Well that escalated quickly.
It took less than 24 hours of GDPR enforcement for the gloves to come off. According to a report by The Verge, Facebook and Google—the two companies who had done the most to prep themselves in the run up, but who were also the most likely targets of these new regulations—were hit with a combined $8.8 billion in lawsuits relating to alleged GDPR violations.
Filed by Austrian privacy activist and longtime critic of those companies’ data collection practices Max Schrems, the lawsuits seek roughly $4.5 billion in damages from Facebook and $4.3 billion from Google. Schrems, in an interview with the Financial Times, says that the new policies and products that both companies rolled out didn’t go far enough and still leave them in violation of GDPR. In particular, he points to the way they obtain consent for their privacy policies by asking users to check a box in order to access their services. That’s a very normal and popular way for companies to get users to opt into a service, but Schrems’ complaints argue that it forces the user into an all-or-nothing situation, which is a violation of GDPR’s policies around “particularized consent.”