CookiePro Blog August 15, 2019

The Privacy Revolution: A Look Back at 15 Months of GDPR

GDPR has been in effect for well over a year now. During this time, the regulation has brought issues of privacy and how companies deal with data to the forefront of the minds of consumers and business owners.

In this article, we’ll look at some of the major GDPR stories that have hit the headlines over the past year and a half. 

Cookie Use Changed Instantly

GDPR had an almost instant impact on how websites use cookies. As well as the sudden prevalence of cookie notices and detailed cookie banners, there were signs some websites had reduced the number of cookies they use.

A Reuters Institute factsheet from August 2018 suggested that between April, the month before GDPR came into effect, and July, two months after, the number of third-party cookies on news sites dropped by 22 percent. This included big drops in the number of advertising and social media cookies. 

The report used data from websites from seven EU countries: Finland, France, Germany, Italy, Poland, Spain, and the U.K. The findings were significant because news websites typically had a “dramatically higher” prevalence of third-party cookies, according to the report.

Other news websites took a different approach to avoid falling foul of the regulations. According to NiemanLab, over one thousand U.S.-based news sites, including around a third of the 100 largest newspapers, chose to block visitors from the EU.  

This included the sites of Lee Enterprises, the company behind many local U.S.-based news outlets. A spokesperson for the company explained to NiemanLab that they decided to block EU users due to the minimal traffic coming from these countries. 

Unfortunately for those in the EU, at the time of writing on August 13, some of the sites in the report were still unavailable. 

Businesses Reported a Huge Number of Breaches

GDPR doesn’t just relate to how websites use cookies. A key part of GDPR is that companies must report data breaches within 72 hours of discovering them. 

In February 2019, DLA Piper found that more than 59,000 data breaches were reported in the eight months following the introduction of GDPR. According to the law firm, the Netherlands, Germany, and the UK had the most breaches. However, at the time of the report, only 91 fines had been imposed under GDPR.

Complaints from the Public Increased

It wasn’t just business owners who were reacting to GDPR. Many reports suggested that consumers were also taking an interest in the regulation. 

In August 2018, law firm EMW revealed that the Information Commissioner’s Office (ICO) saw a 160% increase in complaints between May 25 and July 3, 2018, compared to the same period the year before.

Other organisations in charge of privacy reported similar trends. The Irish Data Protection Commission (DPC) revealed in its year-end report that it received more than double the number of complaints in the part of 2018 following the introduction of GDPR compared to the first part of the year. 

The DPC said the increase “demonstrates a new level of mobilisation to action on the part of individuals to tackle what they see as misuse or failure to adequately explain what is being done with their data.”

Fines Began to Hit Hard

When GDPR came into effect there were questions about how regulatory bodies would fine companies found to be in breach of the rules. 

After a year of GDPR, the number of fines and the amount companies were being fined appeared to be relatively small. 

Ius Laboris took an in-depth look at the fines that had been handed out by May 2019. The report found that, at the time, many countries had issued zero fines. Of the countries that had been active, other than a 50 million euro fine handed out by France to Google, most of the fines were relatively small.

That all changed in July 2019 when the UK’s ICO hit British Airways with a fine of £183 million, amounting to around 1.5 percent of the airline’s total worldwide turnover. This was after a breach in which hackers were able to divert users of the airline website to a false site and steal their data.

The day after the British Airways fine, the ICO handed out a £99 million fine to US hotel group Marriott International due to a data breach that resulted in the information of around 339 million guests being exposed. This was around three percent of the company’s global revenue.

While the above fines were substantial, they could have been worse. GDPR regulations allow fines of up to four percent of a company’s annual turnover. 

GDPR is Just the Start of the Privacy Revolution

GDPR is fully up and running. However, businesses still face new challenges when it comes to complying with data privacy rules. 

The California Consumer Privacy Act (CCPA) is set to take effect from January 1, 2020. The law will deal with how businesses process the information of California residents. It will apply to all companies that collect personal information of more than 50,000 consumers a year. 

Like the GDPR, the CCPA will affect all data a company collects, including the cookies on its websites.

There are plenty of other regulations being set in motion across the world. Argentina is said to be attempting to bring its data protection regulations more in line with GDPR, while India and Brazil, amongst others, have also introduced, or are in the process of introducing, new privacy regulations.

We’re a year into the privacy revolution and the prospect of complying with regulations around the world is something that businesses need to consider. If your company still has work to do to put in place compliant processes, sign up to CookiePro to see how we can help. 
