Meta’s Billion Dollar Data Handling Fine: What Have We Learnt?
You’ve likely heard the data team at work banging on about ‘GDPR’. And, no doubt you’ve sat through countless training sessions on data handling, too. We understand it can seem pretty dry. But GDPR and safe data handling practices are not, by any means, confined to the office and can have very real consequences — as Meta have just found out.
In this blog, we talk through Meta’s latest GDPR issue, discuss why it was so severe, and draw out some of the fundamental lessons we can all take away from it — from cookies and consent to permissions and the Privacy Sandbox project.
Meta’s GDPR fine explained
In May 2023, Meta faced the largest GDPR fine in history. Ouch.
As a result of the ‘improper use of data’, Meta was fined $1.3 billion by the EDPB (European Data Protection Board). According to the regulators, the error was made when Meta transferred user data from the EU to the USA without:
- The correct permissions to do so
- The appropriate safeguarding procedures in place
The infringements themselves were said to have happened since 2020 when GDPR rules were tightened to offer more consumer protection. The reason for such a hefty fine was owing to the scale of the data misuse. According to the EDPB, Meta put the privacy and security of millions of EU users at risk.
Andrea Jelinek, EDPB Chair, said that the EDPB found Meta’s infringement to be
“very serious since it concerns transfers that are systematic, repetitive, and continuous. Facebook has millions of users in Europe, so the volume of personal data transferred is massive. The unprecedented fine is a strong signal to organisations that serious infringements have far-reaching consequences.”
Let’s break it down a bit, shall we?
What can we learn from Meta’s GDPR fine?
While the numbers are in the billions and millions, the issues here can be stripped right down to some of the most fundamental GDPR principles there are, giving us some core learnings to take away.
First things first, Meta failed to stay compliant in their handling of data — a GDPR cornerstone. Part of what landed them in such hot water was their inability to adhere to recent policy changes. So, keep up to date with any changes in legislation and make sure to read the small print.
Permissions and consent
Meta also didn’t obtain the correct permissions to transfer their users’ data or, indeed, use it in the way that they did. If we translate this into a more relatable context — let’s say you’re a business owner looking to handle your users’ data correctly — what can we learn?
Under the EU’s General Data Protection Regulation, there is what’s known as ‘cookie compliance’. It is the legal responsibility of website owners and operators to make sure that the personal data of their users is collected and processed lawfully and with consent. For UK or US business owners collecting data from users inside the EU, these laws still apply.
One of the most common ways for user data to be collected (and shared) is through website cookies — for which there are very specific GDPR rules. Under these rules, websites can only collect personal information from users after they have explicitly given their consent (after being told the true purpose of its intended use). We are all familiar with the cookie banners that pop up a few seconds after visiting a website.
To break this down further:
- Consent must be what’s known as ‘granular’, i.e. specific to each purpose rather than all-or-nothing.
- Users should not be forced or tricked into giving their consent to their data being collected.
- Consent should be as easy to withdraw as it is to give.
- Any consent given is on par with legal documentation in how it must be stored.
- Consent should be renewed annually — though some national GDPR guidelines advocate for six-monthly renewals.
All of the above rules should be adhered to by your business’ site.
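To make those rules concrete for a developer wiring up a cookie banner, here is an added example (not code from the original post) of a small consent ledger that models them: per-purpose decisions, no pre-ticked defaults, one-step withdrawal, an append-only record of every decision, and time-limited validity. The purpose names and the 12-month default renewal window are assumptions for the demo.

```javascript
// Added example, not from the original post: a minimal consent ledger for a cookie banner.
// Assumed purpose taxonomy; strictly necessary cookies need no consent and are not listed.
const PURPOSES = ["analytics", "advertising", "personalisation"];

class ConsentLedger {
  constructor(renewalDays = 365) { // assumed: annual renewal, as the post suggests
    this.renewalDays = renewalDays;
    this.events = []; // append-only audit trail; decisions are never rewritten
  }

  // Record the user's explicit choice for ONE purpose (granular, not all-or-nothing).
  // Anything that is not a deliberate user action (e.g. a pre-ticked box) is rejected.
  record(purpose, granted, { source, at = new Date() }) {
    if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
    if (source !== "user-action") throw new Error("consent must come from an explicit user action");
    this.events.push({ purpose, granted: Boolean(granted), at: new Date(at).toISOString(), source });
  }

  // Withdrawal is the same single call as granting: no extra hoops.
  withdraw(purpose, at = new Date()) {
    this.record(purpose, false, { source: "user-action", at });
  }

  latest(purpose) {
    return [...this.events].reverse().find((e) => e.purpose === purpose);
  }

  // Latest decision wins; a grant lapses after renewalDays and must be asked for again.
  isActive(purpose, now = new Date()) {
    const last = this.latest(purpose);
    if (!last || !last.granted) return false;
    const ageMs = now - new Date(last.at);
    return ageMs >= 0 && ageMs < this.renewalDays * 86400000;
  }

  // Purposes the banner must (re)ask about: never decided, or decided too long ago.
  // A recent "no" is respected and not nagged about.
  needsPrompt(now = new Date()) {
    return PURPOSES.filter((p) => {
      const last = this.latest(p);
      return !last || now - new Date(last.at) >= this.renewalDays * 86400000;
    });
  }
}
```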
At this point, it is worth bearing in mind that the rules around cookies are constantly changing. As an example, Chrome is moving towards greater privacy, and part of this is deprecating third-party cookies. According to Google’s Privacy Sandbox project, in Q3 of 2023, we should expect to see ‘Chrome-facilitated testing that allows sites to meaningfully preview what it’s like to operate in a world without third-party cookies’. Keep your eyes peeled for the results of that one!
Incorrect data handling can have serious consequences
GDPR isn’t a tickbox, nor will it ‘go away’: it is a constantly changing essential component of your business and the way you interact with your customers — on and offline.
As the EDPB’s hardline approach to Meta’s GDPR error has shown us, should an issue occur with the way your website is collecting and handling data, the financial risks can be significant.
Not being compliant poses a significant threat to your revenue. As an example, the ICO (that’s the ‘Information Commissioner’s Office’) has the power to issue fines of up to £17.5 million or 4% of a company’s annual worldwide revenue, whichever is higher!
The ICO also has numerous tools at their disposal to enforce GDPR laws including assessment notices, warnings, reprimands, enforcement notices, and penalty notices. In their own words, “we take a risk-based approach to enforcement […] to create an environment within which, on the one hand, data subjects are protected, while ensuring that organisations are able to operate and innovate efficiently”.
The implications of poor data handling can also put your business’ reputation at stake. With so much competition on the market, who’s to say users shouldn’t take their business elsewhere if your site is unable to guarantee that their personal data is safe and secure?
So, to avoid getting into hot water like Meta, what should we bear in mind when it comes to GDPR?
- Take GDPR seriously and understand the risks.
- Keep up to date with changing legislation to stay compliant.
- Understand the necessity of getting cookies correct.
- Check the different rules that apply to the regions you operate in (regional rules may differ from national and even local policies).
And, as for Meta, although they have appealed the fine, they have been instructed to not only review but update their data handling policies to ensure they can fully satisfy the rigorous GDPR standards held by the EU.
Got any questions?
Although we cannot advise you on how to manage your cookies, or whether you’re GDPR compliant, our fantastic Data Team can help you with the following:
- Advising whether your cookie banner functions how the ICO suggests
- Showing you comparisons for best practices
- Suggesting solutions and support in the setting up of your cookie banner from a technical perspective
- And ensuring all the relevant elements are firing at the right times