Consumer data protection laws are growing in both number and severity, presenting new challenges for organizations every day. Even if your business is based in a jurisdiction without comprehensive data legislation, simply collecting data on people who live where such laws exist is enough to bring you within their scope. With fines that can reach into the tens of millions of dollars, data compliance has become more important than ever.
So, which data compliance laws does your business need to know about, and how much can a business be fined for breaching them?
5 Data Compliance Fines and Their Cost to Your Business
We’ve chosen five significant data protection laws to discuss:
- The GDPR, which applies to data collected from individuals in the E.U. (even if the company is not based in Europe);
- The CCPA, which covers data collected from residents of the state of California (there is currently no comprehensive federal U.S. privacy law comparable to the GDPR);
- PIPEDA, Canada’s federal private-sector privacy law;
- HIPAA, a U.S. federal law protecting medical data; and
- LGPD, Brazil’s new data protection law.
1. GDPR Fines
The General Data Protection Regulation was adopted by the European Union in 2016 and became enforceable in May 2018. Remember that you do not need to be based in Europe for these rules to apply to your business: processing the personal data of people in the E.U., for example because you offer them goods or services or monitor their behavior online, is enough.
GDPR fines come in two tiers. Lower-tier fines run up to €10 million or 2% of annual global turnover for the preceding financial year, whichever is greater; higher-tier fines double those amounts, up to €20 million or 4% of annual global turnover. E.U. supervisory authorities have already issued more than €50 million in GDPR fines this year alone, and most of those fines stem from violations of a few select articles of the regulation.
Articles 5 and 6
Articles 5 and 6 govern how personal data may be processed and are where most violations have occurred. Article 5 sets out the data processing principles, including purpose limitation, data minimization (collecting only what is needed) and storage limitation (keeping data no longer than necessary). Article 6 sets out the legal bases that make processing lawful, of which consent is one. Infringements of either article fall in the higher fine tier.
Which tier applies is fixed by the provision that was breached; where a fine falls within that tier is decided case by case. Article 83(2) lists the factors a supervisory authority must weigh, including the nature and gravity of the infringement, whether it was intentional or negligent, what steps were taken to mitigate the damage, and how well the organization cooperated with the authority. Negligence and failure to respond therefore push fines toward the top of the range.
Article 32
This article pertains to the security of processing. It requires technical and organizational measures appropriate to the risk, and names encryption and pseudonymization of personal data, the ability to restore availability of and access to data after an incident, and regular testing of those measures as examples. A system that falls short of these requirements is more likely to suffer a breach, and shortcomings such as failing to encrypt personal data or failing to keep restorable backups can draw a lower-tier fine, whether they are found in an audit or in the investigation that follows a reported breach.
2. CCPA Fines
The CCPA is the California Consumer Privacy Act, the strongest such law in the United States. Organizations that are not headquartered in California but do business in the state must comply if they meet one of the law’s thresholds: annual gross revenue above $25 million, buying, receiving, selling or sharing the personal information of 50,000 or more consumers, households or devices a year, or deriving half or more of their annual revenue from selling personal information. A business that collects data on California residents can be subject to the CCPA without having a single office in the state.
Note that a “consumer” under the CCPA is a California resident, and residency is defined broadly: it includes anyone domiciled in California who is outside the state only temporarily, so a resident’s data remains protected while they are travelling. People who are in California only temporarily, such as tourists, are not residents and are not covered. Similar to the GDPR, the CCPA splits civil penalties into two categories: intentional and unintentional violations.
Intentional violations carry a civil penalty of up to $7,500 per violation. This can add up very quickly, since violations usually occur across large databases rather than for a single individual. Intentional violations can include failing to notify consumers about data collection, failing to respond to access or deletion requests, or continuing to sell a consumer’s data after they have opted out of the sale.
Unintentional violations carry a civil penalty of up to $2,500 per violation, the figure applied where the business did not act deliberately.
