Wyden Introduces Tough New Privacy Bill

Nearly a year after first putting out a discussion draft, Sen. Ron Wyden has introduced a data privacy bill that establishes harsh criminal and civil penalties for corporations and officers that violate its provisions.

The bill is known as the Mind Your Own Business Act and it has a number of interesting provisions, including the establishment of a national Do Not Track database that would give individuals access to a website that provides a one-click ability to opt out of sharing all data with third parties. Wyden’s bill is designed to give the Federal Trade Commission the authority to assess steep fines of as much as four percent of a company’s revenue against corporations that violate the law, and it also provides for lengthy prison sentences for executives who lie to the FTC about privacy protections.

Wyden has been at the forefront of consumer data protection and information security policy for many years, and has been quite vocal in criticizing corporations that mishandle consumer data. The new bill, which Wyden introduced on Tuesday, is meant to serve as a foundation of cybersecurity and privacy policy nationwide.

“I spent the past year listening to experts and strengthening the protections in my bill. It is based on three basic ideas: Consumers must be able to control their own private information, companies must provide vastly more transparency about how they use and share our data, and corporate executives need to be held personally responsible when they lie about protecting our personal information,” Wyden said in a statement.

Under the provisions in Wyden’s bill, attorneys general in each state would have the authority to enforce the regulations, while the FTC gains more authority to assess civil penalties. Currently, the FTC has some authority to enforce privacy provisions in the FTC Act, but the monetary penalties are negligible. Wyden’s bill would allow the FTC to fine covered entities “not more than an amount that is the greater of $50,000 per violation, taken as an aggregate sum of all violations, and 4 percent of the total annual gross revenue of the person, partnership, or corporation for the prior fiscal year.”

Wyden has made a number of changes to the bill since he began circulating a discussion draft of it last November. One of the larger modifications is to add more muscle to the Do Not Track system, which is meant to be a clearinghouse for consumers and a central method for people to declare their preference for data sharing. The language in the new bill would prevent companies from mining user data in order to help third parties target ads.

There’s a separate provision that allows each state to designate one dedicated consumer watchdog agency that can sue covered entities on behalf of consumers for violations of the law.

Unlike many other countries around the world, the United States doesn’t have a national privacy or cybersecurity law. Many states have their own privacy and data breach laws, but every effort to pass a federal law has come up short so far.