Compliance: The Strategic Risk That Could Stunt Your Growth

Compliance might not seem like the sexiest topic, but it’s one tech companies need to have on their radar. In the last years, (EU) regulators have raised the size of fines to hundreds of millions of USD. The number of violation fines is steadily growing and targets have expanded well beyond big tech players and now include small regional companies as well.

The key question is: how can you embed compliance at the root of the business to minimize violation risk?

Compliance violations are getting pricier

GDPR fines grew from small nibbles into painful punishments. This year, Ireland’s data protection commission fined Meta 414M USD for forcing users to accept the Terms of Service, in which users agree Meta can use behavioral data for tracking purposes.

This is the fourth installment of a series of 3 fines for privacy infringements since 2021 that sum up to over one billion USD:

1. September 2021: $400M for mistreating children’s data
2. November 2022: $275 for data leak leading the personal data of 500M users to be published online (Irish regulators claimed Facebook wasn’t protecting its platform against scraping, which allowed hackers to extract data)
3. January 2023: $414 for forcing users to accept the ToS

You could argue $1B in fines don’t hurt a giant that made over $23B in profits in 2022 (it’s only 4%), but when you look at the ~20,000 employees Meta recently laid off and the gaping hole of ~$10B in lost revenue from ATT (Apple Tracking Transparency), that billion starts to look very different.

Meta is not alone. Many tech and non-tech companies got sizable fines over the last years:

• 2022: French data protection authorities (CNIL) fined Google 169M Euros (and Meta $60M Euros) for making it hard for users to refuse cookies
• 2021: Amazon got fined $877M for cookie consent
• 2021: Notebooksbilliger got fined $12.5M for using an employee monitoring system
• 2020: H&M was fined by Germany ($41M) for monitoring several hundred employees, British Airways got fined $26M for a data breach that affected 400,00 customers, Marriott got fined $24M for a data breach

And just like Meta, most big tech companies saw revenues drop in late 2022 as a result of the “pandemic hangover” and started to lay off many of the employees they hired during the pandemic. Budget hits from compliance violations are the last thing tech companies need at the moment.

A big part of the problem is access to first-party data for fast-growing companies. A large part of the web is built on advertising (referred to as “the original sin of the web”), but 3rd cookies are dying out. Google and Apple have started to develop cohort-based alternatives that are less accurate but more privacy-friendly.

As a result, targeting capabilities get less accurate, and, therefore, ads become more expensive, and ad revenue for ad marketplaces shrinks. GDPR (and CCPA) guidelines reduce tracking capabilities even further, which is why a lot of big internet platforms are hesitant to implement the guidelines – at a higher and higher risk.

Another problem, of course, is that few companies have taken GDPR violations seriously. Fines have grown over time because initial penalties weren’t impactful enough. Now, getting fined can significantly shrink the bottom line and come at the cost of customer trust. The 2016 Cambridge Analytica scandal, for example, damaged Facebook as a brand so severely that the company rebranded to Meta.

Managing compliance risk at the product level

Compliance as a risk needs to be managed at the core of companies: product building. Growth product managers and marketers must change their mindsets from seeing compliance violations as a necessary evil that lawyers take care of to a managed risk in the product development process.

As data breaches and privacy violations become more common, it is essential for product managers and UX designers to embrace privacy-first principles:

• Be transparent about what data is collected, used, and stored
• Provide opt-out options for data collection, usage, and storage
• Enhance privacy with technology like encryption and anonymization
• Collect only mission-critical data
• Ask for consent before processing data
• Educate users about their rights
• Protect data from unauthorized access, loss, or damage
• Make it easy for users to extract their data

The most critical touchpoints between companies and users when privacy principles matter are when any communication or transaction happens. For example, PMs and designers should build user interfaces with easy access to data in mind. Marketers should include opt-out links in any customer communication.

Yes, these principles can slow the classic Silicon Valley style of product building by moving fast and breaking things down. However, unmanaged compliance risks can slow company growth even more.

Rethinking growth in the age of privacy

Compliance is a major challenge for EU startups trying to compete on a global level due to the extra costs associated with GDPR. Big Tech companies have more resources to find workarounds and adapt to privacy regulations, giving them an added advantage over smaller businesses with fewer resources.

To build trust with customers, businesses must go beyond tracking transparency and truly commit to compliance. Failing to do so can result in severe consequences such as fines, loss of reputation, and legal action making compliance a critical factor for success in the digital age.

Compliance might not seem like the sexiest topic, but it’s an important one tech companies need to have on their radar. Over the last years, (EU) regulators have raised the size, number, and targets for fines for privacy violations.

Compliance has become a real risk for marketers, and product managers need to start factoring into Growth strategies.