Privacy Fines: It’s No Longer If But When
The internet wasn’t built for privacy, and companies are paying the price
As more EU countries become active in enforcement and more countries adopt GDPR-like privacy regulations, there is bound to be a compounding growth effect in the number of fines levied against companies of all sizes. Gartner projects that by 2023, 65% of the world’s population will be covered by some form of GDPR-style privacy regulation. And it’s not just big tech and multinational companies getting fined.
As of the writing of this article, there have been 209 GDPR fines issued in 2021 alone, totaling €49,625,604 ($58,719,507), which works out to an average penalty of €237,443 ($279,676). The median GDPR fine was €15,000 ($17,668). The message this sends is clear: everyone is subject to GDPR and will be held responsible. Keep in mind that the Data Protection Authorities (DPAs) can fine companies up to either 2% or 4% of their annual revenue, depending on the scope and severity of the violation.
A lack of privacy on websites is a feature, not a bug
The basic architecture of most websites makes it almost impossible for companies to use modern cloud services without putting them at risk of a privacy violation.
Over the last decade, most companies have chosen to build websites using critical components supplied by third parties. These components include essential services such as user tracking and analytics, hosting, marketing, and other tags. The problem is that companies lack any visibility into the informational transactions occurring between their web visitors and the third parties powering these same essential web functions.
Lokker.com released a free privacy scanner to help companies see how easily their third-party website vendors can access, collect, and share user information. The scanner reveals how efficiently personal user information can spread from a single page of a website to dozens of third-party domains and data brokers.
User privacy loss and the “Third-Party App Problem”
Cybersecurity firm Reflectiz reported that in 2019, 85% of websites were found to have over 15 apps tracking users. Reflectiz also noted that the average number of third-party apps per website rose 90% over the last four years to 35, while the average number of fourth-party apps per website rose 300% to 31.
Few companies have the resources to monitor 60 or more third- and fourth-party services, each independently interacting in real time with thousands, if not hundreds of thousands, of online users as they browse and interact with their websites.
The paradox of modern web architecture is that companies “own” websites made up of as much as 70% web code owned and operated by third-party vendors. While companies have few other options, this dynamic makes them responsible for third-party behavior over which they have little oversight or control.
Aside from compliance fines and security vulnerabilities, this reality opens Pandora’s box of privacy issues that exposes our collective identity online and explains why things like identity theft and corporate information theft have become the digital plagues of our time.
Consent Management Platforms aren’t enough
Since May 2018, when the GDPR went into full effect, Consent Management Platforms (CMPs) have become the most widely used privacy management tool. However, GDPR fines have been skyrocketing each year for companies large and small. Why?
According to the GDPR, consent is the legal basis a “controller” (the party responsible for any data subject’s personal information) must have to track users on the web. The problem is that third-party code is dynamic, and it’s not just about cookies. A recent web privacy research project conducted by Cornell University found that 750,000 out of 1,000,000 websites track users via other methods such as “first-party ID leaks, ID synchronization, and browser fingerprinting, …even after users rejected all cookies.”
The implications of this are easy to understand: companies are not in control of their users’ web privacy and are therefore at continual risk of fines or lawsuits.
Privacy isn’t just a legal problem to solve
The GDPR sets precise requirements for displaying consent and privacy notices but offers few, if any, recommendations on how companies should protect users against the sophisticated and complex tracking technologies deployed by commonly used third-party applications.
CMPs were quick to offer solutions for handling the consent management piece of the regulatory requirements, which is a significant first step. Companies assume that as long as they have user consent under control, they are covered from a compliance standpoint. But this is proving not to be true.
Looking at the violations-by-type data, a pattern is clear: most of the fines are catching companies due to a lack of data processing control. 93% of GDPR fines come from violations involving mismanagement of data rights, processing, or permissions. Why are these specific categories of penalties growing?
The accepted “privacy practice” needs to change
Security-focused companies have traditionally deployed reactive threat solutions such as Content Security Policy (CSP), iframe sandboxing, blacklisting/whitelisting of libraries, and more. But these primarily security-focused solutions won’t prevent new or active privacy threats that haven’t been detected yet. Some companies deploy sophisticated and expensive Remote Browser Isolation (RBI) technologies to reasonably protect their employees’ web privacy. Still, these solutions are neither scalable nor designed to protect end users’ privacy as they interact with commercial websites.
Unfortunately, from a customer perspective, these approaches only detect and prevent known privacy threats and vulnerabilities, and only at infrequent intervals. While useful, they don’t truly capture most of what happens between users’ browsers and third-party applications in real time. They are also not well designed to give sites sovereignty over user data as it flows through a website.
So what’s the fix?
Websites Desperately Need A New Privacy Model
A new model for web privacy is needed, which addresses the technical complexity inherent in the application-based cloud architecture upon which websites operate today.
Lokker offers one such solution specifically designed to provide companies with a complete privacy solution for Continuous Privacy Monitoring and Protection (CPMP). This new category of privacy technology represents a genuinely new model for web privacy, one that addresses the technical problems inherent in the cloud architecture of modern websites.
Lokker is unique because it is the only inline privacy solution that restores data controller permissions to the website owner in a demonstrable way. Universal third-party access control is precisely the technical level of control you need to show that you can see and act under consent-based user information processing guidelines.
In the end, it’s simple. If companies are responsible, they need to be in control.
Lokker is all about giving technical user privacy controls back to the companies who need them most.
- The GDPR Enforcement Tracker
- Gartner – Press release – By 2023, 65% of the World’s Population Will Have Its Personal Data Covered Under Modern Privacy Regulations
- Reflectiz – Looking at the Figures of Third-Party Application Security on Websites
- Osterman Research – White Paper – Third-Party Code: The Hidden Risk in Your Website
- GDPR – What is GDPR?
- Cornell University – User Tracking in the Post-cookie Era: How Websites Bypass GDPR Consent to Track Users
- Imperva – What is Content Security Policy?
- Tala Security – What is iFrame Sandboxing?
- Consolidated Technologies, Inc. – Blacklisting vs. Whitelisting
- McAfee – What is Browser Isolation?