U.S. companies would face stiff fines, and executives could serve several years in prison, for violating regulations in a new consumer privacy bill.
Ron Wyden introduced the Mind Your Own Business Act on Oct. 17. The Democratic senator described the bill, which targets online data collection, as stronger than the European Union’s General Data Protection Regulation.
Some privacy advocates applauded the bill, while critics said it could bring significant upheaval to online business models that depend on consumer data.
Wyden’s bill would give the Federal Trade Commission the authority to establish minimum privacy and cybersecurity standards. It would allow the FTC to issue fines of up to 4% of a company’s annual revenue on the first offense. Senior executives who lie to the FTC about their data privacy practices would face prison sentences ranging from 10 to 20 years.
The legislation would also create a national “do not track” system that lets consumers prohibit companies from tracking them on the web, selling or sharing their data, or targeting them with advertisements based on their personal information. Companies that wish to offer products and services conditioned on the sale or sharing of consumer data must offer an alternate but similar privacy-friendly version of their product, for which they can charge a reasonable fee.
Digital privacy expert Attila Tomaschek from the privacy tools review site ProPrivacy.com praised the legislation, saying it’s “pro-consumer.”
But the “do not track” provision “would certainly be a hard pill for major tech companies like Facebook and Google to swallow,” Tomaschek added. “These companies’ business models are naturally based upon data collection and analysis of user activity, so it is undeniable that this legislation would have a negative impact on how big tech businesses operate.”
Tomaschek predicted “aggressive pushback” from web-based companies, even though trade groups representing them have been silent about Wyden’s bill so far. The Internet Association, representing Google, Facebook, Amazon, and eBay, declined to comment on the record.
The bill adds accountability for privacy violations, said Lecio de Paula Jr., data privacy director at security training vendor KnowBe4.
“Many organizations are simply just OK with receiving a fine and a slap on the wrist, which we have seen with the past few FTC fines of the large tech players,” de Paula said. “When an executive is held personally accountable, that’s when things start to change.”
Still, like Tomaschek, de Paula expects some resistance to the legislation. “The biggest challenge this bill will face is from organizations who are making millions of dollars collecting, using, and selling personal data in a nontransparent manner,” he said.
The bill has little chance of passing given that there’s not yet a Republican sponsor, said former Republican Rep. Rick Lazio, now serving on the advisory board of management consulting firm Alliantgroup. Instead, Wyden may be laying down a marker for future privacy efforts.
Lazio isn’t a fan of the legislation. “Much of the bill is punitive as to business,” he said. “It would be refreshing if the government model was to help the private sector protect themselves and consumers through grants, partnerships, and information sharing rather than simply proposing fines and penalties.”
Some privacy advocates noted the Wyden bill doesn’t preempt state privacy laws, meaning states would be free to pass stricter legislation. Many Republicans in Congress have pushed for a national law that would preempt wide-ranging state privacy regulations, including the California Consumer Privacy Act, which goes into effect next year.
It’s time for Congress to pass a privacy law with teeth, some privacy advocates said.
“Big tech companies get caught red-handed violating user privacy time and time again, proving that stronger deterrents are needed,” said Harold Li, vice president at ExpressVPN. “Users should be in the driver’s seat when it comes to control of their personal data.”

