That’ll be $425 million: Amazon potentially facing massive GDPR fine

Months after three Amazon executives say they were forced out of their roles for raising concerns surrounding data privacy policies and compliance within the global e-commerce behemoth, Amazon is facing a massive potential GDPR fine.

Few details of the violation are known, but Amazon is reportedly in trouble for its “collection and use of personal data.” Since the decision is not yet final, the penalty may increase, decrease, or disappear entirely.

According to the Wall Street Journal, Luxembourg’s data-protection commission, the CNPD, has drafted a decision against the tech giant saying there will be a GDPR penalty of $425 million.

No matter the outcome, this much is clear: GDPR fines are a growing risk for businesses.

CDPA vs CCPA vs GDPR: Differences in regional data privacy laws as penalties ramp up

On March 2, 2021, Virginia became the second state to pass a comprehensive consumer data privacy law. The Consumer Data Protection Act (CDPA) of Virginia draws heavily from the proposed Washington Privacy Act and includes similarities to the California Consumer Privacy Act (CCPA) and the supplementary California Privacy Rights Act (CPRA).

Got it? There’s no shame if the answer is “no”.

In a nutshell, state privacy laws are becoming a cluster of tongue-twisting acronyms spreading from state to state. Companies doing business in Virginia, or producing products or services targeted at Virginia consumers, should seek to understand the key differences between the CCPA and the CDPA now, before the latter goes into full effect on January 1, 2023.

Combined with the growing risk of GDPR penalties, the expansion of US regulations is pushing data privacy to the top of the priority list for businesses everywhere. So, let’s look at how this situation is evolving, the challenges presented by the current landscape, and what you can do to navigate the terrain successfully.

Comparing Virginia’s CDPA to California’s data privacy laws

Like the CCPA, the CDPA creates several privacy obligations for businesses while giving consumers more control over their data. However, the CDPA imposes more data assessment requirements for companies conducting business in Virginia. Modeled after the EU’s General Data Protection Regulation (GDPR) requirement for Data Protection Impact Assessments (DPIAs), the Virginia regulation will require that businesses conduct Data Protection Assessments (DPAs).

What do these assessments mean? Essentially, they fall under the parent category of Privacy Risk Assessments (PRA). Their purpose is to give businesses an opportunity to detect privacy problems early to help avoid costly compliance mistakes.

Currently, California’s regulation doesn’t require anything similar. When the CPRA goes into effect in 2023, however, it will require businesses to submit a Regulators Risk Assessment (RRA) with respect to their processing of personal data.

And then eureka! We have another tongue twister – DPIA vs DPA vs RRA.

Comparing requirements for personal data control

The CDPA opt-in and opt-out rights for consumers have the potential to further unsettle marketers who despise tongue twisters (like me). The opt-out rights in the Virginia regulation include the right to opt out of not just sales of personal data (like the CCPA) but also targeted advertising and certain profiling activities of consumers. The CDPA’s opt-in provisions on consumer consent are also more expansive than the CCPA’s.

However, the CPRA will broaden its reach in 2023, allowing Californians to opt out of the sharing and use of sensitive personal data.

And don’t worry if this is all too much to handle right now. Google has already determined there will be no more tongue twisting shenanigans to consider in the opt-out game of state privacy laws. Check out how Google’s anti-cookie tracking move is good for consumer privacy, and even better for Google.

Attorneys General or Attorney Generals?

The answer to this question differs depending on whether you’re in the US or the UK. In American English, attorneys general is the correct plural form. The British prefer attorney generals.

Luckily, the differences between the CDPA and the CCPA are not as complicated when it comes to penalties for violations.

In general, the CCPA and the CDPA provide for a maximum penalty of $7,500 per violation, and both laws are enforced by their respective state attorney general’s office. However, one major difference is that the CDPA does not include a private right of action, meaning that Virginia residents cannot sue companies for CDPA violations.

How much does it cost to implement the necessary data management technology tools to comply with CDPA and CCPA standards? The IAPP estimates $100K.

With tightened budgets and limited resources to fully execute on all the necessary privacy requirements, some businesses may decide to forgo doing business in Virginia and California to avoid this costly compliance challenge. Moreover, the risk of losing customer trust grows with each violation.

What’s next after the CDPA?

The effective dates of the CDPA and CPRA are only two years away. Businesses should start now to evaluate their current data privacy activities, identify potential gaps, and work to address compliance.

It’s also vital for businesses to keep one eye on the horizon. Beyond Virginia and California, 15 state governments are currently working on draft data privacy laws.

Businesses already in compliance with the CCPA are well positioned to tackle compliance with the CDPA, and the tongue twisty world of increasing state privacy laws.

The global view: GDPR risks increase as U.S. data privacy laws expand

The EU began enforcing GDPR three years ago. At the time, the business world wondered: Would enforcement agencies hand out the stiff penalties outlined in the regulation?

The answer has unfolded as an incremental build of severity. Fines increased by 40% from the first 20 months of enforcement to the second 20 months. And as of January 2021, GDPR fines had reached a total of £245 million ($332 million).

Shining a spotlight on consent and preference data management

All of this regulatory activity highlights the business need for a flexible, scalable consent and preference management solution.

With the right technology in place, businesses can adapt quickly as new regulations emerge. This not only helps to reduce compliance risk, but also strengthens customer trust and can protect brand reputation.

After all, executives may have different opinions about tongue twisters, but they all agree that making the news for violating a data privacy regulation is bad for business.

John Norris
