In this guide, I outline some of the most common data privacy violations businesses commit and provide simple tips for how you can avoid making the same mistakes.
It’s important for businesses to know this information because you might be subject to following data privacy laws, which outline strict penalties if you’re caught breaking their rules, knowingly or unknowingly.
Read on to learn more about these common violations, why they happen, and what you can do differently. At the end, you’ll see how Termly can help simplify your business’s data privacy compliance even further.
Do Data Privacy Laws Impact Your Business?
If you collect personal data from your consumers, then there’s a very good chance that data privacy laws impact your business.
Every data privacy law is different, but may apply to you depending on the following factors:
- Where your business is located,
- Where your consumers are located,
- How much personal data you collect,
- The kind of personal data you collect (i.e., special categories of data like sensitive personal data, children’s data, medical data, etc.).
In some cases, there are additional considerations, like your gross annual revenue and the amount of data you share or sell.
For example, the GDPR has a very broad threshold, impacting entities small and large around the world, because it applies to all entities in the EU/EEA, and anyone outside the EU/EEA that:
- Offers goods or services in the region, and
- Monitors the online behaviors of people in the EU/EEA.
Similarly, CalOPPA, the California state-level law credited with regulating the contents of privacy policies, applies to any website with visitors from the state of California.
But the CCPA, on the other hand, considers other factors, like how much income a business makes in a year, and how much personal data they collect, even though it’s also a California state-level law (and the strictest privacy laws so far in the U.S.).
These threshold variations are one of the reasons why keeping up with all the different requirements from each applicable law can feel like a full-time job.
Determining which ones you must follow can feel like a confusing hurdle for many businesses.
What Are the Consequences for Violating Data Privacy Laws?
Data privacy laws outline several obligations businesses must follow, or else a supervisory authority could penalize you if you’re caught breaking these rules.
Punishment depends on the specific law, but could include fines, the cessation of data processing, possible criminal penalties, damage to your brand reputation, and a loss of consumer trust.
The table below lists major privacy laws and the penalties for breaking them:
| Law | Max Penalty | Enforcement Authority | Official Source |
| GDPR | €20M or 4% of global annual turnover | Data Protection Authorities (DPAs) | Article 83 GDPR |
| LGPD | 2% of Brazilian revenue, capped at BRL 50M per violation | ANPD (National Data Protection Authority) | LGPD Official Text |
| CCPA | $2,500 per violation (unintentional), $7,500 per violation (intentional/minors) | California Attorney General | Cal. Civ. Code §1798.155 |
| Colorado Privacy Act | Up to $20,000 per violation | Colorado Attorney General & District Attorneys | Colo. Rev. Stat. §§6-1-1301–1314 |
| Connecticut Data Privacy Act | Up to $5,000 per willful violation | Connecticut Attorney General | Conn. Gen. Stat. §42-515 et seq. |
| Virginia CDPA | Up to $7,500 per violation | Virginia Attorney General | Va. Code Chapter 53 |
| PIPEDA | Up to CAD $100,000 per violation | Office of the Privacy Commissioner & Federal Court | PIPEDA Full Text |
| Australia Privacy Act of 1988 | Up to AUD $50M or 30% of turnover | OAIC (Office of the Australian Information Commissioner) | Privacy Act 1988 |
| South Africa’s POPIA | Up to ZAR 10M or 10 years imprisonment | Information Regulator | POPIA Official Text |
What are the Most Common Data Privacy Violations?
Now that we’ve covered which laws might impact your business and why it’s important to follow the rules outlined by them, let’s look at the most common data privacy violations businesses make so you can more easily avoid them.
1. Insufficient Legal Basis for Data Processing
For entities subject to following the GDPR, the most common violation is ‘insufficient legal basis for data processing,’ according to the GDPR Enforcement Tracker.
At 785 fines totaling around €3 billion ($3.5 billion), it’s the top violation for both sum of fines and number of fines.
Why Does This Happen?
