Companies Getting Fined For Tracking Users: How To Stay Private Online

This post may contain affiliate links and I may receive a small commission if you make a purchase using these links – at no extra cost for you. Please read my disclaimer here.

The past two years finally saw EU privacy regulators impose hefty fines on tech giants for contravening the EU's General Data Protection Regulation (GDPR). The top ten GDPR penalties since the start of 2021 amount to over €2.3 billion. Even Apple, which enjoys a reputation for better privacy than most tech companies, has been catching serious flak in Europe because iOS 13 tracked users without consent.

GDPR penalty amounts increased sharply in 2021, a trend widely interpreted as an indication that EU data protection agencies are becoming more serious about their duties.

Meanwhile, in US privacy news

Over in the US, Google has quietly settled several long-running privacy lawsuits and will pay users millions over its privacy invasions.

  • 420,000 Illinois residents could receive about $154 each in a $100M settlement because Google’s face grouping tool violated Illinois’ biometric privacy law.
  • Individual users won't benefit directly from the $85M Arizona AG settlement where it was alleged that Google secretly obtained user data to sell advertisements.
  • Nor will individual users benefit from the $391.5M 40-state AG settlement where it was alleged that Google kept collecting location information using Wi-Fi and cellular connection information even after users disabled their location tracking.
  • The $23M California class action settlement came about because Google shared the plaintiffs' search queries with third-party advertisers without their permission.

In addition, TikTok has been banned from all devices managed by the US House of Representatives network because its data collection is considered severe enough to pose a security risk.

Even in the US, companies are getting fined or sanctioned for tracking users and invading their privacy, making it clear that privacy is becoming more important to users everywhere.

What is the GDPR, and why does it matter to US citizens?

The European Union (EU) General Data Protection Regulation (GDPR) is currently the world's strictest privacy and security law. It imposes obligations on all organizations that target or collect data related to people in the EU.

Unlike the privacy protection EU citizens enjoy, US laws regulate how your data should be protected once collected but allow anyone to collect as much user data as they like. In fact, the government collects a fair bit itself without asking permission.

This distinction matters a lot.

Despite the Google privacy settlements, US users have no broad legislated protection against privacy invasions by tech companies. They have to take their own steps to guard their online privacy.

For US users, the GDPR can provide a benchmark for privacy regulation. Even if the GDPR does not apply to your country, it can serve as a guideline for what US users should ask of US companies. Companies that stick to the GDPR show that they care more about user privacy than companies that don't.

But, as things turn out, it also gives tech-savvy US users some practical anti-tracking internet options, as you'll learn from our privacy tips about VPNs below.

Will GDPR fines pave the way for US privacy laws?

Companies of all sizes have received fines for "not having a sufficient legal basis for data processing" or for collecting and processing consumer data "without informed consent." They can also be fined for not protecting consumer data or non-compliance with the GDPR principles.


Keeping Google's recent settlements for US privacy contraventions in mind, the EU's top ten GDPR fine list makes for interesting reading as an indication of what may come in the US:

  • Luxembourg whacked Amazon with a €746 million GDPR fine for using cookies "without valid consent." Amazon also received a $42M fine from France for the same transgression.
  • Instagram (Meta) got fined €405 million for allowing 13-17-year-old users to open Instagram business accounts without making it abundantly clear that business accounts default to "public." As a result, children's phone numbers and email addresses were published openly.
  • WhatsApp got a €225M penalty for failing to be transparent about how user data is gathered and shared. They forced users to navigate multiple layers of complex, lengthy documents.
  • Meta got whacked with €390M (2023-01-04) and €265M (2022-11-2) fines for failing to protect user data, while Facebook got another €60M (2021-12-31) because users had to click multiple times to refuse cookies. They made matters worse by burying a mislabeled 'reject' button on the second page of the consent interface.
  • Google got a €90M and a €60 million fine for non-compliant cookie consent mechanisms because users only had to click once to accept cookies but had to click multiple times to refuse cookies.

Tips for how to stay private online

Large companies that operate on the edges of privacy laws aren't the only ones we should worry about. Many smaller companies still use default cookie options on their websites and participate in mass data harvesting programs via third-party tracking without giving privacy a second thought.

Still, whether invasive tracking happens through a careless mistake or by design, there are clues that show whether a company takes user privacy seriously. Here's what to look for:

Check for a GDPR-compliant privacy policy

US laws regulate how your data should be protected, even if the government does not mind that anyone can (and does) collect as much user data as they like. So, if you are concerned about your privacy, it makes sense to use existing laws, even ones that don't apply to your country, as a general guideline for what to expect from companies that handle your data. Companies that stick to the GDPR show that they care.

Use a VPN and connect to a European server

Clear your cache (cookies) and connect to a European VPN server before you start browsing the internet.


After that, websites will see you as an EU resident and treat you accordingly (unless you give away your identity by surfing while you're signed in to your Google or Facebook account).

Set up a jump server for your home or office network

A jump server (jump box) is a single, controlled point of access between you and the internet. For example, you can place a server between your home or company network and the internet and require users to log into that system before they can browse. It's a tried and tested, if somewhat elaborate and outdated, way to isolate users from direct contact with websites (other servers on the internet) and to protect your privacy and security.

Limit browser add-ons

Shopping aids, coupon checkers, and gaming aids aren't just harmless shopping tools. They're actually small programs with full access to everything you do on the internet.


Browser add-ons can undermine all your attempts to stay (relatively) anonymous on the internet, so delete as many as possible. Apart from gaining better privacy, you will also be rewarded with a faster browser!
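One way to see for yourself how much an add-on can reach, as an added example that is not from the original post: this Python check reads an extension's manifest.json (the Chrome/Firefox manifest fields `permissions`, `host_permissions` and `content_scripts`) and reports anything that grants access to every site you visit. The two manifests are constructed for illustration.

```python
"""Report the manifest permissions that let a browser add-on read or change
everything you do online. Added example, not from the original post; the
field names are Chrome/Firefox extension manifest fields, and both sample
manifests are constructed."""
import json

# Match patterns that cover every origin the browser visits.
ALL_SITES = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}
# API permissions that expose browsing activity or page content.
SENSITIVE_API = {"webRequest", "webRequestBlocking", "tabs", "history",
                 "cookies", "clipboardRead", "scripting", "webNavigation"}

def audit_manifest(manifest_json):
    """Return a list of findings; an empty list means nothing broad was found."""
    m = json.loads(manifest_json)
    perms = set(m.get("permissions", []))
    # MV3 lists host patterns separately; MV2 mixes them into "permissions".
    hosts = set(m.get("host_permissions", [])) | {
        p for p in perms if "://" in p or p == "<all_urls>"}
    findings = []
    if hosts & ALL_SITES:
        findings.append("host access to every site: " + ", ".join(sorted(hosts & ALL_SITES)))
    for script in m.get("content_scripts", []):
        if set(script.get("matches", [])) & ALL_SITES:
            findings.append("content script injected into every page: "
                            + ", ".join(script.get("js", [])))
    if perms & SENSITIVE_API:
        findings.append("sensitive APIs: " + ", ".join(sorted(perms & SENSITIVE_API)))
    return findings

# Constructed manifest of a hypothetical coupon-checker add-on.
COUPON_TOOL = json.dumps({
    "manifest_version": 3, "name": "Coupon Checker (constructed)", "version": "1.0",
    "permissions": ["storage", "tabs", "webRequest"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["<all_urls>"], "js": ["content.js"]}]})
# Constructed manifest of a narrowly scoped add-on for comparison.
NARROW_TOOL = json.dumps({
    "manifest_version": 3, "name": "Single-site helper (constructed)", "version": "1.0",
    "permissions": ["storage"], "host_permissions": ["https://example.com/*"]})

if __name__ == "__main__":
    for name, manifest in (("coupon tool", COUPON_TOOL), ("narrow tool", NARROW_TOOL)):
        print(name, "->", audit_manifest(manifest) or ["nothing broad"])
```

Installed extensions keep their manifest.json on disk, so the same check can be run against the add-ons already in your browser profile.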

Use a Privacy-First browser with an advanced Adblocker

VPNs don't generally block cookies because your browser controls cookie management. However, a privacy-first browser like Firefox, augmented with a blocker such as uBlock Origin, will significantly lessen your privacy risks, especially when used with an advanced VPN that can block third-party trackers. Beware of fake cookie blockers that actually operate as super-trackers themselves.

Don't ignore the cookie banner

Some websites will automatically set cookies and privacy-menacing third-party trackers on your browser unless you explicitly decline or reject cookies via a cookie banner. If you ignore the banner and keep browsing, they will treat you as having consented to be tracked.

Check for a GDPR-compliant privacy policy

It should state what information the company collects, keeps, and shares with third parties, and it should provide a way for users to submit data subject access requests. It should be of manageable length and written simply, as WhatsApp learned.

Check for dark patterns

Under GDPR, it is a violation to influence or trick users into accepting cookies, like providing an 'Accept all' button but not a 'Reject all' button. Google and Facebook have both received multi-million euro fines for consent interfaces that seemed to coerce users into accepting cookies.
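As an added example that is not part of the original post, here is a small Python check over constructed HTML that flags the consent-interface pattern described above: a one-click "Accept all" with no equally direct "Reject all", or with refusal buried behind a settings page. The banner id `cookie-banner`, the word lists and the sample banners are assumptions made for illustration.

```python
"""Flag a consent banner offering one-click 'Accept all' but no equally
direct 'Reject all'. Added example, not from the original post; banner id,
word lists and sample HTML are constructed assumptions."""
from html.parser import HTMLParser

BANNER_ID = "cookie-banner"                          # assumed dialog id
VOID = {"br", "img", "input", "hr"}                  # tags without an end tag
KINDS = (("reject", ("reject", "decline", "refuse", "deny")),
         ("accept", ("accept", "agree", "allow all", "got it")),
         ("manage", ("manage", "settings", "preferences", "customize")))

class BannerControls(HTMLParser):
    def __init__(self):
        super().__init__()
        self.depth, self.buf, self.labels = 0, None, []   # depth>0: inside banner

    def handle_starttag(self, tag, attrs):
        if self.depth or dict(attrs).get("id") == BANNER_ID:
            self.depth += 1 if tag not in VOID else 0
            if tag in ("button", "a"):
                self.buf = []                        # start capturing a label

    def handle_endtag(self, tag):
        if self.depth and tag not in VOID:
            if tag in ("button", "a") and self.buf is not None:
                self.labels.append(" ".join("".join(self.buf).split()).lower())
                self.buf = None
            self.depth -= 1

    def handle_data(self, data):
        if self.buf is not None:
            self.buf.append(data)

def audit_banner(html):
    parser = BannerControls()
    parser.feed(html)
    # First matching kind wins, so "Reject all" is never read as an accept.
    kinds = {next((k for k, ws in KINDS if any(w in l for w in ws)), "other")
             for l in parser.labels}
    if "reject" in kinds:
        return "ok: accept and reject are equally direct"
    if "manage" in kinds:
        return "dark pattern: refusal hidden behind a settings page"
    return ("dark pattern: no way to refuse at all" if "accept" in kinds
            else "no consent controls found")

# Constructed samples; the first mirrors the interfaces the fines describe.
COERCIVE = ('<div id="cookie-banner"><p>We use cookies.</p><button>Accept all'
            '</button><a href="/settings">Manage preferences</a></div>')
COMPLIANT = ('<div id="cookie-banner"><button>Accept all</button>'
             '<button>Reject all</button></div>')
```

Running `audit_banner(COERCIVE)` reports the settings-page pattern, while `audit_banner(COMPLIANT)` passes; real banners use many different ids, so the id is the first thing to adapt.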

Check their security awareness about sensitive data

Here, US users are on much firmer footing because regulatory agencies can hold businesses responsible for protecting user data.


Companies should ensure data security and provide accessible documentation about their security practices. Look for information about their identity and access management, their oversight of third parties, and their use of end-to-end encryption.

Don't provide sensitive data without cause

According to GDPR guidelines, businesses should not request or process unnecessary information. The personal data they ask for must be:

  • Adequate (sufficient to fulfill their stated purpose);
  • Relevant (can be clearly linked to the stated goal); and
  • Limited (what is necessary to achieve the stated purpose).

There is no guarantee that organizations will protect your personal information

Phone apps are still sending sensitive user data, including health information, to Facebook without users' consent. For example, healthcare organizations (regulated under the Health Insurance Portability and Accountability Act or HIPAA) can still use third-party tracking tools, such as the Meta and Google Analytics Pixels, to analyze key data. They are, however, not allowed to expose private patient data to data vendors for marketing purposes.

And yet, in October 2022, Advocate Aurora revealed that 3M patients' health data had been exposed through tracking technologies that use an advertising ID that can be matched to a device or profile.

The official word is that users should look to their own defenses to protect their privacy. The website's tips include opting out from organizations' subscription lists and using a VPN to encrypt any data you send over a network.

About the author 

Peter Keszegh

Most people write this part in the third person, but I won't. You're at the right place if you want to start or grow your online business. When I'm not busy scaling up my own or other people's businesses, you'll find me trying out new things and discovering new places. Connect with me on Facebook and just let me know how I can help.
