Happy Data Privacy Day everyone!
2018 has been a turbulent year when it comes to consumer data privacy: GDPR came into force, and firms made efforts to comply with the regulation. However, research by iWelcome revealed that European firms had difficulty implementing the changes needed to comply with the regulation: 33.7% were still non-compliant with the GDPR in most areas after the regulation came into force in May. We saw the first GDPR fines, and significantly large data breaches occurred. But what is the state of play in January 2019?
1. Google gets fined
Google had it coming, but kudos to French data regulator CNIL for imposing a tremendous fine of €50 million for a lack of transparency and valid consent.
According to CNIL, Google did not obtain clear consent to process consumer data, because “essential information” was “disseminated across several documents”. Additionally, the information is sometimes only accessible after up to 5 or 6 steps. These practices are highly non-compliant with the transparency principle of the GDPR, since users are not fully aware of the extent of the processing operations carried out by Google. On top of that, the option to personalise ads was pre-ticked when creating an account, which contradicts the GDPR, and consent should have been specified for each purpose of processing data.
2. No excuses for small-sized companies: lower fines in motion as well
Not only large companies like Google suffer from GDPR fines: a small business in Germany called Kolibri Image has been issued with a €5,000 fine for inadequate data processing standards. The company did not have a contract in place with third parties for the processing of consumer data. Since there was no contract, sensitive data had been transmitted to the third-party service provider without proper legal bases in place. This is a wake-up call for small-sized enterprises, as they are being watched by data protection bodies as well.
3. Largest collection of breached data found
During autumn and winter of 2018 we were startled by major data breaches such as the Marriott and Facebook data breaches. Thus far, no big data breaches have happened in 2019. But there is remarkable news on the largest collection of breached data ever found. 770 million e-mail addresses and passwords were posted to a popular hacking forum in mid-December. Security researcher Troy Hunt, the man behind the “Have I Been Pwned” breach-notification service, discovered the file. According to him it does not concern a new hack, but a “Collection #1” made up of different individual data breaches from literally thousands of different sources.
4. Consumers claim their privacy through the California Consumer Privacy Act
The start of the new year sets the stage for several public forums around the California Consumer Privacy Act, referred to as CCPA. The CCPA was originally initiated by a consumer initiative, and consumer engagement continues through these public forums, which allow consumers to voice their opinions during the months of January and February. The initiative emerged from privacy concerns among American consumers: recent research revealed that 83% would like the right to tell an organisation not to share or sell their information, 80% want the right to know where and to whom their data is being sold, and 73% would like the right to ask an organisation how their data is being used. Interestingly, 67% of US consumers think the government should do more to protect data privacy. That is exactly the issue the CCPA is tackling: the right to privacy is more alive than ever.
5. 84% of US organisations act messy around consumer privacy
Since consumer data privacy is a booming topic, and big tech companies are under fire, iWelcome put 50 data controllers in the US to the test over the last 3 months of 2018. The sample included organisations that have European customers as well as organisations that only operate in the US. All companies in the sample were scored on their GDPR compliance, and an astonishing 84% scored between ‘uncompliant across the board’ and ‘fulfilling some GDPR-requirements’. Although the CCPA and GDPR are different, plenty of the GDPR requirements that were assessed also apply to the CCPA. One thing is for sure: a lot of progress should be made when it comes to consumer data privacy, to make consumers feel safer and more eager to engage with your firm online.
Market Researcher at iWelcome
Mandy is an experienced researcher in the area of GDPR. She has executed all GDPR-related research iWelcome has done over the past two years. In addition to that, she is part of iWelcome's marketing department.
Feel free to repost this blog on your website or social channels! But when you do so, please be so kind to mention the source and give us a notice via firstname.lastname@example.org.