By Emily Ashley[i]
In a world that believes “privacy is dead”[ii] and “data is the new oil,”[iii] privacy professionals are met with the tricky task of persuading cross-functional teams to seriously consider privacy-forward goals. To effectively advocate to those who budget for or implement privacy programs, address the bottom line by presenting the value-add of privacy. Skip the academic discussions on the intricacies of laws surrounding data and privacy, and instead present the numbers and impact. Powerful companies have faced significant consequences, so whether you are a privacy advocate or someone who embraces the idea that privacy is no longer a social norm,[iv] there are key lessons to be gleaned from those companies’ mistakes to avoid costly data incidents.
Below are some talking points to convince key stakeholders to build a strong privacy and data protection program.
Executive job security
The scope of harm for a data incident expands beyond the entity itself. CEOs have been forced to resign after data breach incidents, notably including those from Target, Sony, and Equifax.[v] Data collection and processing can lead to valuable insights, which can be appealing to executives; however, placing privacy and security protections on data practices will help mitigate consequences on a personal level that could be life-changing for those held publicly responsible if a data disaster occurs.
Building a brand of trust is critical for a company’s survival.[vi] In fact, a 2020 Pew study indicated that 52% of Americans have decided not to use a product or service because of data protection concerns.[vii] Apple has taken note of these trends and leverages its privacy brand to distinguish itself from competitors.[viii]
Data incidents impact market value. Facebook’s stock dropped 7% in a single day after news of the Cambridge Analytica scandal, and the loss cut its market capitalization by around $43 billion.[ix] Facebook is not alone: in one study, 21 out of 40 companies that faced breaches saw lower stock performance in the six months after a breach than in the six months prior, with tech and finance companies seeing the largest drops in share prices.[x] These losses show that the cost of data mishaps goes beyond legal penalties and can lead to longer-term effects.
Numbers speak volumes
Privacy laws come with a price tag. The chart below highlights penalties associated with existing privacy laws, emphasizing the importance of establishing a strong compliance program.
| | CPRA | Virginia CDPA | Colorado CPA | GDPR |
|---|---|---|---|---|
| Cost of Non-Compliance | $2,500 for each violation (or $7,500 per violation if it was intentional or if it involved minors) | Up to $7,500 per violation + “reasonable expenses” to the Attorney General for handling the case (including attorney’s fees) | Up to $20,000 per violation (fines governed by the Colorado Consumer Protection Act) | Up to €10,000,000 or 2% of total worldwide turnover of the preceding financial year, whichever is higher |
Figure 1: Penalties Imposed by Privacy Laws[xi]
Some laws impose joint liability if companies collaborate with another entity that violates the law, so partners and third-party vendors should be properly vetted by a privacy professional.[xii]
Data breaches or incidents stemming from questionable data practices are also costly. Facebook notably faced $5 billion in fines from the Federal Trade Commission for data practices that were deemed deceitful,[xiii] and it paid another $650 million to settle a class action lawsuit alleging that its facial recognition practices violated an Illinois biometric privacy law.[xiv] Other companies have faced serious privacy repercussions as well. The table below highlights other notable privacy incidents with hefty price tags.
| Company (Year of incident) | Penalty |
|---|---|
| Anthem (2014) | $8.69 million |
| Comcast (2015) | $33 million |
| Equifax (2017) | $600 million |
| Lenovo (2017) | $3.5 million |
| Target (2013) | $18.5 million |
| Uber (2016) | $148 million + an additional $100k to hackers |
| Wells Fargo (2016) | $8.5 million |
Figure 2: Notable Privacy Enforcement Actions[xv]
Incoming influx of laws
The privacy law landscape is ever-changing, so companies need to be ready to adapt. Several states have enacted comprehensive privacy laws, and over 25 states have introduced similar bills (at least 7 of which include a private right of action for violations, opening the door for lawsuits).[xvi] Beyond the statutory landscape, litigation – for instance, Schrems II,[xvii] which impacted cross-border data transfers – can unexpectedly uproot the way companies handle personal data. Rather than scrambling to comply with each new law that is enacted, recommend a robust privacy program, complete with skilled privacy professionals and necessary tools, to prepare companies to seamlessly adapt to the influx of legal considerations.
