Lessons Learned from Major Privacy Fines

Major companies getting hit with large privacy fines for violating regulations have made headlines in the first half of 2023. The most notable case is Meta, Facebook’s parent company, being fined $1.3 billion for GDPR violations. Microsoft and Amazon have also faced privacy fines of more than $20 million each. While companies like Meta or Amazon are on the radar based on the volume and types of personal data they transfer, we can still learn valuable lessons from each of these enforcements. While it isn’t likely that most organizations face as much risk as these companies, your organization still needs to comply with different privacy regulations to avoid penalties.

Here’s a breakdown of the recent privacy fines and the lessons your organization can take away from each case to minimize its risk.

Meta $1.3B (€1.2B) Fine for GDPR Violations

Following the binding decision from the EDPB, the Irish Data Protect Authority has levied the largest fine in GDPR history fine against Meta for transferring the data of European Facebook users to the U.S. The $1.3B fine is based on the volume, sensitivity, and continuous transfer of personal data. Meta is appealing the fine. The company must also bring its data-transferring practices into compliance with the GDPR within six months.

Takeaways

The Meta case is a prime example of the significance of the Privacy Shield being invalidated by a European court in 2020. The Privacy Shield was designed to provide an additional option for organizations to transfer personal data from the European Economic Area (EEA) to the US. Facebook is currently relying upon standard contract clauses which have been deemed insufficient for the transfers Facebook conducts. This highlights the importance of conducting transfer impact assessments and documenting any risks and how those risks are mitigated with available mechanisms outlined by the EDPB.

Currently, U.S. and European Union officials are negotiating a deal that would allow for the transfer between European and American organizations. Until an agreement is in place, organizations that have operations in Europe and the United States need to take steps to ensure the transfer of any personal data from the EEA to third countries has the appropriate transfer mechanism in place.

$20M Settlement Against Microsoft for Collecting Data from Children Without Parental Consent

Microsoft will pay a $20 million settlement after the Federal Trade Commission (FTC) alleged it committed Children’s Online Privacy Protection Act (COPPA) violations by collecting personal information from children who signed up to play Xbox games online without notifying their parents or obtaining consent, and by illegally retaining children’s personal information. COPPA requires online services directed to children under 13 to gain parental consent before collecting any data from children.

Xbox features allow users to play with other users online, but they must first create an account with personal information. Users who indicated they were under 13 were still asked to provide additional personal information including a phone number and agree to Microsoft’s service agreement and advertising policy. Microsoft didn’t require anyone under 13 to involve a parent until after they had provided this information. Parents then had to complete the account creation before their child could get their own account. The FTC alleged that Microsoft retained the data it collected from children during the account creation process, even when a parent never completed the process. Further, COPPA prohibits retaining personal information about children for longer than is reasonably necessary to fulfill the purpose for which it was collected.

In addition to the financial penalty, Microsoft is being required to:

• Inform parents who have not created a separate account for their child that doing so will provide additional privacy protections for their child.
• Obtain parental consent for accounts created before May 2021 if the account holder is still a child.
• Establish and maintain systems to delete all personal information that it collects from children for the purposes of obtaining parental consent if it has not obtained parental consent. Microsoft must also delete all other personal data collected from children after it is no longer necessary to fulfill the purpose for which it was collected.
• Notify video game publishers when it discloses personal information from children that the user is a child, the publisher will then have to apply COPPA’s protections to that child.

Takeaways

This case is a great example of how careful organizations need to be when collecting data from children, specifically those under 13. Organizations need to implement procedures that will automatically stop the collection of data from a subject once they have identified they are under 13 and trigger actions to collect parental consent. Establish a reasonable timeframe to collect consent, and if parental consent is not given within that window delete the child’s data. When parental consent is given, only retain the data for as long as needed to fulfill its purpose. Organizations should also consider strategies to ensure they are collecting consent from the parent and not the child, including sending a separate email and asking challenge questions that only the parent would know.

