Amazon Fined Under EU General Data Protection Regulation


Privacy regulators in the European Union hit Amazon with a record fine of $887 million for advertising violations. The regulators found that Amazon violated the General Data Protection Regulation (GDPR), the main body of data protection laws in the EU. The charges were brought by Luxembourg’s CNPD, the country’s data protection agency. This fine is the largest ever to be issued under the GDPR.

In response to the EU fine, Amazon stated that the decision was meritless. “The decision relating to how we show customers relevant advertising relies on subjective and untested interpretations of European privacy law, and the proposed fine is entirely out of proportion with even that interpretation.”

The fine represents roughly 4.2% of Amazon’s net income for 2020 (about $21.3 billion). Regulators may impose fines of up to 4% of a company’s annual revenue.

About the General Data Protection Regulation

The EU originally published the GDPR in 2016. Enforcement began in 2018. The European Parliament and the Council of the European Union created the GDPR. They designed it to protect personal data and enhance individuals’ rights over their personal data. The GDPR also addressed how the EU should regulate data transfers outside of the EU.

A number of other countries have since modeled their privacy laws on the GDPR’s framework. These countries include Argentina, Kenya, the UK, Japan, South Korea, and Brazil. The GDPR inspired them to draft privacy laws that relate to companies like Amazon. It has also been influential at the state and local government level. For example, the California Consumer Privacy Act (CCPA), passed by the California legislature in 2009, includes many similar provisions.

Amazon Not the Only One Fined

The EU is not picking on Amazon. EU regulators have also hit other Big Tech companies such as Alphabet, Apple, and Facebook with hefty fines. In 2019, the EU fined Google $57 million under the EU’s data privacy law. The EU penalized Google under the GDPR for not properly disclosing its data collection practices to users. Google failed to disclose data collection processes related to targeted advertising across its service platforms, including YouTube and Google Maps. The charges, brought by France’s data protection authority, were just the fourth monetary penalty against any company under the GDPR.

Since then, regulators in the EU have ramped up efforts to rein in the privacy practices of large tech companies like Amazon. The GDPR has affected tech companies and consumers alike. For the general public, one of the most noticeable results is the increase in the number of consent boxes to click.

EU Regulators Take Tough Stance

EU regulators haven’t just policed the data privacy practices of large companies. They have also taken a tough stance on tax and antitrust violations. Google faced a $5.15 billion antitrust fine for abusing its power over the mobile phone market. The EU decision stated that Google used its Android mobile operating system, found in 80% of the world’s smartphones, to suppress competition from rivals. Google is seeking to overturn the ruling at a five-day court hearing scheduled for September 2021.

EU regulators are leading a number of antitrust investigations into Facebook’s advertising practices. They are probing into how Facebook uses advertising data in its classified ads business. In a series of ongoing battles with EU regulators, the EU has hit Facebook with fines totaling over $10 billion over the past decade.

Not Just Big Companies Like Amazon

The news headlines include many stories about large tech companies facing penalties from EU regulators. To remain out of the crosshairs of regulators, startups operating at a smaller scale should also take precautions in handling consumer data. Consequences of GDPR noncompliance are steep. Under the GDPR, individuals have a right to file a complaint and seek damages when their data is mishandled. The definition of “personal data” under the GDPR is wide-reaching. Furthermore, fines imposed by EU regulators can be up to 4% of the company’s global revenues.

Startups should implement comprehensive data management strategies and manage data in a transparent, secure fashion. Companies should restrict data usage to what is necessary to fulfill the data’s purpose.

Startups should also implement privacy policies that address potential risks under the GDPR. To make sure a company’s privacy policy is compliant with the EU’s data privacy laws, thorough review by one or more lawyers is recommended. The privacy policy should address the purposes of data collection, the third parties involved in processing data, users’ rights with respect to their personal data, and how users will be notified of any changes to the company’s privacy policies.