Data regulators are only just getting going.
French data regulator CNIL recently imposed a €50m (£44m) fine on Google for "lack of transparency, inadequate information and lack of valid consent regarding ads personalisation" - Google is appealing.
Spain's data protection agency (AEPD) fined the country’s football association La Liga €250,000 because its app did not seek enough consent from users before activating the phone’s microphone and location services in an attempt to pinpoint exactly which bars were showing matches without a license.
And the Republic of Ireland’s Data Protection Commission (DPC), the data regulator for many of the world’s consumer-facing tech giants, has launched 19 statutory investigations already, 11 of which focus on Facebook, WhatsApp and Instagram.
Twitter, LinkedIn and Google are also under investigation.
The DPC may reach decisions on some cases by as early as July or August, with final rulings – after all other EU member data protection regulators have had their say - by the end of the year.
“While enforcement has been limited to date, it is still early in the life of the regulation,” warns Paul Jordan, managing director of the International Association of Privacy Professionals Europe. “Expect enhanced frequency of activity in 2019 and going forward.
“Any grace period afforded organisations in this nascent timeframe is truly at an end.”
Expect more hefty fines to come.