The CCPA also gives consumers a private right of action, including class actions, when their non-encrypted and non-redacted personal information is exposed in a breach caused by the business’s failure to implement reasonable security measures. Individuals may recover statutory damages of $100 to $750 per consumer per incident, or their actual damages if those are higher. This can make a breach incredibly expensive even before regulators get involved.
3. PIPEDA Fines
Canada’s Personal Information Protection and Electronic Documents Act, or PIPEDA, sets a single federal standard for how private-sector organizations handle personal information in the course of commercial activity; provinces whose own laws are substantially similar (Alberta, British Columbia and Quebec) are exempt from it for matters within the province. Although PIPEDA has been in force for many years, it was strengthened in November 2018 when mandatory breach reporting took effect.
If you collect personal information on Canadians in the course of commercial activity, you may be subject to PIPEDA penalties if a breach occurs. A breach of security safeguards that poses a real risk of significant harm must be reported to the Privacy Commissioner and to the affected individuals as soon as feasible, and you must keep a record of every breach for at least 24 months. Knowingly failing to report or notify, failing to keep those records, obstructing the Commissioner’s investigation, or punishing employees who act according to PIPEDA rules are offences that can lead to fines of up to $100,000 CAD.
4. HIPAA Fines
The Health Insurance Portability and Accountability Act is one of the older U.S. federal privacy laws. Passed in 1996 primarily to let people keep their health insurance coverage when they changed jobs, it also contains important rules for protecting patients’ data.
Given the sensitivity of medical data, it makes sense that HIPAA rules would be strict. The maximum fines are smaller than what you might see under the CCPA or GDPR, in part because many of the covered entities are small medical practices.
HIPAA breaks violations into four tiers according to the degree of culpability of the covered entity or business associate. In the first tier, the organization did not know about the violation and could not reasonably have known. In the second tier, there was reasonable cause for the violation but no willful neglect. In the third tier, the violation was due to willful neglect but was corrected within 30 days of discovery. In the fourth tier, the violation was due to willful neglect and was not corrected in time.
Depending on the tier, fines range from $100 to $50,000 per violation, with an annual cap of $1.5 million for violations of the same provision.
5. LGPD Fines
The LGPD is Brazil’s new General Data Protection Law (Lei Geral de Proteção de Dados Pessoais), which was passed in August 2018 and was scheduled to take effect on August 16, 2020. Similar to the GDPR, the LGPD applies to companies that are not located in Brazil. It covers any entity that processes personal data in Brazil, processes personal data that was collected in Brazil, or processes personal data in order to offer goods or services to, or about, individuals located in Brazil.
Under the LGPD, fines can reach up to 2% of the entity’s Brazil-sourced revenue for the prior fiscal year, capped at R$50 million per violation (roughly $11 million at the time of writing), with the additional possibility of daily fines to further incentivize compliance.
Prevent Data Compliance Fines With Aparavi
These five regulations are causing many businesses to rethink their compliance approach, but the list doesn’t end here. Other regulations, such as COPPA (the Children’s Online Privacy Protection Act), the FCRA (Fair Credit Reporting Act), the GLBA (Gramm-Leach-Bliley Act), and PCI DSS (the Payment Card Industry Data Security Standard), can also lead to major data privacy fines for your company. To learn more about these other laws, which data privacy laws apply to your organization, and what fines you can expect from each, download our e-book: [Data Privacy and Compliance: Are You Ready for an Influx of Information Requests?](/us/data-compliance-fines-how-much-cost-you/#popmake-8610)
Failing to handle data properly can cost your company millions. If you want to prevent data mishaps and protect your company, contact Aparavi today. Our cloud-based Data Intelligence & Automation Platform reduces response time and costs through automation and helps you find what you need, when you need it, across any location. More than 140 industry-specific, pre-defined classification policies and more than 800 global patterns, automatically updated regulations, and targeted searches make it easier than ever to comply with data privacy regulations. With Aparavi, data chaos becomes data innovation.