Amazon Fined $25M for Keeping Alexa Voice Recordings of Children

The FTC and the Department of Justice (DOJ) have accused Amazon of violating COPPA by not honoring parents’ deletion requests for Alexa voice recordings of children and geolocation data. According to the complaint, Amazon assured Alexa users that voice recordings and geolocation data would be deleted upon request, but the company failed to follow through with its promises and kept some of the data and used it to improve its Alexa algorithm. Some Alexa-enabled devices and services are targeted at children and collect personal data, including voice recordings. The FTC and DOJ alleged Amazon held those children’s recordings indefinitely unless it received a deletion request from a parent. When parents sought to delete that information, Amazon is accused of failing to delete the recording transcripts from all its databases.

Under the proposed federal court order Amazon will be required to pay a $25M penalty and take the following actions:

• Stop using geolocation, voice information, and children’s voice information subject to consumers’ deletion requests for the creation or improvement of any data product.
• Delete inactive Alexa accounts of children.
• Notify users about the FTC-DOJ action against the company.
• Notify users of its retention and deletion practices and controls.
• Stop misrepresenting its privacy policies related to geolocation, voice, and children’s voice information.
• Create and implement a privacy program related to the company’s use of geolocation information.

Takeaways

Amazon ran afoul of several privacy principles and requirements in this investigation. Organizations should ensure they are only processing personal data that is needed for a specific and disclosed purpose. Further, organizations should operate from a data retention schedule and securely delete personal data that is no longer aligned with disclosed business purposes. Finally, organizations must ensure they are aware of the types of personal data they are collecting and have the required permission and consent mechanisms to ensure the processing is permissible.

Ring to Pay $5.8M for Compromising Customer Privacy

The FTC has charged home security camera company Ring (owned by Amazon) with failing to protect its customers’ private videos by allowing any employee to access videos and failing to implement basic privacy and security protections.

The FTC’s complaint alleges Ring used customer videos for training algorithms without consent and did not restrict which employees and contractors could see customer videos, including those from cameras in bedrooms and bathrooms. Ring is also accused of failing to take any steps until January 2018 to adequately notify customers or get consent for their private video recordings being reviewed for various purposes, including training algorithms. Ring buried information in its Terms of Service and Privacy Policy, claiming it had a right to use recordings obtained in connection with its services for “product improvement and development,” according to the complaint.

The FTC claims Ring also failed to implement standard security measures to protect data from “credential stuffing” and “brute force” attacks, despite warnings from employees, outside security researchers, and experiencing credential stuffing attacks in 2017 and 2018. The complaint alleges Ring’s security vulnerabilities enabled hackers to compromise 55,000 Ring accounts, giving them the ability to see private videos and harass customers using the camera’s two-way functionality.

If the FTC’s proposed order is approved by a federal court, Ring will have to pay a $5.8M penalty and take the following actions:

• Delete data products such as data, models, and algorithms derived from videos it unlawfully reviewed.
• Implement a privacy and security program with safeguards on human review of videos as well as other security controls, such as multi-factor authentication for both employee and customer accounts.

Takeaways

The Ring case shows how important it is for organizations to operate from a least privilege methodology.  Employees who do not need to access personal data to complete their job duties should not have access. This will continue to be an area of focus for regulators and organizations need to be prepared to demonstrate both a policy and technical layer of compliance. Regular audits of system and application access should occur to prove ongoing compliance as well.

Organizations should align against an industry accepted information security framework and regularly test its effectiveness at defending against cyber threats. Reaching and maintaining reasonable alignment with programs such as the NIST Privacy Framework and NIST CSF are effective ways to build and establish confidence in a cybersecurity program.

At CompliancePoint we have an experienced team of privacy professionals that can help your organization avoid privacy fines by achieving and maintaining compliance with the various domestic and international privacy laws including the GDPR, CCPA, and all state privacy laws. Reach out to us at connect@compliancepoint.com to learn more about how we can help.