Sensitive data is a goldmine for adversaries. Recently, the Italian Antitrust Authority fined Google Ireland Ltd. and Apple Distribution International Ltd. €10 million ($11.26 million) each, citing aggressive data practices. The agency stated that both companies had violated the Consumer Code practices during customers’ data acquisition and commercial use.
Both companies leveraged consumers’ data for commercial purposes, promoting their various products and services. As per data privacy laws, organizations should not leverage users’ data for commercial/promotional purposes without their consent.
Reasons for Penalty
The privacy regulator mentioned multiple reasons for its penalty:
- Google and Apple did not provide clear and immediate information on the acquisition and use of user data for commercial purposes.
- Google, both in the account creation phase, which is essential for the use of all the services offered, and during the use of the services themselves, omits relevant information that the consumer needs to consciously decide to accept that the Company collects and uses their personal information for commercial purposes.
- Apple, both in the phase of creating the Apple ID and on the occasion of accessing the Apple Stores (App Store, iTunes Store, and Apple Books), does not immediately and explicitly provide the user with any indication on the collection and use of your data for commercial purposes, emphasizing only that data collection is necessary to improve the consumer experience and use of services.
“In the account creation phase, Google pre-sets the user’s acceptance of the transfer and/or use of their data for commercial purposes. This pre-activation allows the transfer and use of data by Google, once generated, without the need for other steps in which the user can confirm or change the choice pre-set by the agency from time to time. In the case of Apple, the promotional activity is based on acquiring consent to use user data for commercial purposes without providing the consumer with the possibility of a prior and express choice on sharing their data. This acquisition architecture, prepared by Apple, does not make it possible to exercise one’s will on the use of one’s data for commercial purposes. Therefore, the consumer is conditioned in the choice of consumption and undergoes the transfer of personal information, which Apple can dispose of for its own promotional purposes carried out in different ways,” the regulator said.
Organizations need to be vigilant and practice robust cybersecurity measures while handling users’ classified information.