Making privacy non-negotiable

Proposed data privacy law could send company execs to prison for 20 years

Privacy law would let consumers opt out of data sharing.

A US senator has proposed a privacy law that could issue steep fines to companies and send their top executives to prison for up to 20 years if they violate Americans' privacy.

Sen. Ron Wyden, D-Ore., announced a discussion draft of his Consumer Data Protection Act yesterday. The bill would establish new privacy rules that major companies must follow and set fines and prison sentences big enough to make even the largest companies take notice.

Consumers would have the right to opt out of systems that share their data with third parties. Companies that don't follow the proposed law could be fined up to 4 percent of annual revenue on their first offense. The FTC currently is unable to fine first-time corporate offenders, and "fines for subsequent violations of the law are tiny, and not a credible deterrent," Wyden's bill summary says.

Fines and prison for execs

Besides giving the FTC new powers, the bill would let the agency hire another 175 staffers "to police the largely unregulated market for private data," Wyden's bill summary says.

Under the proposed law, executives could be "fined not more than $5,000,000 or 25 percent of the largest amount of annual compensation the person received during the previous 3-year period from the covered entity, imprisoned not more than 20 years, or both," the bill says. (The more readable bill summary is available here.)

The bill seems unlikely to pass, given the extreme penalties, lobbying clout of big businesses, and Republicans' control of Congress. But both Republicans and Democrats have been pushing for some kind of privacy law, and Wyden's proposal would make big fines and prison sentences part of the discussion. Wyden's announcement said his bill is supported by Consumers Union, search engine operator DuckDuckGo, and four former FTC chief technologists.

Private data is “tracked, sold and monetized”

"Today's economy is a giant vacuum for your personal information," Wyden said. "Everything you read, everywhere you go, everything you buy and everyone you talk to is sucked up in a corporation's database."

US residents know very little about how their data is collected, used, and shared, Wyden continued. "It's time for some sunshine on this shadowy network of information sharing," he said. "My bill creates radical transparency for consumers, gives them new tools to control their information and backs it up with tough rules with real teeth to punish companies that abuse Americans' most private information."

"Information about consumers' activities, including their location information and the websites they visit is tracked, sold and monetized without their knowledge by many entities," Wyden's bill summary said. Meanwhile, "corporations' lax cybersecurity and poor oversight of commercial data-sharing partnerships has resulted in major data breaches and the misuse of Americans' personal data, [and] consumers have no effective way to control companies' use and sharing of their data."

The legislation would affect large companies under the jurisdiction of the Federal Trade Commission. Specifically, the law would apply to companies that earn more than $50 million in average annual revenue or collect personal information on at least 1 million consumers or at least 1 million consumer devices.

The law would thus apply to big Web giants like Google and Facebook, big Internet service providers that face FTC jurisdiction, and any other large company that faces FTC jurisdiction and collects data on at least 1 million of their customers or consumer devices.

The law would also apply to data brokers or companies that collect and sell information on people who are not their customers, regardless of how much revenue they earn.

Data sharing opt-out system

The law's central mechanism is a data sharing opt-out system that the FTC would be required to create within two years. The system would let consumers "stop third-party companies from tracking them on the Web by sharing data, selling data, or targeting advertisements based on their personal information," Wyden's office said.

According to the bill text, this Do Not Track opt-out system would let a consumer prevent "covered entities from sharing the personal information of the consumer with third parties," unless the data sharing "is necessary for the primary purpose for which the consumer provided the personal information." Companies would have access to this system so they can determine which consumers have opted out of sharing information.

Companies would be prohibited from requiring consumers to change their opt-out status in the FTC Do Not Track system as a condition of using a product or service.

Companies could get consumers' consent to waive their opt-out status for a specific product or service under certain conditions, though. If a free service requires a consumer to opt out of privacy protections, companies would have to give customers "an option to pay a fee to use a substantially similar service that is not conditioned upon" giving up one's privacy.

That fee "shall not be greater than the amount of monetary gain the covered entity would have earned had the average consumer not opted out," the bill says. In other words, a company couldn't charge more than it would make by using your information for targeted ads or other purposes.

Companies would also be required to implement reasonable security and privacy policies, practices, procedures, and technical capabilities to protect customers' personal information.

Companies would have to let consumers request a copy of their personal information and provide "a reasonable means to challenge the accuracy of any stored personal information," the bill says. Companies would have to comply with a consumer's request within 30 business days, without charging the consumer.

The FTC would also have to set up a complaint process for consumers to challenge the improper use, storage, or sharing of personal information.

Companies would have to report on compliance

Companies with at least $1 billion in annual revenue that store, share, or use personal information on more than 1 million consumers or consumer devices would have to file an annual data protection report certifying their compliance with the law. Companies that store, share, or use personal information on more than 50 million consumers or consumer devices would also need to submit these reports, regardless of how much revenue they make.

These data protection reports would have to be certified by a company's CEO, chief privacy officer, or chief information security officer. The proposed law's fines and prison sentences would apply to executives who certify statements in annual reports that don't meet all the requirements. Prison sentences would be limited to 10 years for unintentional violations but could go up to 20 years for intentional violations. Similarly, fines issued to executives would be limited to the greater of $1 million or 5 percent of their annual compensation for unintentional violations, and go up to the greater of $5 million or 25 percent of their annual compensation for intentional violations.

Companies would also have to conduct analyses of the algorithms they use to process consumer data and make automated decisions so they can be examined "for impacts on accuracy, fairness, bias, discrimination, privacy, and security."

Enforcing the law would require changes at the FTC. Today, "the FTC does not have the power to punish companies unless they lie to consumers about how much they protect their privacy or the companies' harmful behavior costs consumers money," Wyden's bill summary says. Today's FTC also "does not have the power to set minimum cybersecurity standards for products that process consumer data, nor does any federal regulator."

Wyden's bill would change that and let the FTC boost its staff. The bill would establish a new Bureau of Technology at the FTC, with up to 50 employees, and authorize the FTC to add up to 125 employees to the Bureau of Consumer Protection.

"The FTC does not have enough staff, especially skilled technology experts," Wyden's bill summary says. "Currently about 50 people at the FTC police the entire technology sector and credit agencies."

Editor's note: An earlier version of this story incorrectly said that the proposed law would not apply to data brokers.
