Millions of dollars at risk if companies don’t take consumer data protection seriously

Dare I use the term “datapocalypse?” Kidding aside, data privacy and security are becoming huge issues with major consequences for companies that fail to take necessary steps to comply or live up to their own promises.

Domestically, the Federal Trade Commission (FTC) is filing complaints against companies that represent one thing but do another; internationally, the EU’s General Data Protection Regulation (GDPR) will require much closer attention to consumer data privacy from US companies doing business in Europe.

Earlier this week, the FTC and Uber settled a privacy complaint that alleged Uber had failed to act in accordance with its promises to protect consumer and driver data from improper employee and third party-access. As part of the settlement, Uber will submit to twice-yearly privacy audits for the next 20 years.

This is the second FTC settlement in 2017 for Uber. Earlier, the company agreed to pay $20 million to settle a complaint that misrepresented driver earning potential and car financing terms.

In another recent settlement, the FTC forced the “disgorgement” (return) of lead-gen-related profits obtained by Blue Global Media, which ran websites that obtained consumer loan applications that were then sold to third parties. The company misrepresented how the personal data would be handled and to whom it was being made available.

The data was provided not to “trusted lenders” but to any paying third party, and “sensitive personal and financial information was shared and sold indiscriminately without consumers’ knowledge or consent.” The settlement required the company to return the entire $104 million it made selling consumer leads.

In Europe, the privacy and consumer-data earthquake known as the General Data Protection Regulation (GDPR) goes into effect in May 2018. It’s going to require more security, more disclosures and opt-in permissions for use of consumer data. It will also limit uses of consumer data by internet platforms and martech companies.

There may be significant fines for violations — in the millions of euros — and GDPR’s reach will extend to any company using EU citizens’ data, regardless of the company’s primary place of business. Here are a few overview and implications articles for GDPR:

• What is the GDPR, and why should martech care?
• What the GDPR means for your business
• The impact of GDPR on marketing technology and cybersecurity
• Here’s how ‘customer tech’ may rescue consumers and brands from GDPR
• Janrain offers one of the first GDPR portals for consumer data management

Startups and established companies alike are going to need to pay extremely close attention to data privacy and security compliance going forward — especially if they capture or use data from EU citizens, which most large US internet companies do. In the US, the same holds true, but the emphasis (at the FTC) generally is on consumer deception, and whether companies are complying with their own terms and policies.

Data privacy and security are no longer issues that companies can afford to be sloppy about. If they are, the consequences could be dire.