Data protection practices lead to efficient spending
All 50 states have enacted data breach laws requiring companies to provide notice to customers when a breach occurs, potentially leading to expensive communication strategies and a negative impact on the brand’s public image. Many states, however, include safe harbor provisions that allow companies to classify security events as an “incident” rather than a “breach” if the data in question has been encrypted, evading the need for notice.[xviii] Encryption thus protects both companies and individuals if a breach occurs.
Beyond encryption, other tools and privacy-enhancing technologies exist. Investing in these tools before a breach will not only mitigate the costs of an incident, but will also allow for thoughtful integration into existing systems rather than hastily buying resources that are not a good fit in response to a breach.[xix]
Data valuation and privacy rights
Some privacy laws provide a right to non-discrimination, preventing companies from treating consumers differently if they exercise their privacy rights granted by the law. This requirement may have a loophole: companies can offer deals and discounts to consumers who share data, so long as it’s reasonably related to the personal data’s value.[xx] This forces companies to think more concretely about the value of personal data, opening the door for future conversations about data’s place on the balance sheet.
Data collection and analytics have become so ubiquitous that some experts believe privacy as a separate consideration is dead. But for those grappling with the real-world consequences of data incidents, privacy is very much alive and well, and prioritizing it will protect an organization’s funds, market value, brand and reputation, and jobs—all of which affect the bottom line.
[i] Emily Ashley is a Privacy Law Certificate and 4L J.D./MBA Candidate, Class of 2021, at Santa Clara University.
[ii] For example, see Christopher Mims, “Privacy is Dead. Here’s What Comes Next,” May 6, 2018 for The Wall Street Journal at https://www.wsj.com/articles/privacy-is-dead-heres-what-comes-next-1525608001 (Last Accessed: October 27, 2021)
[iii] For example, see Kiran Bhageshpur, “Data is the New Oil – and That’s a Good Thing,” November 15, 2019 for Forbes at https://www.forbes.com/sites/forbestechcouncil/2019/11/15/data-is-the-new-oil-and-thats-a-good-thing/?sh=6fd211007304 (Last Accessed: October 27, 2021)
[iv] Bobbie Johnson, “Privacy No Longer a Social Norm, says Facebook Founder,” January 10, 2010 for The Guardian, https://www.theguardian.com/technology/2010/jan/11/facebook-privacy (Last Accessed: October 27, 2021)
[v] Brian Nesmith, “CEOs: The Data Breach is Your Fault,” June 26, 2018 for Forbes, https://www.forbes.com/sites/forbestechcouncil/2018/06/26/ceos-the-data-breach-is-your-fault/?sh=f31f7a258b0f (Last Accessed: October 27, 2021)
[vi] Carolyn Vadino, “Why Building Trust is just as Important as Building Your Brand,” November 10, 2020 for Forbes, https://www.forbes.com/sites/forbescommunicationscouncil/2020/11/10/why-building-trust-is-just-as-important-as-building-your-brand/?sh=706119945041 (Last Accessed: October 27, 2021)
[vii] Andrew Perrin, “Half of Americans Have Decided Not to Use a Product or Service Because of Privacy Concerns,” April 14, 2020 for Pew Research Center, https://www.pewresearch.org/fact-tank/2020/04/14/half-of-americans-have-decided-not-to-use-a-product-or-service-because-of-privacy-concerns/
[viii] Kif Leswing, “Apple is turning privacy into a business advantage, not just a marketing slogan,” June 8, 2021 for CNBC, https://www.cnbc.com/2021/06/07/apple-is-turning-privacy-into-a-business-advantage.html (Last Accessed: October 27, 2021)
