Google’s $400m penalty and impact of the 5 heftiest data privacy fines on 2023 ad plans

European regulators are cracking down on violations of the EU’s sweeping General Data Protection Regulation (GDPR) with steeper fines than ever. Meanwhile, the most stringent US privacy law, the California Consumer Privacy Act (CCPA), has just gone into full effect, with beauty retailer Sephora suffering the first penalty in the form of a $1.2m settlement.

Experts expect regulatory crackdown will only intensify from this point. “European regulators collectively imposed record high penalties under the GDPR in 2022,” says Isabelle Roccia, European managing director at the International Association of Privacy Professionals. “We expect substantive GDPR enforcement to continue as European regulators’ focus will intensify on security breaches and compliance with new EU data policy requirements.”

With enforcement heating up – and a flurry of new privacy lawmaking activities – businesses that collect, process, store and trade in consumer data are feeling the pressure.

These are the five biggest data privacy penalties on record thus far – and what they mean for marketers. (It’s worth noting that the settlements of some class action lawsuits may be comparable or higher than some of the following values; these penalties only involve regulatory enforcement.)

1. Didi Global – $1.19bn (2022)

In July of this year, Chinese ride-hailing platform Didi Global was slapped with the biggest-ever privacy penalty. China’s Cyberspace Administration issued the fine after determining that the company’s practices violated the country’s network security law, data security law and personal information protection law. The government also fined two individual company leaders about $140,000 each.

The decision came on the heels of a year-long investigation, after the government suspected Didi Global to be in breach of privacy and security laws. The company accepted the punishment.

2. Amazon – $877m (2021)

In July of 2021, European regulators in Luxembourg fined Amazon Europe a whopping $877m fine for data breaches and failing to comply with general data processing principles under GDPR. Officials also tasked Amazon with unspecified ‘practice revisions.’

The fine is especially steep – it was the first GDPR penalty of its caliber, and came at a time when many privacy advocates had grown weary of lax and ineffective enforcement. The reasons for the number may be multifold, experts say. “Each major privacy law has a different methodology for determining fines, but the underlying theme is that the more ‘serious’ the infringement, the worse the penalty,” says Andrew Clearwater, chief trust officer at privacy and compliance firm OneTrust.

“Most major laws take into account the potential negative impact on the data subject, as well as a company’s negligence or knowingly continuing with non-compliance even after being notified,” he says. Other considerations may include the nature, scope and duration of the violation and types of consumer data affected (such as sensitive information like health and financial data), as well as the degree of negligence involved.

For the GDPR, the starting fine is calculated as a percentage of the maximum possible fine, and may be either: the higher of €10m or 2% of the undertaking’s annual turnover; or the higher of €20m or 4% of the undertaking’s annual turnover. Which route is taken depends on the specific violations.

Some details of Amazon’s case – and of the initial complaint, which, filed on behalf of 10,000 people, asserted that the company’s advertising system isn’t rooted in ‘free consent’ – remain unclear.

Amazon, however, snapped back. In October of last year, the company appealed the fine. In a statement it denied that any data breach had happened. The appeal has not yet reached European courts.

3. Equifax – $575m (2019)

Credit bureau Equifax in 2017 compromised the personal information of some 150 million consumers when it failed to effectively patch a database vulnerability. As a result, the company agreed to pay a $575m fine – which could rise as high as $700m – in a settlement with the US Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB) and all 50 US states. A whopping $300m of the total sum was set aside for a fund to provide affected consumers with credit monitoring services, with another $125m to be added if the payouts didn’t sufficiently compensate consumers. Equifax also agreed to be subject to routine third-party security audits.

The decision came after the company had already been hit with a roughly $625,000 fine in the UK for violating the country’s GDPR predecessor law, the Data Protection Act of 1998.

At the time of the decision in 2019, FTC chairman Joe Simons said: “Companies that profit from personal information have an extra responsibility to protect and secure that data. Equifax failed to take basic steps that may have prevented the breach.”

In 2020, Equifax was still not done paying up for its wrongdoings. It closed a handful of smaller settlements with financial institutions and US states Massachusetts and Indiana to atone for the same 2017 breach.

4. Instagram – $403m (2022)

Instagram in September was hit with a $403m fine from Ireland’s Data Protection Commissioner for violating children’s privacy protections outlined in the GDPR. The complaint centered on a long-standing platform issue that made publicly available the phone numbers and email addresses of young users when they upgraded to business or creator accounts (possibly in order to see account analytics features such as profile views and post engagement).

The decision came after an investigation was launched in 2020, the goal of which was to assess how the social platform handles data belonging to users between the ages of 13 and 17. Instagram cooperated with the Irish regulatory body throughout the investigation.