Under the GDPR, there are six legal bases for data processing, and it’s up to the business to adequately prove that their reasoning falls within the specific guidelines.
Usually, this information goes into the entities’ privacy policy (or privacy notification).
If it is missing from the notification, or if the business cannot adequately prove that the legal basis is valid, they might get penalized for this violation.
How Can My Business Avoid It?
To avoid making this same mistake, ensure you have a valid legal basis for each type of data you collect:
- Consent collected from the data subject
- Contractual obligation
- Legal obligation
- Vital interests of the individual
- Public tasks/interest
- Legitimate interest
Also develop a valid way to prove that the legal basis makes sense for the type of data you’re collecting and stays in-line with the rules outlined by the Regulation.
For example, if consent is your legal basis, you must follow all the GDPR’s specific consent rules and obligations.
2. Insufficient Fulfilment of Data Subject Rights
According to the GDPR Enforcement Tracker, the total number of fines received because businesses insufficiently fulfilled data subject rights currently totals €103 million ($120 million).
This is another common violation, because all privacy laws obligate businesses to find ways to receive and respond to requests from individuals to follow through on their rights.
Why Does This Happen?
Privacy laws require businesses to respond to requests from consumers to follow through on their rights within a specific timeframe.
If a business fails to respond in time (or at all), they might receive a penalty for this violation.
It can also occur if the business wrongfully refuses to comply with the individual’s request, is unable to adequately fulfil the request, or if they don’t have a way to properly verify the identity of the person making the request.
How Can My Business Avoid It?
The best way to avoid this violation is to ensure your business has a DSAR process or workflow in place.
It also helps to provide clear avenues for your users to submit these requests, like adding a DSAR form to your website, and having a clearly labeled email just for these types of inquiries.
Streamlining your DSAR workflow this way makes it more efficient to identify, address, and respond to each one in a timely, legally compliant manner.
3. Inadequate Cookie Consent Options
Privacy laws impact how and when websites can use cookies and other trackers, and you must obtain adequate consent for these cookies otherwise you risk getting penalized.
Why Does This Happen?
This violation commonly happens when websites present users with inadequate cookie banners that may be missing key features, including:
- A ‘Decline’ button
- A ‘Preferences’ button
- A live link to an accurate cookie policy
- A live link to an accurate privacy policy
Consent rules change depending on which laws apply to the consumer viewing the consent banner, so try to use tools that have features like regional-consent settings.
How Can My Business Avoid It?
To avoid making this mistake, use a reliable consent management platform with a consent banner that you can configure to align with all laws that impact your business and your consumers.
Make sure you also perform regular website scans to find, categorize, and label all cookies your website wants to place on users’ browsers.
Present them with all of these details in a cookie policy linked to your banner; this way you know they’ll be fully informed, which helps keep you in line with privacy laws.
4. Ignoring User Opt-Out Signals
Internet users can set opt-out preference signals on their browsers or use browser extensions.
Some privacy laws consider this to be a valid form of following through on the individual’s right to ‘opt out’ of data processing.
If your website is ignoring these signals, you might get fined for violating laws like the CCPA.
Why Does This Happen?
This violation can happen when websites do not have the technical know-how, budget, or time to enable their site to honor universal opt-out mechanisms.
In some cases, nefarious websites might purposefully mislead visitors, which. Intentionality in this way often leads to more significant privacy law violations.
How Can My Business Avoid It?
To avoid getting penalized for violating this law, take the time to implement the proper technical measures on your site.
Ensure it can detect these opt-out signals and adjust accordingly, including disabling all advertising cookies.
It might detect the signal in the HTTP headers or JavaScript.
5. Vague (or Missing!) Privacy Policy Details
Privacy policies that are incomplete, dishonest, or not up to date put your business at risk of getting fined for violating privacy laws.
Not only are updated privacy policies required by laws like the GDPR, the CCPA, and more, but several laws state it’s unlawful to collect data not properly disclosed to the consumer.