[ix] Shannon Liao, “Facebook Stock Tanks After Data Breach Report, Shaving Billions Off Company’s Market Value,” March 19, 2018 for The Verge, https://www.theverge.com/2018/3/19/17139642/facebook-stock-fall-market-cap-data-breach-cambridge-analytica
[x] Paul Bischoff, “How Data Breaches Affect Stock Market Share Prices,” February 9, 2021 for Comparitech, https://www.comparitech.com/blog/information-security/data-breach-share-price-analysis/ (Last Accessed: October 28, 2021)
[xi] See California Legislative Information, Title 1.81.5: California Consumer Privacy Act of 2018, https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5 (Last Accessed: October 27, 2021); Virginia’s Legislative Information System, Chapter 52: Consumer Data Protection Act, https://lis.virginia.gov/cgi-bin/legp604.exe?212+ful+CHAP0035 (Last Accessed: October 27, 2021); Colorado General Assembly, SB21-190: Protect Personal Data Privacy, https://leg.colorado.gov/bills/sb21-190 (Last Accessed: October 27, 2021) and Sarah Rippy, “Colorado Privacy Act Becomes Law,” July 8, 2021 for IAPP, https://iapp.org/news/a/colorado-privacy-act-becomes-law/ (Last Accessed: October 29, 2021); and General Data Protection Regulation (GDPR), https://gdpr.eu/tag/gdpr/ (Last Accessed: October 27, 2021)
[xii] See California Legislative Information, Title 1.81.5: California Consumer Privacy Act of 2018, https://leginfo.legislature.ca.gov/faces/codes_displayText.xhtml?division=3.&part=4.&lawCode=CIV&title=1.81.5 (Last Accessed: October 27, 2021) and Virginia’s Legislative Information System, Chapter 52: Consumer Data Protection Act, https://lis.virginia.gov/cgi-bin/legp604.exe?212+ful+CHAP0035 (Last Accessed: October 27, 2021)
[xiii] Rob Davies and Dominic Rushe, “Facebook to Pay $5bn Fine as Regulator Settles Cambridge Analytica Complaints,” July 24, 2019 for The Guardian, https://www.theguardian.com/technology/2019/jul/24/facebook-to-pay-5bn-fine-as-regulator-files-cambridge-analytica-complaint (Last Accessed: October 27, 2021)
[xiv] Taylor Hatmaker, “Facebook will pay $650 million to settle class action suit centered on Illinois privacy law,” March 1, 2021 for TechCrunch, https://techcrunch.com/2021/03/01/facebook-illinois-class-action-bipa/ (Last Accessed: November 8, 2021)
[xv] State of California Department of Justice, Office of the Attorney General, “Privacy Enforcement Actions,” https://oag.ca.gov/privacy/privacy-enforcement-actions (Last Accessed: October 27, 2021)
[xvi] Sarah Rippy, “US State Privacy Legislation Tracker,” Last Updated September 16, 2021 for IAPP, https://iapp.org/resources/article/us-state-privacy-legislation-tracker/ (Last Accessed: October 28, 2021)
[xvii] EY, “What to do Now that the EU-US Privacy Shield Framework is Invalid,” September 28, 2020, https://www.ey.com/en_us/consulting/what-to-do-now-that-the-eu-us-privacy-shield-framework-is-invalid (Last Accessed: October 28, 2021)
[xviii] Alice Porch, “Safe Harbor from Data Breach Notification,” July 3, 2017 for AMP Legal, https://www.amp.legal/blog/safe-harbor-from-data-breach-notification/ (Last Accessed: October 28, 2021)
[xix] See, for example: TROPT Webcast Series: “Defining the Privacy Landscape with Nishant Bhajaria;” for The Rise of Privacy Tech, https://www.riseofprivacytech.com/about/resources/ (Last Accessed: November 10, 2021)
[xx] State of California Department of Justice, Office of the Attorney General, “California Consumer Privacy Act,” https://oag.ca.gov/privacy/ccpa#sectionf (Last Accessed: October 28, 2021)