And you thought Google’s €50 million data privacy fine was “massive.” (See my analysis here.)
Now the ICO (the UK data protection authority) has announced their intention to fine British Airways and Marriott International a total of over $352 million (about €312.5 million).
Both companies were found to have violated GDPR requirements and responsibilities regarding data security. British Airways suffered a data breach that was believed to have started in June 2018 and was discovered in September. User traffic was diverted to a fraudulent site, exposing the data of some 500,000 customers. The announced fine (which technically applies to the parent group, International Consolidated Airlines Group, or IAG) of £183.39 million ($228.7 million) was evidently calculated as 1.5% of BA’s 2017 global gross revenue. On that basis, the maximum GDPR fine of 4% would be over $610 million.
Marriott’s case is more complicated. The hotel conglomerate acquired Starwood hotels in 2016. Unknown to anyone at the time, Starwood’s systems had been compromised in 2014; the breach was discovered and reported by Marriott in November 2018. Personal data from some 339 million guest records were exposed, of which 31 million were from the EU and seven million from the UK. The ICO found that Marriott did not undertake sufficient due diligence when it acquired Starwood, and announced a fine of £99.2 million ($123.7 million).
Both companies have announced they will appeal the findings. British Airways said they had “responded quickly to a criminal act to steal customers’ data.” Speaking to the Wall Street Journal, however, ICO chief Elizabeth Denham said that they had found “lack of some of the most basic protections that people would expect, [such as] encryption of credit card data. The CVV codes on credit cards at British Airways were open.”
Regarding the size of the proposed fines, Denham added:
Our fines have to be effective, proportionate and dissuasive. For a fine to be dissuasive against a company that has a turnover in this stratosphere, we have to provide the fine accordingly. This is not a small business. This is not a charity. This is a large business that you’d expect would take care of personal data.
A big headache for IT, but marketers will also feel the pain
You might think that data security and breach prevention are hardly concerns for marketers and CX teams. On the contrary. First of all, in the looming battle for precious personal data, marketing’s ownership of the customer relationship is going to be more crucial — and more difficult — than ever. When you revise your currently miserable, CX-hostile, and probably illegal cookie consent notices and make compelling value propositions in exchange for data, you’d better be damn sure that the organization can deliver on your promises. Keeping consumer data secure is a relatively small aspect of the overall “data-exchange experience” — but we know that it has massive influence on consumers’ judgement and perception of the brand.
Second, Elizabeth Denham’s emphasis on “effective” and “dissuasive” fines — meaning that they hurt so much you won’t risk that behavior again — applies equally and directly to the marketing side of data processing.
The ICO has also recently released a report and fresh guidance on digital advertising and the use of cookies. (See “Come Back to the GDPR, RTB, RTB.”) These expose “systemic” violations of the GDPR in commonplace and pervasive advertising and marketing practices. (See the analysis of cookie consent violations here.) They also serve as fair warning to all companies deploying such practices to reform their ways immediately. If not, you can bet that the fines will be equally “dissuasive.”
Contact us if you’d like to discuss reviewing and rethinking your marketing practices in the era of “beg data.”