That's not unreasonable in principle, but then it gets more complicated: do you propose to hold the entire company accountable for the actions of a small part of it? If not, then it devolves into the kind of accounting complexity that results in random internet outrage because it's beyond the understanding of most people.
If you do propose to hold the entire company accountable for any action taken in its name, then consider what you are enforcing: this would mean companies would be immediately obliged to disempower their entire staff from making decisions at any level, and require review and approval for all actions, to make sure that nobody ever makes a mistake that could be punitively expensive.
Neither of these is going to turn out to be a simple solution to a complex problem.
Worse, you can't even use a simple rule here, because what do you do about companies that aren't making a profit? Do they effectively have carte blanche to violate the law in order to improve their situation? That's probably not what you want, so you'd end up with some complicated mix of both systems.
That's not unreasonable in principle, but then it gets more complicated: do you propose to hold the entire company accountable for the actions of a small part of it?
Of course.
this would mean companies would be immediately obliged to disempower their entire staff
No.
Their entire staff is already "disempowered" to make decisions that could put the company in legal trouble. Also this is intended, not merely reckless. Do you really believe this was some nobody's idea? Come on!
Please, could someone with real legal knowledge explain why this is not like Volkswagen.
I suspect that privacy violations are not quantified or else a "class action" would dry any and all the profits.
There's a big difference between "not authorised" (the current reality) and "disempowered". You are not authorised to send emails that place the company in legal jeopardy. You are disempowered from doing so if every email that you send has to be reviewed by a company officer first. The norm today is that you are trusted to not exceed the limits of your authority.
How about every line of code that you write being reviewed by legal to make sure it was within the bounds of the law?
There's plenty of scope here for a far more defensive position on ensuring compliance. That is what you would expect and desire from any attempt to massively increase the liability of errors, no?
In theory it would be great if the fine was based on the extra profit generated from using the super cookie (compared to using a legal cookie). The next thing to take into account is the degree/duration of the privacy violation, and multiply this number by the number of users who have had their privacy violated.
Deciding this number is beyond my economics skills -- and quite beyond my point -- because I want to say that it is more reasonable to base the fine on the actual violation and not the business as a whole.