Fresh Privacy Legislation Would Jail CEOs for ViolationsSenate Bill Would Give Consumers Control of How Their Personal Data Gets Used
With data breaches becoming more common and many companies receiving minimal fines, if any sanctions, Sen. Ron Wyden, D-Ore., on Thursday introduced new legislation aimed at strengthening people's privacy rights. Wyden says his bill will "bring meaningful punishments for companies that violate people's data privacy, including larger fines and potential jail time for CEOs."
Named the "Mind Your Own Business Act," he says the bill would give Americans "an easy, one-click way to stop companies from selling or sharing their personal information," as well as give consumers the right to see how companies use and share their personal data.
"Mark Zuckerberg won't take Americans' privacy seriously unless he feels personal consequences," Wyden says in a statement, referring to the CEO of Facebook. "A slap on the wrist from the Federal Trade Commission won't do the job, so under my bill he'd face jail time for lying to the government."
Officials at Facebook didn't immediately respond to a request for comment.
Wyden's legislation follows a draft version of the bill that he introduced last year. The legislation would give the FTC new powers to fine technology companies that violate users' privacy and expand the agency's remit, giving it greater resources to regulate the industry. The new bill would also allow state attorneys to enforce privacy regulations and sue companies on behalf of people impacted by data violations.
Wyden says his bill is based on three ideas: Consumers must be able to control their own private information, companies must provide vastly more transparency about how they use and share data, and corporate executives need to be held personally responsible when they lie about protecting our personal information.
What the Bill Proposes
Wyden's bill proposes several strict penalties for companies that violate consumers' data privacy. But the bill would also facilitate more wide-ranging changes. In particular, the bill would:
- Enable the FTC to issue steep fines (up to 4 percent of annual revenue) on the first offense for companies and up to 20 years in prison for senior executives who knowingly lie to the commission;
- Create a national "do not track" system that lets consumers stop companies from tracking them on the web, selling or sharing their data, while also encouraging companies to offer a privacy-friendly version of their product and charge a reasonable fee for it;
- Ensure that privacy does not become a luxury good by extending the Federal Communications Commission's Lifeline program for low-income people to obtain privacy-focused versions of products;
- Give consumers a way to review the personal information a company has about them, learn how it has been shared or sold, and to challenge inaccuracies;
- Hire 175 more staff to police the largely unregulated market for private data;
- Levy new tax penalties on companies whose CEOs lie about privacy protections;
- Avoid preempting any state privacy laws.
Focus: Giving FTC Greater Powers
The FTC does not have the power to fine companies unless they break a settlement agreement that they have already made with the commission.
In recent years, however, the FTC has fined several companies for violating the privacy terms of their settlement agreements, including Facebook, Equifax and Uber. However, the commission has drawn flak for not taking a stronger stand against these companies. For instance, the FTC fined Equifax $700 million over a data breach in 2017. Although this was the largest ever fine by FTC, it amounted to only 20 percent of Equifax's 2018 revenue of $3.4 billion. Under the EU General Data Protection rules that came into full effect in May 2018 - before the Equifax breach - the credit rating agency would've been liable for fines of up to 4 percent of its global annual turnover (see: Is the Equifax Settlement Good Enough?).
FTC Chairman Joe Simons has been asking Congress to give the commission the ability to fine companies for first-time privacy violations.
If approved, Wyden's bill would enable the FTC to establish minimum privacy and cybersecurity standards for technology firms.
"Consumers must be able to control their own private information, companies must provide vastly more transparency about how they use and share our data," Wyden says. "Corporate executives need to be held personally responsible when they lie about protecting our personal information."
Repeat Privacy Bill Attempts
Various states in the U.S. are in the process of introducing their own privacy bills. For instance, the California Consumer Protection Act, or CCPA, is due to take effect in January 2020.
Many lawmakers have continued to field their own draft privacy legislation. But no bills have passed into law, as technology companies, privacy advocates and lawmakers continue to fail to reach a common consensus.
Many technology companies continue to lobby for a federal privacy law, which they say would make it easier for them to comply, versus having to abide by a patchwork of state laws. "As a CISO it is not easy for me to follow 10 different privacy laws. There needs to be a common privacy law, at least as far as a nation is concerned," says Sridhar Govardhan, CISO with a global IT services company based in Bangalore, India.