US companies face hefty fines for GDPR violations

US companies pushing the limits of digital privacy may face heft fines from the European Union (EU).

EU companies are required by the General Data Privacy Regulations (GDPR) to give users a choice over how data is collected and used. The choice can be made by clicking on the bottom banner and turning off cookies settings. In 2021, many US websites offered one choice effectively saying, “Give us your data or go away.” Thanks to largely toothless data privacy laws in states like California and New York, this is acceptable to the letter of the US law but violates the spirit.
However, even if the user clicks “Accept” those companies are in trouble, according to the Data Protection Commission in Ireland,

A spokesperson for the commission said, “Article 5(3) of the ePrivacy Directive states that the storing of information, or the gaining access to information already stored of a user is only allowed on condition that the subscriber or user concerned has given consent.” She said there are exceptions for site maintenance but none for social tracking, third-party advertising, or first-party analytics. Users must have the opportunity to explicitly approve that type of data collection and sharing, under the GDPR.

Hefty fines

Companies violating those restrictions can face fines of up to 4 per cent of their annual revenues for each violation. Google, British Airways, H&M and Marriott all received fines in excess of €10,000,000 ($12,500,000) for GDPR violations.

US companies followed the requirements for the first year after the GDPR came into force in 2020. That changed last year when the dichotomy between new US privacy laws and the GDPR became apparent.

While the EU requires companies to prove they have permission to collect data, or opt-in, the US laws are, universally, “opt-out”,
There lies the rub. A global consumer survey from Axway found:

  • 90% of more than 5,000 respondents wish they knew what data companies collect about them
  • 85% are concerned that their online data may not be secure
  • 76% admit to not knowing how their data is managed in the cloud.

But the US laws force users to send separate written demands to each company to get that information and stop data collection. This requirement has proven so difficult that users just don’t bother. In 2020 there was a flood of requests that eventually trickled to almost nothing. In fact, Linkedin reported receiving only two requests in two years.

Onus on user

The California Consumer Privacy Act (CCPA) makes it even easier for data collectors by limiting what websites are affected. Companies must have annual gross revenues exceeding $25 million; sell, buy, receive or share the personal information of 50,000 or more California consumers; or derive 50% or more of annual revenue from selling personal information.

None of those exceptions exists for companies doing business with residents in the EU.

Some US companies make it even harder by requiring not just written documentation, but notarized proof of residence.

There are organizations dedicated to protecting consumer privacy, including Common Sense Media, which co-authored the CCPA initiative. The organization worked with the California legislature to amend the CCPA requiring an opt-in for users 16 years old and under. Their website,, helps individuals make companies to identify and destroy any personal information the companies might collect. However, the site will direct you to specific company websites where the options are limited. For example, Lyft allows deletion of personal information but also deletes your subscription so you can’t use the service. There is no option to see what data they’re collecting, nor an option to say they can’t sell your data. So while the site makes it easier to deal with the companies, it does not make it easy.

Related:   Web Scraping: A Critical Tool For Threat Intelligence

According to Consumer Reports, 62 per cent of users either didn’t know whether their opt-out request was successful. Only 18 per cent of users report receiving a confirmation that their data would not be sold in the future.

Ignorance is the excuse

The problem in US laws is just a basic ignorance of what needs doing. It is virtually impossible to find a solon at any level of US government that understands how the internet works, as evidenced by US Congressional hearings with tech giant CEOs. That ignorance is fed by the constant lobbying of the legislators by the same companies.

“The CCPA, has been the subject of a sustained, effective lobbying campaign that has been very successful,” said Paul Smith, country manager for Sweeft Digital in the United Kingdom. “The companies won successful exceptions and exclusions. There’s no prohibition for certain purposes to which consumer information will be put. There’s no banning of targeting profiles, screening or sale of information data brokers.”

Sweeft Digital is an agency that helps companies build and grow digital platforms. Part of their work is ensuring companies conform to the highest digital privacy standards so as not to run afoul of stringent government regulations. Smith said the US versions of these laws are largely toothless.

Toothless laws

“On the whole CCPA is ambiguous. We have very, very clear and explicit rules and regulations here in the UK, and particularly in Europe,” he explained adding that In the US, that ambiguity allows many different inferences as to what and is not allowed.
Smith was specifically concerned with the collection of biometric data. The laws in the US, UK and EU call out biometrics in their texts, but the US opt-out provisions allow companies to collect that data at will until the user formally says, “NO!”

Smith said that until the ambiguities in the laws are addressed, users must take their data protection into their own hands. “We’ve got this wonderful thing called Google. The whole world is there to educate yourself. Empower yourself and don’t trust or depend upon somebody else to do it for you. Because guess what? They’re gonna let you down.”

Lou Covey

Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors, avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.

One thought on “US companies face hefty fines for GDPR violations

Leave a Reply

Your email address will not be published. Required fields are marked *