Do Big Tech fines make a difference?


In the last five years, Meta has amassed upwards of €2.2 billion ($2.38 billion) data privacy violation fines under the EU’s General Data Protection Regulation (GDPR). Its Big Tech peers Amazon and Google earned nine-figure fines for data privacy violations.

For some, it may defy belief that tech firms continue to garner data privacy fines. But with GDPR’s toughest sanction being less than 5% of a firm’s annual turnover, these fines carry less of a financial imperative for larger companies. As a point of comparison, last year Meta earned $113 billion in revenue, of which 95% was derived from its advertising business; yet Facebook and Instagram’s parent company was hit with a €1.2 billion ($1.3 billion) fine in May 2023.

What’s more, Meta amassed all of its GDPR fines in the last two years with all five occurring in 2022 and 2023, according to the GDPR Enforcement Tracker.

Are Big Tech fines simply the cost of doing business?

While GDPR lists the loss of reputation as a deterrent alongside its financial fines, it appears some tech companies aren’t experiencing consequences from repeated violations of data privacy laws. For instance, advertisers trusted Meta with $34.15 billion in revenue in Q3 2023, a 23% increase over its Q2 2022 numbers. 

Meta ad-revenue rival Google is another repeat offender of data privacy legislation. Since 2018, Google has received €215 million ($232 million) in GDPR fines from seven violations. Google made $280 billion in revenue in 2022 alone, with 80% ($224 billion) of this revenue derived from ads.

“There are guidelines at the European level to harmonize the calculation of administrative fines,” says Isabelle Roccia, managing director, Europe at the International Association of Privacy Professionals. “However, the severity of the fine to be applied against types of non-compliance remains a subject of debate among European regulators.”

The Court of Justice of the European Union (CJEU) also recently ruled that GDPR fines can only be imposed in certain circumstances.

Microsoft also set aside $425 million in June 2023, ahead of a potential fine for LinkedIn activity levied by the Irish Data Protection Commission (IDPC). In 2018 the regulator began an investigation into whether LinkedIn’s advertising practices were GDPR compliant, but has not given its final verdict.

Apple isn't shielded from Big Tech fines, having earned an €8 million ($8.6 million) fine from CNIL (France’s national data privacy agency) in 2023 for cookie practices that violated the French Data Protection Act. For context, Apple brought in $394 billion in 2022 with $4.7 billion of that coming from App Store ads.

It’s important to note GDPR isn’t the only data privacy legislation at play, as many nations have their own data privacy laws. Firms operating outside the EU also have to abide by the terms of the GDPR where usage of EU citizens’ data is concerned, with some nations having set up adequacy frameworks such as the UK-US data bridge.

The US has yet to enact federal legislation on the same footing as the GDPR, but did adopt the Children’s Online Privacy Protection Act (COPPA) in 2000. COPPA has undergone several updates in the subsequent years, but its core purpose remains the protection of children’s data online.

Both Google and Microsoft have run afoul of COPPA, amassing $170 million and $20 million in fines respectively. 

The California Consumer Privacy Act (CCPA) is another major piece of US legislation that came into effect in January 2020. It has been described as the US GDPR, as it legislates harsh penalties for organizations that fail to adequately protect consumer data or which exhibit unacceptable data breach responses.

A shift towards financial and operational accountability for Big Tech

Privacy protection pundits list children’s data protection among the most important privacy initiatives. It’s in line with these concerns that many Big Tech fines are handed out, with the protection of children on social media frequently cited as a sticking point for regulators.

“We have seen significant fines and transformative regulators’ decisions in areas… such as compliance with international data transfers or cookies requirements, as well as on areas that are the subject of industry-wide reflection at the moment such as AdTech and children’s privacy,” says Isabelle Roccia, managing director, Europe for the International Association of Privacy Professionals (IAPP).

With children’s privacy at stake, many are seeing the inclusion of mandatory corrective actions in their sanctions from data privacy regulatory bodies.

“There is a recent trend in enforcement – beyond the fines – to order corrective action that strikes at the core of business practices and may result in paradigm shifts in established practices,” says Roccia.

Take Microsoft’s recent $20 million sanction by the US Department of Justice (DOJ) for COPPA violations. The DOJ included several corrective actions and monitoring requirements with its fine.

“This settlement requires Microsoft to clearly communicate with parents about their child’s data and sets up procedures to monitor Microsoft’s compliance with federal statutes regarding children’s online privacy,” wrote US Attorney Nick Brown for the Western District of Washington.

Amazon also found itself in the crosshairs of the DOJ when it misrepresented several data retention practices of its Alexa voice assistant line. The company was accused of retaining recordings of children’s voices and of not deleting account information even after parents of child users requested that the firm do so. This earned Amazon a $25 million penalty. The firm was also required to identify and delete inactive profiles of users younger than 13 years of age, and to be truthful about how long it retains voice data and whether it deletes it.

The rationale for purely financial penalties was that the prospect of future fines and reputational damage would deter violations. But many of these sanctions aren’t deterrents to organizations that operate at the scale and magnitude of the Big 5. A great many users depend on these services to live day-to-day and will continue to do so. For companies such as Meta, Amazon, Microsoft, Apple, and Google, the law may be forced to shift towards direct instruction in remediating data privacy harms and violations.

For enterprises outside of this exclusive group, the financial, reputational, and operational impact of data privacy violations can still very well cause threats to business operations. To that end, Roccia provides us with a glimpse into what’s ahead.


“Under the GDPR, the current structure of up to 4% of global annual turnover has had various impacts: the most obvious is financial, but the impact can be significant on reputation, customer trust, operations, and processes,” Roccia shares. “Some fines and most importantly some regulators’ decisions this year are increasingly requiring change in practices and paying more attention to privacy governance internally.”

“Privacy compliance does not exist in a vacuum and is always at the intersection of other considerations – cyber security, data sharing, competition and increasingly artificial intelligence (AI).”

Lisa Sparks

Lisa D Sparks is an experienced editor and marketing professional with a background in journalism, content marketing, strategic development, project management, and process automation. She writes about semiconductors, data centers, and digital infrastructure for tech publications and is also the founder and editor of Digital Infrastructure News and Trends (DINT), a weekday newsletter at the intersection of tech, race, and gender.