
Aon  |  Professional Services Practice
Data Privacy Roundup (Q1 2022): Too Many Hands in the Cookie Jar?

Release Date: June 2022

The evolving data privacy landscape continues to hold the attention of professional service firms. Below is a selection of high-profile data privacy stories from 2021 and early 2022, involving regulatory enforcement, cybersecurity and other issues.

The HTTP Cookie Jar: France Fines Big Tech

GDPR fines tend to dominate the headlines, but business leaders should also be aware of the potential for penalties over the use of cookies.

In February 2022, the French data protection authority (CNIL) imposed significant fines on Google (€150 million) and Facebook (€60 million) over their use of HTTP cookies. According to CNIL, the tech giants had made life difficult for consumers with a confusing opt-out mechanism.

The enforcement action was based on the ePrivacy Directive, which governs the use of cookies in the European Union. Under this directive, companies are required to provide users with a simple method to either accept or refuse cookies. Google and Facebook users were forced to navigate through several pages to reject all cookies, while only needing one click to accept them.

Two Largest GDPR Fines: Amazon (€746M) and WhatsApp (€225M)

GDPR fines reached new heights in 2021, with Luxembourg's data protection authority fining Amazon a record €746 million (US$857 million) in July, charging that the company failed to abide by GDPR requirements for the processing of personal information. The fine is the single largest GDPR penalty imposed to date, and by some margin. Amazon has appealed the decision – time will tell if the record fine will be reduced as others have been in the past.

In September 2021, Ireland's Data Protection Commissioner imposed a €225 million (US$255 million) fine on WhatsApp, following a lengthy investigation into the instant messaging giant's practice of sharing data with its parent company Facebook (now Meta). The fine against WhatsApp represents the second largest GDPR fine to date and is currently being appealed before the Court of Justice of the European Union, with WhatsApp requesting a full annulment of the sanction.

Accounting Firm Data Breach Lawsuit

On the litigation front, a lawsuit was filed against a U.S. accounting firm in August 2021, highlighting the possibility of professional service firms, custodians of vast amounts of personal data, becoming targets for litigation in connection with breaches and other cyber incidents.

The lawsuit involved a data breach that allegedly compromised personal information of a client. Plaintiffs claimed that their personal information was used for purposes of identity theft and available for purchase on the “dark web”, while also alleging violation of the California Consumer Privacy Act (CCPA), which entered into force in 2020.

As of March 2022, a proposed settlement was pending approval before the court, though the terms of the agreement have not been disclosed.

Events in Europe Increase Risk of Cyberattacks

According to the Financial Crimes Enforcement Network (FinCEN) of the U.S. Treasury Department, the conflict in Ukraine has given rise to an "unprecedented" increase in cyberattacks. FinCEN has cautioned companies to be vigilant in the face of ransomware attacks launched by Russian cyber gangs. Moreover, under a new law passed in March 2022, companies will now have 72 hours to report ransomware attacks to the U.S. Department of Homeland Security, and 24 hours in the case of a ransom payment. Should companies fail to meet the reporting deadlines, they could be referred to the Attorney General and run the risk of being fined.

Credit rating agency Fitch Ratings has also warned that cyberattacks emerging out of the Ukraine conflict could “further test the effectiveness of ‘war exclusion’ and ‘hostile exclusion’ language” in cyber insurance policies, which was called into question following a noteworthy ruling handed down by a New Jersey court in December 2021. The court ruled that Merck & Co's insurers could not rely on an "act-of-war" exclusion to avoid coverage for losses of US$1.4 billion emerging from the NotPetya ransomware attack, which had been linked to the Russian government.

Data Privacy Legislation Roundup

China’s Personal Information Protection Law (PIPL) came into effect in November 2021 with monetary penalties reaching as high as 50 million yuan (US$7.8 million) or five percent of a company's annual revenue. Additionally, foreign companies deemed to be a threat to China's national security could be banned from processing the personal information of Chinese nationals.

In the U.S., where there is no comprehensive federal privacy statute governing commercial activities, a handful of states have been successful in implementing comprehensive personal information privacy laws. As of March 2022, Utah was looking to join California, Virginia and Colorado as states regulating the way companies process personal information.

The Professional Services Practice at Aon will continue to monitor major data privacy developments pertaining to regulatory enforcement, legislative news and privacy related litigation. If you would like to discuss any of the issues raised in this article, please contact Daniel Hacikyaner or Rona E. Davis.

Daniel Hacikyaner
Vice President and Director

Rona E. Davis
Senior Vice President and Executive Director