The French data protection watchdog has imposed its harshest penalty on Facebook for six breaches of French privacy law.
The breaches include tracking users across websites other than Facebook.com without their knowledge, and compiling a massive database of personal information in order to target advertising.
The French National Commission on Computing and Liberty (CNIL) began its investigation of Facebook and its European subsidiary, Facebook ireland, after the company made changes to its terms and conditions outlining the practices in January 2015.
CNIL wasn't the only organization concerned by Facebook's changes: data protection authorities in Belgium, the Netherlands, Spain and Hamburg, Germany also began investigations around the same time.
After a year's digging, including visits to Facebook offices, CNIL sent the company a formal notice giving it three months to comply with the French Data Protection Act. Facebook asked for, and was granted, an extension, in order to respond.
Advertisement
Facebook's response, when it eventually came, did not satisfy CNIL, which has now decided to impose a fine -- the largest it can under French law -- of €150,000 (US$166,000).
That might be enough to persuade smaller businesses to change their behavior, but for Facebook it's just 25 minutes' profit, based on last year's financial results.
In future, though, similar infringements could result in much stiffer penalties. Today, businesses operating across the European Union must deal with privacy laws on a country-by-country basis, answering to each of the national regulators, few of which are able to impose dissuasive fines.
From May 25, 2018, though, the General Data Protection Regulation (GDPR) will introduce a single set of privacy rules across the EU's 28 member states, and raise the fines to €20 million ($22 million) or 4 percent of worldwide revenue.
Companies wishing to avoid the same fate should avoid the faux pas for which Facebook was fined:
- Combining all the information it has on account holders to display targeted advertising without a legal justification for the process: While users may control the display of targeted advertising, they cannot opt out of the data collection and combination behind it, CNIL noted;
- Tracking internet users via the “datr,” cookie planted by third-party sites using a Facebook plug-in, without giving clear and precise information about the tracking;
- Not providing clear information to internet users signing up for the service about their rights and the use that will be made of their data;
- Collecting sensitive personal information without explicit consent;
- Preventing users from blocking the storage of cookies on their phones and computers, and
- Storing, without good reason, all the IP addresses from which users have ever accessed their account.
Next read this:
- 15 IT resolutions for 2019
- The 9 new rules of IT leadership
- 20 ways to kill your IT career (without knowing it)
- IT manager’s survival guide: 11 ways to thrive in the years ahead
- 7 key IT investments for 2019 (and 3 going cold)
- 10 signs top talent may soon leave
- 11 red flags to watch for when hiring
- 7 things IT should be automating
- 8 digital transformation mistakes (and how to fix them)
- 8 IT cost cutting mistakes you need to avoid
- Why IT-business alignment still fails
- CIO resumes: 6 best practices and 4 strong examples
- 4 KPIs IT should ditch (and what to measure instead)
- 6 practices of influential IT leaders