
Lessons Learned From GDPR Fines in 2023

In a year already marked by record-breaking GDPR fines against companies like Meta and Amazon, Criteo, the French ad tech giant, is the latest company to find itself on the receiving end: a €40 million ($44 million) penalty for its failure to obtain users’ consent for targeted advertising. This case serves as a reminder to companies worldwide of the importance of GDPR compliance. As businesses grapple with the repercussions of non-compliance, it becomes crucial to identify and avoid the three common mistakes that have landed countless organizations in hot water.

Not obtaining informed user consent

Under GDPR regulations, organizations must ensure that users are fully aware of what they are consenting to and understand how their data will be processed and used. This means presenting information in a concise and accessible manner, avoiding complicated legal jargon, and certifying that individuals have the freedom to give or withhold their consent without facing any negative consequences.

Failure to do so can result in severe consequences, and those consequences totaled roughly $57 million for Google in 2019. The popular search engine had failed to provide users with clear and transparent information about how their personal data was being collected and used for targeted advertising purposes. The company was found to lack transparency in presenting essential information such as the purposes of data processing, the storage duration of the data, and the categories of personal data being processed. This lack of transparency ultimately resulted in the hefty penalty from the French data protection authority, CNIL.

Data transfers outside the EU

One critical aspect of GDPR compliance involves handling data transfers outside the European Union (EU). The GDPR policy mandates that organizations must ensure adequate safeguards when transferring personal data to countries with less stringent data protection laws.

Recently, Meta was fined a record-breaking $1.3 billion by Ireland’s Data Protection Commission after failing to comply with a 2020 ruling by the European Union’s highest court, which determined that the data of European users transferred by the company to the United States did not have adequate protection against American surveillance agencies. The social media giant faced scrutiny when it transferred personal data to a jurisdiction with lax privacy regulations, leading to public outcry, legal challenges, and reputational damage.

Illegally processing children’s data

Protecting children’s data is a top priority under GDPR. Organizations are required to obtain explicit consent from a parent or guardian before processing personal data of children under the age of 16, or a lower age as defined by each EU member state.

Disregarding these regulations can have significant ramifications, as TikTok, the popular social media platform, quickly learned after it was issued a fine of £12.7 million for illegally processing the data of 1.4 million children under the age of 13 without parental consent. Under GDPR, safeguarding the privacy and well-being of young users is a necessary component of achieving compliance.

What can we learn from these GDPR fines?

According to enforcementtracker.com, more in GDPR fines has been imposed in 2023 alone than in 2019, 2020, and 2021 combined, reaching over €1.6 billion ($1.8 billion). The string of GDPR fines in 2023 highlights the critical importance of compliance in today’s data-driven landscape. To avoid costly penalties, organizations need to prioritize obtaining informed user consent, ensure secure data transfers outside the EU, and adhere to regulations regarding children’s data protection.

Enforcement of data protection regulations shows no signs of letting up anytime soon, so organizations need to learn from the mistakes of others and take proactive measures to protect user privacy, reduce risk, build trust, and avoid the legal and reputational consequences associated with GDPR non-compliance.