The best way to disclose these details? In a properly written, comprehensive privacy policy.
Why Does This Happen?
This can happen when businesses change their privacy practices but forget to update their policy or do not properly inform their users about the changes.
It can also happen when businesses don’t prioritize following privacy laws.
For example, some might falsely believe privacy laws don’t matter, or their business is ‘too small’ to get fined for violating the law.
How Can My Business Avoid It?
To avoid having a vague privacy policy, or if you still need to make one for your platform, try using a privacy policy generator like Termly’s.
Backed by our legal team and data privacy experts, we literally built this tool to help businesses simplify the process of making privacy policies that align with applicable laws.
It asks simple questions about your business and how you collect and process data and includes details to help create different clauses as required by 30 privacy laws (and counting!).
6. Collecting Too Much Unnecessary Data
All data privacy laws limit how much data entities can lawfully collect.
Websites that choose to simply collect as much information from users as possible just for the sake of it put themselves at risk of getting fined (or worse) for violating these laws.
Why Does This Happen?
Collecting too much data commonly happens when businesses don’t take privacy laws or their consequences seriously, and it signifies a disrespect for consumer personal privacy.
Not only is storing large amounts of data lawfully irresponsible, but it also puts the information at a greater risk of getting unlawfully accessed or breached.
How Can My Business Avoid It?
To avoid this violation, perform a data audit so you know all personal data your business collects, why, and what you do with it.
If any information does not have a clear, lawful purpose for being collected and used, then it’s a good idea to stop the data processing.
Always ask yourself, is collecting this information necessary for my business? If the answer is no, then don’t do it.
7. Data Breaches, Leaks, and Unauthorized Access
Last on the list, but not necessarily the least common violation, are data breaches, leaks, and getting fined for other issues involving unauthorized access to personal data.
When personal data in your possession is leaked or breached, data privacy laws hold you financially and lawfully accountable.
Why Does This Happen?
Data leaks and breaches happen when businesses don’t properly secure the data they collect and store.
It can also happen due to internal error, primarily if your team isn’t properly trained to combat and recognize common cybercrimes or insecure online activities.
According to recent data, cyberattacks are on the rise, making this an important aspect of data processing that businesses must consider.
How Can My Business Avoid It?
To avoid unauthorized data leaks, breaches, and cyber-attacks, consider implementing the following best practices:
- Train your entire team to be aware of cybercrimes, including phishing attacks, spoofing, avoiding clicking on insecure links, and more.
- Implement strong password policies and enforce multi-factor authentication.
- Encrypt the data on devices, as well as any back-up data you have stored.
- Use firewalls and antivirus software.
- Regularly update all of your software, operating systems, and other security tools to avoid security gaps.
- Limit who on your team has access to data only to those who need to use it.
- Always vet third-party vendors for strong safety and security measures.
How Termly Helps Businesses Simplify Data Privacy Compliance
With Termly in your toolbox, it’s much easier to avoid these and other common data privacy violations.
Our tools help businesses simplify the process of aligning their website or app with applicable data privacy laws.
The Privacy Policy Generator includes clauses as required by 30 privacy laws from around the world, and our legal team and data privacy experts update it regularly to accommodate the evolving legal landscape and needs of our users.
Our Consent Management Platform is configurable to meet the opt-in and opt-out requirements of laws in 80 regions. It includes features like script auto-blockers, regional consent rules, consent logs, a user preference center, Google Consent Mode compatibility, and more.
The best part? You can manage all these tools from one convenient location, the Termly dashboard. Get started for free today!
More about the author
Written by Natasha Piirainen
Natasha is a Content Specialist with over 10 years of professional experience in research-driven content development. She graduated from Wheaton College with a degree in English and Philosophy. At Termly, she focuses on data privacy and consent management best practices and is responsible for maintaining and updating comprehensive data privacy materials.
More about the author
Reviewed by Teodor Stanciu, CIPP/E, CIPM Legal Coordinator & DPO
