Danger of sharing customers’ data without permission
Facebook was ordered to pay $1.4 billion by the Attorney General of Texas for sharing customers’ data without them knowing.
Any business that shares customers’ data without permission will be contravening the Protection of Personal Information Act (Popia), and it could be fined thousands of rands.
Popia is an act that protects people’s personal information and regulates how companies and organisations handle personal data. The act also gives individuals control over their own information.
Tayyibah Suliman, head of the technology and communications sector at Cliffe Dekker Hofmeyr (CDH), says there are dangers in sharing customers’ data and some businesses are not aware of them.
Customers’ data breach: Facebook ruling
Before sharing the dangers, she first cites the example of Facebook being ordered to pay $1.4 billion by the Attorney General of Texas for sharing customers’ data without them knowing.
Suliman says the Facebook ruling should serve as an example to many businesses who have access to people’s personal data. In 2022, Facebook was fined for capturing the biometric information from its Texan users’ photographs and videos for commercial purposes without their consent.
She adds that Facebook disclosed it illegally collected personal information for other entities while failing to destroy this information within a reasonable time. “Secondly, Facebook engaged in false, misleading, and deceptive acts and practices which were alleged to violate the Texas Deceptive Trade Practices Consumer Protection Act, Tex. Bus. & Com. Code 17.41.”
The lawsuit against Facebook for the two violations amounted to $35 000, but because violations like these could reach hundreds of billions of dollars, Facebook decided to enter into a settlement agreement of $1.4 billion with Texas.
Lessons to businesses from the Facebook incident
Suliman says it is important for businesses to ensure that their data compliance policies and practices are aligned with the relevant legislation to avoid potential liability.
She encourages businesses to process data for the purposes which the data subject has consented to.
It is also advisable that personal data should not be stored for a long period of time to avoid it being stolen for ill means.
“Every single business needs to be honest about the purpose for which they are collecting the personal information and the intended processing of the information.”
Customers’ data and consequences of Popia
Anybody who contravenes Popia faces 10 years’ imprisonment and/or a fine, which is not included in the Act.
“In terms of section 108, a magistrate’s court will have jurisdiction to impose any of the penalties in section 107 of the Act. Under section 109, the Information Regulator may also impose penalties against a business for the contravention of Popia.”
How businesses can protect consumers’ data
She shares eight tips which businesses can follow when it comes to protecting the rights of consumers regarding their data.
- Ensure there is permission obtained from the data subject before processing their personal information;
- The data must be processed in a lawful and reasonable manner;
- The reason for which the data is to be processed must be disclosed to people when obtaining consent to process the data;
- A business must take reasonable steps to ensure that only the mandatory information obtained is processed and that only certain persons should be granted access to this information;
- Provide measures for the data subject to enquire about which of its data is held and request that data be corrected or deleted;
- In cross-border transactions, it must be carefully considered whether the receiving country has adequate data protection legislation in place;
- A data protection officer must be appointed to ensure compliance with Popia; and
- If a business becomes aware of a suspected data breach, it must be disclosed to the Information Regulator as well as people who have shared their data as soon as reasonably possible.
“It is important for businesses to carefully consider their existing data processing policies and ensure that they are Popia compliant.”