U.S. Senator Ron Wyden, D-Ore., introduced sweeping new privacy legislation, the Mind Your Own Business Act, to create strong protections for Americans’ private data and to hold accountable the corporate executives responsible for abusing information.
Wyden’s bill contains some of the most comprehensive protections for Americans’ private data ever introduced, and goes further than Europe’s General Data Protection Regulation (GDPR), says the press release. It would give American consumers an easy, one-click way to stop companies from selling or sharing their personal information, give consumers radical transparency into how corporations use and share their data and impose harsh fines and even prison terms for executives at corporations that misuse Americans’ data and lie about those practices to the government.
“Mark Zuckerberg won’t take Americans’ privacy seriously unless he feels personal consequences. A slap on the wrist from the FTC won’t do the job, so under my bill he’d face jail time for lying to the government,” Wyden said. “I spent the past year listening to experts and strengthening the protections in my bill. It is based on three basic ideas: Consumers must be able to control their own private information, companies must provide vastly more transparency about how they use and share our data, and corporate executives need to be held personally responsible when they lie about protecting our personal information.”
The Mind Your Own Business Act protects Americans’ privacy, allows consumers to control the sale and sharing of their data, gives the FTC the authority to be an effective "cop on the beat", and will spur a new market for privacy-protecting services, notes the press release. The bill empowers the FTC to:
- Establish minimum privacy and cybersecurity standards.
- Issue steep fines (up to four percent of annual revenue) on the first offense for companies, and 10-20 year criminal penalties for senior executives who knowingly lie to the FTC.
- Create a national Do Not Track system that lets consumers stop companies from tracking them on the web, selling or sharing their data, or targeting advertisements based on their personal information. Companies that wish to condition products and services on the sale or sharing of consumer data must offer another, similar privacy-friendly version of their product, for which they can charge a reasonable fee. This fee will be waived for low-income consumers who are eligible for the Federal Communications Commission’s Lifeline program.
- Give consumers a way to review the personal information a company has about them, learn with whom it has been shared or sold, and to challenge inaccuracies in it.
- Hire 175 more staff to police the largely unregulated market for private data.
- Require companies to assess the algorithms that process consumer data to examine their impact on accuracy, fairness, bias, discrimination, privacy and security.
The bill incorporates feedback Sen. Wyden received over the past year, and strengthens a number of pro-consumer provisions:
- Strengthen the impact of the “Do Not Track” opt-out to stop companies from mining user data to target ads on behalf of other companies, which was allowed under the draft bill. A company could continue to use data it holds for its own benefit (for example, examine user emails to develop a spell-checker, or improve its own service).
- Extend “lifeline” protections for privacy-friendly services to low-income users. The bill ensures that privacy does not become a luxury good by requiring companies to offer privacy-protecting versions of their products for free to consumers who are eligible for the FCC’s Lifeline program. Companies will be able to recoup this lost income by charging higher-income consumers a slightly higher fee for privacy-friendly services.
- Permits state attorneys general to enforce the regulations created by the bill to get more cops on the privacy beat.
- Creates a right of action for protection and advocacy organizations. Each state will be able to designate one “protection and advocacy” organization that can file civil suits against companies that violate privacy regulations. This provision would allow dedicated watchdogs to sue companies over privacy violations on behalf of consumers. The bill allows the FTC to distribute some of the money it collects in fines to the designated nonprofits.
- Levies new tax penalties on companies whose CEOs lie about privacy protections. Companies whose executives are convicted will have to pay a tax based on the salary they paid to the officials who lied.
- Clarifies that the bill does not preempt any state law.
Robert Cruz, Senior Director of Information Governance at Smarsh, says, “The proposed law is similar in many regards to GDPR, including penalties that can amount to 4 percent of annual revenue. However, enforcement clearly has a much stronger edge than other privacy bills either enacted or currently being considered. It will usher in greater transparency from corporations, in particular those whose business models are not dependent on ad-driven revenue, who have no choice other than to undergo some fairly significant adjustments in the ways that they manage customer data and in ensuring that they can meet right of access requirements in a timely manner. Some corporations will embrace the increased scrutiny and use it as a differentiator, others will respond to it as a business tax and seek to do the absolute minimum to satisfy state privacy officials.”
How is the Mind Your Own Business Act different from the CCPA? "CCPA has a few provisions where it has been further developed, such as in the areas of cybersecurity and protection of information from minors. CCPA is also attempting to define personal information broadly, including making devices associated with specific individuals subject to the provisions of CCPA. CCPA’s 12 month reach back provision also appears to be unique, where firms' obligations in response to requests will reach back up to a period of 12 months, which makes firms potentially responsible for information they may be using inappropriately at this very minute. Finally, CCPA’s specific enforcement provisions and oversight will continue to be refined as more public commentary will be integrated within a window beginning January 1, 2020," says Cruz.