The Mind Your Own Business Act, privacy legislation introduced Friday by Sen. Ron Wyden, D-Ore., aims to protect data and punish corporate executives who abuse it.
Billed by Wyden as going further than the General Data Protection Regulation (GDPR), the bill would let consumers control how their data is used – in a single click – and would put the authority for enforcing the legislation on the shoulders of the Federal Trade Commission (FTC).
Facebook CEO “Mark Zuckerberg won’t take Americans’ privacy seriously unless he feels personal consequences. A slap on the wrist from the FTC won’t do the job, so under my bill he’d face jail time for lying to the government,” Wyden said in a release. “I spent the past year listening to experts and strengthening the protections in my bill. It is based on three basic ideas: Consumers must be able to control their own private information, companies must provide vastly more transparency about how they use and share our data, and corporate executives need to be held personally responsible when they lie about protecting our personal information.”
The contents of the proposed legislation reflect feedback from that year of listening: strengthening “Do Not Track,” extending lifeline protections for services aimed at low-income users, giving state attorneys general the authority to enforce the bill’s regulations, creating right of action protections for advocacy and protection groups, and levying tax penalties on organizations when their CEOs lie about privacy safeguards.
While the proposed legislation looks similar to GDPR in a number of ways, its “enforcement clearly has a much stronger edge than other privacy bills either enacted or currently being considered. It will usher in greater transparency from corporations, in particular those whose business models are not dependent on ad-driven revenue, who have no choice other than to undergo some fairly significant adjustments in the ways that they manage customer data and in ensuring that they can meet right of access requirements in a timely manner,” said Cruz, who expects “some corporations will embrace the increased scrutiny and use it as a differentiator, others will respond to it as a business tax and seek to do the absolute minimum to satisfy state privacy officials.”
Under the terms of the legislation, the FTC would have the authority to create minimum privacy and cybersecurity standards; impose steep fines – as much as four percent of annual revenue – on companies for a first offense, as well as 10- to 20-year criminal sentences on executives who deliberately lie to the commission; and create the Do Not Track system that consumers can use to stop organizations from tracking them, selling or sharing their information, or using it to target ads. The agency also would be able to review the personal information companies have used and how it has been shared, increase its staff by 175 employees, and mandate that organizations evaluate the algorithms they use to process consumer data and determine their effect on accuracy, fairness, bias, discrimination, privacy and security.
Regulated corporations likely “will have a head start in meeting these requirements, in that they are already accustomed to actively managing the retention of data, and thus will start with a better understanding of where personal data lives in their organizations and have had the opportunity to implement governance policies to ensure that sensitive data can be brought under control,” said Robert Cruz, senior director of information governance at Smarsh. “For them, the biggest change will likely be to create additional pressure to finally delete data that is redundant or outdated and that has outlived its business purpose. That has been a challenge for almost all organizations. For non-regulated firms that have not been focused on proactive information governance controls, a larger amount of work lies ahead.”
The new bill clarifies that it will not preempt state legislation like the California Consumer Privacy Act (CCPA), which is set to go into effect January 1 and is more fleshed out in some areas. “CCPA has a few provisions where it has been further developed, such as in the areas of cybersecurity and protection of information from minors,” said Cruz. “CCPA is also attempting to define personal information broadly, including making devices associated with specific individuals subject to” its provisions, and it offers an apparently unique 12-month reach-back provision “where firms’ obligations in response to requests will reach back up to a period of 12 months,” making them “potentially responsible for information they may be using inappropriately at this very minute.”