However, the company disagrees with how the fine was calculated and said that the final decision was made after the platform’s privacy and security settings had already been updated. “This inquiry focused on old settings that we updated over a year ago, and we’ve since released many new features to help keep teens safe and their information private,” a Meta spokesperson said.

To many media and adland players, the decision added fuel to a growing data privacy fire. It came just weeks after the California Attorney General’s office issued its first enforcement action on the GDPR-like California Consumer Privacy Act against Sephora. Around the same time, the FTC was kicking off a new rulemaking process with a focus on cracking down on “lax data security practices.”

“While all of these events aren’t coordinated or causal, they are certainly correlated – a function of many years building up to a moment where these regulations have teeth, and the market has a desire to see them used to protect consumers,” Cory Munchbach, president and chief operating officer at customer data platform BlueConic, told The Drum at the time.

5. Google – $391.5m (2022)

Just this week, Google has agreed to a $391.5m settlement over allegations by 40 US states that the tech titan illegally tracked users’ locations. On top of paying the fine, Google is also required to be more forthcoming and transparent when it comes to tracking users’ location and provide more detailed information about location-tracking data on a dedicated web page. The decision came after an investigation led by state attorneys was opened in 2018.

“When consumers make the decision to not share location data on their devices, they should be able to trust that a company will no longer track their every move,” said Iowa Attorney General Tom Miller in a statement on Monday. “This settlement makes it clear that companies must be transparent in how they track customers and abide by state and federal privacy laws.”

The company said in a blog post published Monday that it would focus on “making updates in the coming months to provide even greater controls and transparency over location data.”

Reports suggest that, in particular, the company will develop easier ways for users to delete their location data. New users will gain access to tools that can facilitate the automated deletion of certain personal data after a given time period.

The penalty adds to a wave of recent data privacy allegations against Google. Last month, Arizona settled a similar case with Google for $85m, and a handful of states including Texas, Washington state, Indiana and Washington DC sued the search giant for ‘deceptive’ location-tracking behaviors.

For the media ecosystem, the writing is on the wall

The majority of the biggest-ever fines for data privacy and security violations have come in the last two years alone. Enforcement crackdown is reaching a fever pitch; for adtech companies and publishers – especially those with a lot to lose, like Meta, whose advertising business is already under threat thanks to Apple’s iOS privacy changes – there is not much room for error.

Not only do media players face financial threat; they also risk losing trust, and ultimately creating an unsuitable brand environment for the advertisers whose dollars they so heavily rely on. Meta in particular is a focus. Besides the recent $403m Instagram penalty, the tech behemoth’s messaging platform WhatsApp was charged $255m last year for violating GDPR rules about transparency (a decision it appealed). “[These penalties come] at a time when the entire business model of Meta is being attacked from all fronts, with threats to privacy rife throughout Meta’s platforms,” Paul Coggins, chief executive officer at mobile advertising platform Adludio, told The Drum in September. “[There’s a] belief that social media channels are the wrong environment for advertisers. Soon, they will begin to pull ads if these environments continue to be unsafe.”

Other top publishers, such as Google and TikTok, are surely on edge too. They know the tide is rising.

“As enforcement momentum continues, and regulatory expectations continue to be clarified, we are likely to see increased fines, particularly where prior enforcement renders it such that companies should have known that their act or omission was a violation,” says Arielle Garcia, chief privacy officer at advertising agency UM Worldwide.

Experts predict that, as GDPR enforcement becomes more serious, so too will US enforcement. California regulators have issued their first round of enforcement actions, spooking publishers and advertisers alike. The CCPA’s private right to action – which enables individual citizens to sue organizations for violating their data rights – introduces a new minefield for companies that collect, process, store, use and trade consumer data.

Plus, with five new state-level privacy laws slated to go into effect in 2023 and a federal bill being considered in Congress, organizations using US consumer data are surely preparing for a more stringent regulatory environment.

OneTrust’s Clearwater predicts that it will be no small change. “As we continue to see more privacy legislation, there will be huge changes in how companies design and drive privacy programs that encompass laws across numerous geographies. With this, enforcement will continue,” he says.

But he suggests that companies should avoid seeing compliance as a necessary evil for avoiding fines and “reframe” it as “a way to drive trust with customers, employees, partners and stakeholders.” He goes on to say: “Privacy is a key pillar of trust, and the reputational damage associated with enforcement can often be more impactful in eroding consumer trust than fines.”

And Clearwater may be right: a recent Cisco study suggests that a majority of people believe that how an organization handles personal data reflects how it views and respects its customers.

Ultimately, if publishers put true privacy and security at the heart of their operations, they’re likely to nourish valuable advertiser relationships and buoy their own business success.

If they fail, they risk losing it all.

For more on how the world of data-driven advertising and marketing is evolving, check out our latest Deep Dive.