Companies violating global data privacy laws like GDPR and CCPA have more than bureaucrats and regulators to concern themselves with: class action lawsuits and complaints by consumer groups and private individuals are quickly filling up court dockets around the globe.
Why Are So Many High Profile Private Cases Being Filed?
Oracle and Salesforce face legal complaints over privacy related to cookie consent violations, and hotel chain Marriott is facing a lawsuit alleging a large-scale privacy breach; the latter case is also being enforced by the UK’s regulatory body, so Marriott is fighting a two-front battle. These private cases are a reflection of the growing disappointment with regulators struggling to investigate GDPR violation allegations and enforce penalties commensurate with those violations.
For example, France's regulator penalized Google with a €50 million fine in 2019, but payment has not yet been approved by the necessary parties to actually collect funds. Ireland's Data Protection Commission, which is in charge of overseeing many Silicon Valley companies due to regional bases established in the country, has been particularly slow to enforce GDPR violations. The case over a 2018 breach at Twitter has dragged on for two years (with Twitter continuing to suffer security failures all the while), and though a draft decision has been crafted, a formal dispute between regulators is now delaying a final outcome by many more months. These delays have motivated private parties to turn to the court system for speedier resolution of their complaints.
Why Are These Private Cases Important?
Regulators may not have the resources to investigate an individual complaint and take on a massive organization like Oracle or Salesforce; private litigation, however, provides three primary motivations:
1) A court case can provide a speedier resolution;
2) A financial incentive exists for private citizens and their attorneys as they can be compensated if they can prove the merits of the violations in court; and
3) Legal precedent can be set once a verdict is rendered.
The second reason above is quite the incentive, as regulatory fines do not provide compensation to individuals who had their data stolen. Additionally, if a private individual or group brings a lawsuit to court, they retain control over whether or not a settlement occurs rather than leaving it up to a regulator’s discretion.
Is My Company Going To Be Sued?
Maybe, though the odds of that occurring go down if you’ve taken steps to be GDPR compliant, such as using a cookie consent tool (but not a cookie wall) and providing a mechanism for individuals to make a data subject access request. Additionally, while going directly to court opens up a new front in the fight against data protection abusers, it is not necessarily straightforward, as it is complex, expensive and uncertain.
How Can Clym Help?
Clym provides a cost-effective, scalable and flexible platform to help companies comply with CCPA, GDPR, and other laws, with plans starting at just $10/month. Contact us today about how your startup can implement Clym to help manage your data privacy regulation compliance from a global perspective.