If you think General Data Privacy Regulation (GDPR) fines are only for big companies like Facebook, you're wrong.
Yes, their fines make big news. Another €1M fine from Italy for Cambridge Analytica on top of €10M for misleading sign-in practices and €3M for What'sApp data plus a whole suite of investigations underway in Ireland makes for a lot of ink. Plus Facebook is a living test case for what is (and isn't) possible. (To say nothing of the $5 billion in fines levied by the U.S.!)
The quieter fines don't see quite as much press, but that doesn't mean that they're not happening. Just ask the Spanish soccer league La Liga or Portuguese hospital Centro Hospitalar Barreiro Montijo.
Motivation Intended (And Storing in Plain Text = Bad)
Data privacy fines also get a lot of ink and eyeballs because deterrents are viewed as great motivators, but a deeper look at Knuddels.de reveals that deterrents aren't the entire rationale behind the GDPR.
The first GDPR fine from Germany followed a hack of the chat app Knuddels.de. In September of 2018, 808,000 email addresses and passwords were compromised, with 330,000 unique users exposed. The company reported within the 72-hour requirement, but after the Landesbeauftragter für den Datenschutz (LfDl) investigation revealed that the passwords had been stored in plain text, they received a relatively low €20,000 fine.
It's helpful to consider that GDPR didn't just pop up out of nowhere. It evolved from existing data privacy laws and the intent to alter company behavior.
The GDPR report cited Knuddels.de's "exemplary cooperation" and, as LfDl Head Stefan Brink told the International Association of Privacy Professionals (IAPP), "As a DPA it is not important for the LfDI to compete for the highest possible fines. What counts in the end is the improvement of data protection and data security for the users concerned."
SIDE NOTE: If you're currently storing your passwords in plain text and feeling somewhat relieved because Facebook and Twitter have also done so, please stop. Not everyone is as forgiving as the LfDl and they might become less forgiving over time. We can also help you with more secure storage --- and it will be relatively painless. The key takeaways from above are that cooperation matters and the end goal isn't torturing tech companies --- the end goal is the improvement of data protection and security.
U.S Patchwork - New York Indicator
The recently failed New York Privacy Act would have required businesses to act as "data fiduciaries," meaning that companies would be required to put the interest of their people whose data they protect ahead of their own financial interests, much the way that doctors or lawyers are required to protect data (more on that in this Atlantic article.)
The bill would also allow "private right of action," which means private parties could bring lawsuits and it would apply to companies of any size. It also would have applied to businesses of any size.
Although a comprehensive New York Privacy Act looks unlikely, don't be lulled by the fact that this act recently failed. Parts of it could come back to life in the next session — and it's not the only U.S. state addressing data privacy.
Nevada recently updated their law to include opt-out rights for data sales--- and it goes into effect October 2019. Maine also passed a law reportedly tougher than CCPA, which will require users to opt-in before companies can sell data. It goes into effect on Jan. 1, 2020, and more are on the books.
Get Ahead of the Patchwork of Legislation
Many are already complaining about the disruptive impact of the patchwork of U.S. state data privacy laws. The U.S. Congress is working on putting something together before CCPA goes into effect.
By this time next year it's unlikely that anyone will forgive you for storing passwords in plain text.
Identity can be a great way to start getting your data house in order. You can learn more here about why our customers often begin with authentication or reach out to an Auth0 resource for info on how we can help with your specific needs.
Auth0, the identity platform for application builders, provides thousands of enterprise customers with a Universal Identity Platform for their web, mobile, IoT, and internal applications. Its extensible platform seamlessly authenticates and secures more than 2.5B logins per month, making it loved by developers and trusted by global enterprises. The company's U.S. headquarters in Bellevue, WA, and additional offices in Buenos Aires, London, Tokyo, Sydney, and Singapore, support its customers that are located in 70+ countries.