By the Data Security & Privacy Team
On November 1, 2018, Senator Ron Wyden, a Democrat from the state of Oregon, introduced a bill that attempts to create a stronger consumer privacy act. The draft legislation, referred to as the Consumer Data Protection Act, SIL18B29 (the “Bill”), amends and increases the powers of the Federal Trade Commission (“FTC”).
According to Senator Wyden’s webpage, he drafted the Bill because “[t]he explosive growth in the collection and sale of consumer information enabled by new technology poses unprecedented risks for Americans’ privacy,” a problem he believes the Federal Government continually fails to address. Therefore, Senator Wyden’s Bill both imposes greater security protection standards and sharpens the FTC’s teeth in terms of enforcement.
The Bill permits the FTC, as the “nation’s main privacy and data security regulator,” to fine and, yes, even jail American executives for failure to protect consumer information. Specifically, the Bill proposes the following powers and tools for the FTC, which Senator Wyden hopes will give Americans greater privacy and control over their own personal data:
- “Establish minimum privacy and cybersecurity standards.
- Issue steep fines (up to 4% of annual revenue), on the first offense for companies and 10-20 year criminal penalties for senior executives.
- Create a national Do Not Track system that lets consumers stop third-party companies from tracking them on the web by sharing data, selling data, or targeting advertisements based on their personal information. It permits companies to charge consumers who want to use their products and services, but don’t want their information monetized.
- Give consumers a way to review what personal information a company has about them, learn with whom it has been shared or sold, and to challenge inaccuracies in it.
- Hire 175 more staff to police the largely unregulated market for private data.
- Require companies to assess the algorithms that process consumer data to examine their impact on accuracy, fairness, bias, discrimination, privacy, and security.”
Additionally, businesses with annual revenue exceeding $1 billion, which also store data of more than 50 million consumers, will have to submit an annual data protection report to the FTC detailing their compliance with relevant security regulations. What’s more, under proposed §1352(b), entitled “Failure of Corporate Officers to Certify Data Protection Reports,” Chief Executive Officers, Chief Information Security Officers, and Chief Privacy Officers may be jailed for failure to certify and file annual reports to the FTC that document company efforts to comply with the Bill.
An executive’s first offense under this section will result in a fine “not more than the greater of $1,000,000.00 or 5 percent of the largest amount of annual compensation the person received during the previous 3-year period…imprison[ment] not more than 10 years, or both[.]” The same section prescribes that “intentional[ly]” certifying false statements for annual reports will result in a fine of “not more than the greater of $5,000,000.00 or 25 percent of the largest amount of annual compensation the person received during the previous 3-year period” or imprisonment “not more than 20 years, or both[.]”
If passed, the Bill would represent a massive overhaul and increase in the FTC’s powers and available punishments. Generally, the FTC currently only has privacy protection powers under theories of “unfair trade practices.”