On December 17, 2021, a Luxembourg judge proclaimed the court orders regarding Amazon’s GDPR breach not “sufficiently clear, precise, and without uncertainty.” As such, the judge suspended them until further revisions are made.
Earlier in the year, the court mandated that on top of paying the record-breaking fine—in the form of $750,000 daily installments—the company had to enact the corresponding practice changes by January 15th or else face further sanctions.
Amazon appealed the ruling months ago, asserting that the fine was out of proportion. It claimed there was no data breach and that the ruling’s lack of clarity made the deadline impossible to meet.
“We have no guidance about what we need to do, so how do we do it?” said Amazon’s lawyer at a hearing.
The ecommerce giant was first accused of misusing customers’ personal data back in May 2018. However, it wasn’t until July 2021 that Amazon lost the battle against the Luxembourg Data Protection Agency (CNPD).
According to the data protection experts, the penalty was never about customers’ Personally Identifiable Information (PII) being exposed. It was about the lack of user consent for behavioral tracking within the website.
“The targeted ad system that Amazon forces onto us is not based on free consent, which is a violation of the GDPR,” declared digital advocate group La Quadrature du Net.
The Intricacies of GDPR Compliance
Jeff Bezos’ brainchild is not the first multinational company that has encountered issues with the GDPR. Still, it is the one that boasts the highest financial penalty to date.
The previous title-holder, Google, had to pay just over $50 million for a similar transgression back in 2019.
Since the GDPR came into effect in 2018, the watchdogs can levy up to 4% of a company’s annual turnover. This makes non-compliance an even more ominous risk for enterprises, SMBs included.
Most ecommerce hosting solutions, for instance, are SSL-certified and PCI-compliant. This means they can handle credit card transactions securely and lawfully. Still, that doesn’t cover all the data protection requirements businesses need to meet.
Any company that collects user information, has a website that employs cookies, or shares data with third parties (say, shopping cart software or cloud storage solutions) without getting the users’ consent beforehand, could get in trouble with privacy laws.
How to avoid that?
Some terms of service generators have regulations down to a T. They offer their services to help companies avoid the risk of breaching privacy protection decrees, too. iubenda, for example, is one of the best for GDPR compliance.