegations that the company continued to track consumers through their devices despite location tracking being turned off. A group of 40 US Attorneys General collaborated to carry out the investigation, leading to the largest-ever privacy settlement in the country.
The settlement was led by Oregon AG Ellen Rosenblum and Nebraska AG Doug Peterson. Alexandra Vesalga, a privacy attorney and founder of consulting firm AV Privacy, points out that this kind of collaboration is likely to be a trend going forward.
“We will likely continue to see regulators collaborating on larger enforcements. We saw this earlier this year when the UK and Australia’s privacy enforcement bodies worked together on an investigation and enforcement against Clearview AI. Like everyone, regulators are tight on resources, and combined enforcements give them more resources and stronger bargaining power,” Vesalga says.
Data Leak of Personal Information
Meta’s $275 million fine relates to a data leak that led to the publication of personal information of 500 million Facebook users. In September, the company was also hit with a $400 million fine for violating GDPR through its mishandling of minors’ data on Instagram. The company plans to appeal this fine. It also announced updates to Facebook and Instagram to protect the privacy of teen users.
Following the announcement of Google’s $392 million settlement, the company published a blog post promising more transparency in regard to using location data.
“Since the settlement terms include Google's promise to now be more forthcoming about the location data it collects, it’s clear that collecting (and inevitably monetizing) location data won’t stop,” says Sharon Polsky, president and CEO of privacy and data protection company AMINA and president of the nonprofit Privacy and Access Council of Canada.
The multimillion-dollar fines are piling up, and the numbers may seem eye-watering, but how much impact will they ultimately have on companies that make billions in profit?
“Will settlement always be an option for companies and will this settlement result in tangible changes to Google policies and practices, or will it be considered a cost of doing business?” asks Tom Cope, CISO of data protection solutions company Next DLP.
If settlement is an option, and companies can afford the fines, data privacy violations may continue to make headlines. “The hope would be that these fines would deter other companies from violating consumer privacy in the future, but cynically, I suspect many companies will simply try harder not to get caught,” says Todd Kartchner, chief privacy officer of business law firm Fennemore.
Size Doesn't Matter
Behemoth companies with the wherewithal to pay these large fines aren’t the only ones subject to data privacy regulations. “Big tech companies make for big headlines, but there are more smaller companies struggling to comply with the myriad privacy and access-to-information laws,” according to Polsky.
The large fines that make headlines do call more attention to data privacy, and Polsky expects investigations and fines involving organizations of all sizes to increase.
Five US states have comprehensive consumer data privacy laws, and all 50 states have Unfair and Deceptive Acts and Practices laws, which can be used to protect online information, according to the National Conference of State Legislatures. Data privacy legislation, the American Data Privacy and Protection Act (ADPPA), is also being considered at the federal level.
“Many states have recently passed or proposed comprehensive privacy laws, and a federal bill has been considered. Nonetheless, the subject matter is complex and there are competing interests, which means things move slowly,” says Vesalga.
Polsky highlights the EU’s GDPR, California’s Consumer Privacy Protect Act, Illinois’ Biometric Privacy Act, and Australia’s newly strengthened privacy law as examples of laws that give regulators greater authority, but she hopes to see a fundamental shift in how new legislation addresses data privacy.
“Real and lasting change will require a new legislative perspective that is preventive, not reactive,” she explains.
The Google settlement and Meta fine pull the curtain back on how companies are mishandling data, but the breach of regulations has already occurred. “The big issue with privacy legislation is no one knows there is a privacy issue until it lands in the news. A few lines of code and anyone can collect a massive amount of personal information if their app is popular enough,” Cope argues.
Many companies, like Google, take an “opt-out” approach to location tracking and use of personal data. In contrast, GDPR regulations advocate for an “opt-in” approach, encouraging companies to allow “freely given” consent.
Polsky wants to see that approach to consumer consent become the norm. “Consent needs to be opt-in instead of opt-out, and privacy policies should be required to be brief, unambiguous, and clearly detailed -- and required to allow us to agree to only certain things, not all-or-nothing,” she expounds. “That novel approach would enable each person to make a fully informed choice and be in control of what’s collected about them and how it could be used.”