Amazon was recently fined €746 million by the Luxembourg National Commission for Data Protection (CNPD) for violating the EU GDPR. A statement from J Cromack, Lead Product Evangelist at DataGuard:
Details about the ruling are limited due to local laws in Luxembourg prohibiting information being published until the appeal process is concluded. It was only made public because Amazon disclosed the fine in a filing with the US Securities and Exchange Commission, and Bloomberg picked up on it.
But if we look at the initial complaint by the Association La Quadrature du Net (LQDN) and their recent blog, it’s clear the ruling is related to a lack of transparency and control offered to individuals.
“The decision, revealed by Bloomberg, suffers from no ambiguity: the targeted ad system that Amazon forces onto us is not based on free consent, which is a violation of the GDPR. As such, the corporation is fined to the tune of €746 million. Amazon’s reaction to this historic sanction is to complain to Bloomberg, pretending to not understand what is at stake: ‘There has been no data breach, and no customer data has been exposed to any third party’. Rightly so: it is the system of targeted advertising itself, and not merely occasional security breaches, that our legal action attacked. This historic fine hits straight to the heart of Big Tech’s predatory system and should be celebrated as such.”
Whilst it is difficult to comment in full without seeing details of the ruling, certain conclusions can be drawn, and businesses need to take note.
- Whatever currency you report this fine in ($888 million, £638 million or €746 million), it’s huge. And one that Amazon will contest. But it is not for the usual headline-grabbing data breach. It’s because the lawful basis required for processing people’s data is deemed to be consent, and consent is being “bundled” into the terms and conditions of service. This is a high-risk strategy as regulators finally appear to be looking at consent mechanisms that violate the GDPR.
As per the original complaint from LQDN:
“The fact that certain data processing operations are covered by a contract does not automatically mean that these processing operations are necessary for its execution. For example, Article 7(b) is not a suitable legal basis for profiling the tastes and lifestyles of a user based on his browsing experience on a website and the products he has purchased. Indeed, the contract was not concluded to carry out a profile, but to provide certain goods or certain services, for example. Even if these treatments were specifically mentioned in the details of the contract, this fact alone would not make them ‘necessary’ for the execution of the contract.”
- If it is concluded that consent is the correct lawful basis for Amazon’s processing activity, then for this consent to be valid an organisation must explain to people, in a way they can easily understand, that they are consenting to direct marketing. The latest “draft” guidance from the UK’s Information Commissioner’s Office (ICO) says:
“The request for consent needs to be prominent, concise, in plain language, and separate from your privacy information or other terms and conditions.”
- This indication needs to be unambiguous, and a clear affirmative action must be taken. Too many businesses still rely on lengthy privacy notices to provide this information, which they know very few people will read, and assume they have consent because the individual accepted the terms and conditions of service – this is risky business.
All the mainstream press picked up on this story, and therefore it was likely to have been read by your customers. This is further educating individuals that they have rights when it comes to their data, and they’ll be looking for ways to exercise those rights.
- To build trust, individuals need to be given short, easy-to-understand data processing notices and meaningful control of their data. It is no longer OK to have unclear data processing activities that are difficult to understand, as this erodes consumer trust.
It’s a huge win to finally see businesses being challenged on the lawful basis they apply to processing our data, and to see checks finally taking place to ensure that the correct mechanisms to collect consent in a way that is transparent, specific, and controlled have been implemented.
The wording for the ICO’s draft direct marketing code of practice shines further light on this.
“Given that individuals have the absolute right to object to direct marketing, it is more difficult to pass the balancing test if you do not give individuals a clear option to opt out of direct marketing when you initially collect their details (or in your first communication if the data was not collected directly from the individual). The lack of any proactive opportunity to opt-out in advance would arguably contribute to a loss of control over their data and act as an unnecessary barrier to exercising their data protection rights.
Other examples of when it is very difficult for you to pass the balancing test include:
- processing for direct marketing purposes that you have not told individuals about (i.e., invisible processing) and they would not expect; or
- collecting and combining vast amounts of personal data from various sources to create personality profiles on individuals to use for direct marketing purposes. (Probably applies to the Amazon case)
Remember, if PECR requires consent then in practice it is consent and not legitimate interests that is the appropriate lawful basis.”
This further highlights the need to provide clear notices and meaningful control to the individual ahead of the processing of personal data.
I’m sure many businesses will see this fine and take a view that they’re too small to be picked up by the authorities, but I predict the increasing news flow about these opaque practices will continue to erode trust. This means it will impact even the smallest businesses, and they will see an increase in the number of data subject access requests received. It is essential all businesses review their processes for using, capturing, and recording consent as a lawful basis.
It’s time for businesses to get smart when it comes to consent. No more opaque and dark patterns designed to capture our consent without us noticing. Be open, be upfront, explain why you need individuals’ data and what they’ll get in return. Give them meaningful control and access to their consent history.
Getting Data Protection Right increases trust with consumers, which in turn will improve data quality and profit. We’re seeing our customers who adopt this approach not only increase their consent volume by up to 68%, but also capture improved insights and preferences.
If you would like to chat about improving the way you collect consent from your consumers and see if your approach is likely to upset the authorities, we’d love to hear from you.