Two Days. Two Fines. $352 million. Does Data Privacy Have Your Attention Now?

And you thought Google’s €50 million data privacy fine was “massive.” (See my analysis here.)

Now the ICO (the UK data protection authority) has announced their intention to fine British Airways and Marriott International a total of over $352 million (about €312.5 million).

Both companies were found to have violated GDPR requirements and responsibilities regarding data security. British Airways suffered a data breach that was believed to have started in June 2018 and was discovered in September. User traffic was diverted to a fraudulent site, exposing the data of some 500,000 customers. The announced fine (which technically applies to the parent group, International Consolidated Airlines Group, or IAG) of £183.39 million ($228.7 million) was evidently calculated as 1.5% of BA’s 2017 global gross revenue. On that basis, the maximum GDPR fine of 4% would be over $610 million.

Marriott’s case is more complicated. The hotel conglomerate acquired Starwood hotels in 2016. Unknown to anyone at the time, Starwood’s systems had been compromised in 2014; the breach was discovered and reported by Marriott in November 2018. Personal data from some 339 million guest records were exposed, of which 31 million were from the EU and seven million from the UK. The ICO found that Marriott did not undertake sufficient due diligence when it acquired Starwood, and announced a fine of £99.2 million ($123.7 million).

Both companies have announced they will appeal the findings. British Airways said they had “responded quickly to a criminal act to steal customers’ data.” Speaking to the Wall Street Journal, however, ICO chief Elizabeth Denham said that they had found “lack of some of the most basic protections that people would expect, [such as] encryption of credit card data. The CVV codes on credit cards at British Airways were open.”

Regarding the size of the proposed fines, Denham added:

Our fines have to be effective, proportionate and dissuasive. For a fine to be dissuasive against a company that has a turnover in this stratosphere, we have to provide the fine accordingly. This is not a small business. This is not a charity. This is a large business that you’d expect would take care of personal data.

A big headache for IT, but marketers will also feel the pain

You might think that data security and breach prevention are hardly concerns for marketers and CX teams. On the contrary: first of all, in the looming battle for precious personal data, marketing’s ownership of the customer relationship is going to be more crucial — and more difficult — than ever. When you revise your currently miserable, CX-hostile, and probably illegal cookie consent notices and make compelling value propositions in exchange for data . . . you’d better be damn sure that the organization can deliver on your promises. Keeping consumer data secure is a relatively small aspect of the overall “data-exchange experience” — but we know that it has massive influence on the consumer’s judgement and perception of the brand.

Second, Elizabeth Denham’s emphasis on “effective” and “dissuasive” fines — meaning that they hurt so much you won’t risk that behavior again — applies equally and directly to the marketing side of data processing.

The ICO has also recently released a report and fresh guidance on digital advertising and the use of cookies. (See “Come Back to the GDPR, RTB, RTB.”) These expose “systemic” violations of the GDPR in commonplace and pervasive advertising and marketing practices. (See the analysis of cookie consent violations here.) They also serve as fair warning to all companies deploying such practices to reform their ways immediately. If not, you can bet that the fines will be equally “dissuasive.”

Contact us if you’d like to discuss reviewing and rethinking your marketing practices in the era of “beg data.”

Tim Walters, Ph.D.
Tim is a principal strategist and the privacy lead at The Content Advisory, as well as a partner at IOOI Group and a founding partner of Digital Clarity Group. Through his writing, advising and public speaking he aims to help both enterprises and solution providers come to terms with customer experience management (CEM) – while also respecting the privacy and personal data of consumers. For him, this means understanding the fundamental concepts – experience, customer journeys, the jobs to be done – and then designing and implementing the engagement strategies that deliver mutual benefit for both buyers and sellers. His publications include “The CEM Imperative,” an “Executive FAQ” about the General Data Protection Regulation (GDPR), and “Is Native Advertising the New Black?”. Prior to DCG, he was a Senior Analyst and Advisor at Forrester Research, and director of international marketing and strategy for FatWire Software. Earlier, he was a professor at the University of Rochester and New York University.
