Why risking fines is not a sustainable data privacy strategy for enterprises
Posted: March 3, 2025
Ask any seasoned privacy professional who practiced 10-20 years ago, and they will tell you that a common business response to the warning that a personal data collection or use activity risked non-compliance was: “Well, how much will it cost if we do it anyway and get caught?”
Today’s business responses to privacy warnings are much more likely to be a version of: “What do we need to do and how fast can we do it?” Businesses today are just as practical as businesses in the early 2000s.
However, the internal and external pressures related to personal data and its handling are dramatically different, causing a commensurate shift in today’s privacy compliance conversation. Top reasons for the change include:
- High cost of non-compliance
- Higher probability of being caught
- Business efficiency
- Customer expectations and trust
- Best practices to boost privacy
High cost of non-compliance
Higher fines/penalties
In the past, a company performing a basic cost-benefit analysis about privacy might well have reasonably decided that the cost of compliance far outweighed the potential cost of non-compliance. Past fines and penalties were low, comparatively speaking. For example, even in a region well known for holding to the gold standard of privacy, the older privacy law in the European Union, Directive 95/46/EC, left sanctions to each Member State, and the resulting fines and penalties varied somewhat from country to country but were low by today’s standards.
The next evolution in EU privacy law was the General Data Protection Regulation (GDPR), which became applicable in 2018. That more recent law is famous for setting the standard for fines of up to a staggering 4% of annual global turnover or twenty million euros (whichever is higher). Later regulations in other jurisdictions follow similarly high thresholds. For example, Brazil’s LGPD, which contains many parallels with the GDPR, provides for fines of up to 2% of a company’s revenue in Brazil, capped at 50 million reais per infraction.
It is not only companies that are paying the price for non-compliance. Even more concerning to some corporate decision makers, regulators are more willing to hold executives personally accountable for privacy issues. This raises the stakes and makes it harder for the C-Suite to be willing to play privacy roulette.
Higher probability of being caught
Regulators care about privacy, and the number of laws and regulators is growing around the world. The combination of more active enforcement by existing regulators, a greater number of privacy laws to enforce, and the establishment of more regulatory authorities conducting investigations results in a greater likelihood of a company being caught short on compliance. The marketplace is seeing the cumulative impact of these factors: one 2024 report shows that regulators have levied US$7.3 billion in privacy fines since 2020.
Moreover, many regulators publicly post information about companies they have found to have violated privacy laws, and media outlets regularly cover data breaches and privacy issues. This can lead to significant brand damage, lower sales, and decreased stock prices. Consumer awareness of privacy issues within a company can also lead to more unsubscribe requests and more individual rights requests – all of which cost money and reduce marketing opportunities.
Business efficiency
Imagine a company paying shipping costs to send a letter to someone who not only does not want to hear from it but also will never open the envelope. Multiply that cost by thousands or millions of customers, and add in email, social media, text messages, and other channels. That company will spend an enormous amount of time and money in pursuit of customers who will never buy anything.
On the other hand, imagine targeting marketing dollars only to individuals who have expressed interest in the company and its products or services. Imagine further that those individuals can tell the company exactly what types of messages interest them – channels, topics, frequency, products. Now the company has spent money to communicate with an engaged audience and eliminated unnecessary costs associated with talking with uninterested individuals.
Privacy, and its twin sister, consent-driven personalization, does exactly this. In addition to adhering to laws and regulations, privacy done well also increases efficiency and efficacy of marketing campaigns and experience designs by giving consumers the opportunity to tell the company exactly which letters (and emails, and text messages) they will open.
Customer expectations and trust
The risk of privacy done wrong does not only relate to regulator attention, fines, and litigation. The largest bottom-line impact is on customer trust and the resulting decrease in customer engagement, data collection, and sales. Study after study reports that customers care about privacy and are more likely to provide personal information to, interact with, and buy from organizations that they trust with their privacy.
According to a 2023 study, 86% of individuals are concerned about privacy, 68% are concerned about the information companies collect from them, and 40% do not trust companies with their personal data. Another source outlines how 83% of consumers will not do business with organizations that they do not trust.
The positive side of this equation is that organizations that provide transparency about their practices, handle personal data in a privacy-sensitive manner, and give consumers control over their personal data will reap the benefits of the trust these practices engender. In this way, privacy is a revenue-boosting lever: it costs a modest budget, and the resulting trust returns that investment many times over.
Best practices to boost privacy
A practical company that wants to benefit from privacy will want to keep in mind a few best practices that can enhance its privacy strategy – not only by reducing risk, but also by increasing efficiency, customer trust, and revenue.
- Be transparent about practices – customer experiences that clearly communicate how the company is using the data it collects will enhance that all-important customer trust. Consider not only ways to make the online privacy notice simpler to read but also think about how just-in-time disclosures throughout the customer experience can give information about data handling practices in context, when they will make more sense to the customer.
- Offer choices – it is far better to lose a customer’s consent for one data handling practice or another than to lose the customer altogether. A company that allows customers to say no and express preferences will increase that customer’s trust and enjoy the retention, engagement, and revenue that goes with that trust.
- Follow through on promises – though managing choices and preferences across jurisdictions is challenging, it is essential that a company follow through on promises made in privacy notices and data collection processes. In addition to the importance of complying with laws, operationalizing privacy promises is a critical component of earning customer trust.
Summary
The benefits of sound privacy practices are not limited to cost avoidance, though certainly the fines, penalties, and brand damage associated with negative regulator attention are significant. Privacy done well is also a bottom-line enhancer, increasing customer trust, engagement, and sales while improving marketing efficiency.