Security news that informs and inspires

Wyden Proposes Severe Fines, Jail Time for Corporate Privacy Violations

The push for a national data privacy law is growing stronger, with key legislators and tech executives recently calling for a comprehensive measure. Now, there’s a draft of such a bill circulating in Washington and it would provide severe financial and criminal penalties for violations and create a national Do Not Track system to prevent companies from monetizing consumers’ data.

Sen. Ron Wyden (D-Ore.) released a discussion draft of the proposed measure on Thursday and, in addition to the DNT and penalty sections, it would establish the FTC as the agency to create and enforce cybersecurity and privacy standards. Right now, the FTC has limited enforcement powers over corporations that violate various privacy regulations. The commission can’t fine companies for their first offenses, and the fines for further violations are minuscule.

Wyden’s bill, called the Consumer Data Protection Act of 2018, would give the FTC the authority to fine companies up to four percent of their annual revenue for violations. It also would allow for criminal penalties of 10 to 20 years for senior executives of companies in violation of the law. Those penalties would be a 180-degree turnaround from what exists with today’s patchwork of industry specific and state regulations. The Equifax data breach in 2017, for example, affected nearly 150 million consumers, and the main consequence has been a fine of £500,000 from the U.K.’s Information Commissioner’s Office.

“Today’s economy is a giant vacuum for your personal information – Everything you read, everywhere you go, everything you buy and everyone you talk to is sucked up in a corporation’s database. But individual Americans know far too little about how their data is collected, how it’s used and how it’s shared,” Wyden said. “It’s time for some sunshine on this shadowy network of information sharing.”

Wyden and several other federal legislators have been pushing for national privacy legislation for several years, and last month Apple CEO Tim Cook said his company was in full support of such a measure.

"Today that trade has exploded into a data industrial complex. Our own information, from the everyday to the deeply personal, is being weaponized against us with military efficiency,” Cook said.

"We at Apple are in full support of a comprehensive federal privacy law in the United States.”


Consumer data has become the centerpiece of a large, thriving economy populated by companies that collect, store, analyze, parse, and sell that information to a wide variety of buyers. Most people have little to no idea what information these companies have on them, or who the companies even are. It’s often not until a data breach becomes public that people realize where their personal data might be stored.

However, it's not clear that the FTC is the right agency to handle the task of creating and enforcing data-protection standards.

"The FTC helps to safeguard consumers and to promote competition, but the FTC is not an effective data protection agency. The FTC lacks rulemaking authority. Moreover, the agency lacks authority to enforce basic data protection obligations and has failed to enforce the orders it has established," Christine Bannan, consumer protection counsel at the Electronic Privacy Information Center (EPIC) said.

Many democratic nations around the world have dedicated data protection agencies with strong authority and enforcement capabilities. The U.S. needs a federal agency focused primarily on identifying emerging privacy challenges and ensuring compliance with data protection obligations.

Aside from the serious financial and criminal penalties, the other major provision in Wyden’s proposed bill is the establishment of a national Do Not Track system that would give people a central place to opt out of third-party tracking and data sharing. The system would include a website through which consumers could opt out to prevent “covered entities from sharing the personal information of the consumer with third parties, including personal information shared with or stored by the covered entity prior to the opt-out”.

At the moment, opting out of third-party trackers and information sharing is a painful, time-consuming process. Although all of the major browsers can send a Do Not Track signal (the DNT: 1 request header), the signal only expresses a preference: nothing in the protocol enforces it, honoring it is left entirely to the receiving site, and many sites ignore the DNT signal for various reasons. Wyden’s bill would require companies to “be bound by the opt-out of a consumer when the opt-out is conveyed through the opt-out website”.
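To make concrete why the browser signal alone does so little, here is an added example (not code from the article, Wyden's draft, or any site it mentions) of the server-side decision that DNT depends on. The browser adds a `DNT: 1` request header; whether a tracking identifier is assigned anyway is purely the site's choice. The request and response types, the tracking-cookie name `_track_id`, and the two handlers are constructed for illustration; the first handler ignores the header as most sites do today, the second honors it.

```python
"""Added example: the Do Not Track signal is just a request header, and a site
decides for itself whether to honor it.

Request/Response are minimal stand-ins for a web framework's objects; the
cookie name and visitor ids are constructed for this illustration.
"""
import secrets
from dataclasses import dataclass, field

TRACKING_COOKIE = "_track_id"  # hypothetical third-party tracking cookie


@dataclass
class Request:
    headers: dict          # raw request headers as sent by the browser
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    body: str
    # cookie name -> value to set; None means "expire this cookie"
    set_cookies: dict = field(default_factory=dict)


def dnt_enabled(req: Request) -> bool:
    """True when the browser sent 'DNT: 1'. Header names are case-insensitive,
    and only the value '1' means opt-out ('0' is an explicit opt-in)."""
    for name, value in req.headers.items():
        if name.lower() == "dnt":
            return value.strip() == "1"
    return False


def handle_ignoring_dnt(req: Request) -> Response:
    """A site that never looks at the header: every new visitor gets a
    tracking id, DNT or not. This is what 'relies on sites to respect the
    user's choice' means in practice."""
    resp = Response(body="page")
    if TRACKING_COOKIE not in req.cookies:
        resp.set_cookies[TRACKING_COOKIE] = secrets.token_hex(8)
    return resp


def handle_honoring_dnt(req: Request) -> Response:
    """A site that treats DNT: 1 as binding: it assigns no id and expires any
    id it previously set, so the opt-out also covers past tracking."""
    resp = Response(body="page")
    if dnt_enabled(req):
        if TRACKING_COOKIE in req.cookies:
            resp.set_cookies[TRACKING_COOKIE] = None  # expire on the client
        return resp
    if TRACKING_COOKIE not in req.cookies:
        resp.set_cookies[TRACKING_COOKIE] = secrets.token_hex(8)
    return resp


if __name__ == "__main__":
    opted_out = Request(headers={"DNT": "1"})
    print("ignoring site sets cookie:",
          TRACKING_COOKIE in handle_ignoring_dnt(opted_out).set_cookies)
    print("honoring site sets cookie:",
          TRACKING_COOKIE in handle_honoring_dnt(opted_out).set_cookies)
```

The point the example makes is structural: both handlers receive exactly the same header, and nothing on the browser side distinguishes them. A legally binding central opt-out, as the draft proposes, changes the incentive to write the second handler rather than the first; it does not change the mechanism.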

Wyden’s draft bill has support from a variety of consumer groups and privacy focused organizations.

“Senator Wyden’s proposed consumer privacy bill creates needed privacy protections for consumers, mandating easy opt-outs from hidden tracking. By forcing companies that sell and monetize user data to be more transparent about their data practices, the bill will also empower consumers to make better-informed privacy decisions online, enabling companies like ours to compete on a more level playing field,” said Gabriel Weinberg, CEO of DuckDuckGo, which provides a private search engine that doesn’t track users or record search history.

EPIC's Bannan said that while there are some additional things the group would like to see in Wyden's bill, it's a good foundation.

"The bill should cover data brokers and we would like to see a separate data protection agency rather than expanding the authority of the FTC. But I will say overall I think Wyden’s bill is strong, especially the requirements for automated decision making and data protection impact assessments," Bannan said.

This story was updated on Nov. 5 to include Bannan's comments.