US senator introduces privacy bill that would jail CEOs for user privacy violations

Sen. Wyden introduces new consumer privacy bill that puts even the EU's GDPR to shame.


Sen. Ron Wyden (left) speaking to Sen. Dianne Feinstein in June 2013 (Image: J.S. Applewhite/AP)

Sen. Ron Wyden (D-OR) announced today a new bill that introduces sweeping privacy protections for Americans' private information.

Named the Mind Your Own Business Act (MYOBA), the bill includes clauses that will give Americans "an easy, one-click way to stop companies from selling or sharing their personal information" and grants consumers the right to see how companies use and share their data.

In addition, the bill goes one step further than any other user privacy legislation around the world by also introducing prison terms for executives at companies that misuse user data and then lie about it to the government.

"Mark Zuckerberg won't take Americans' privacy seriously unless he feels personal consequences. A slap on the wrist from the FTC won't do the job, so under my bill he'd face jail time for lying to the government," Wyden said, referring to the $5 billion fine that the FTC imposed on Facebook, and which many critics called a mere slap on the wrist.

"I spent the past year listening to experts and strengthening the protections in my bill," Sen. Wyden said, referring to an earlier bill draft, known as the Consumer Data Protection Act (CDPA).

"[The new bill] is based on three basic ideas: Consumers must be able to control their own private information, companies must provide vastly more transparency about how they use and share our data, and corporate executives need to be held personally responsible when they lie about protecting our personal information," the senator added.

In its current form, Sen. Wyden said MYOBA goes even further in establishing consumer privacy protections than the EU's vaunted General Data Protection Regulation (GDPR).

The FTC getting the teeth it always wanted

Until today, the FTC usually handled user privacy slip-ups in the US. However, as FTC spokespersons told ZDNet in emails last year, the agency lacked the legal power to do anything about user data privacy abuses, other than imposing meager fines.

Sen. Wyden's MYOBA will finally give the FTC the teeth it wanted for so many years. According to the current form of the bill, MYOBA empowers the FTC to:

  1. Establish minimum privacy and cybersecurity standards.
  2. Issue steep fines (up to 4% of annual revenue) on the first offense for companies, and 10-20 year criminal penalties for senior executives who knowingly lie to the FTC.
  3. Create a national Do Not Track system that lets consumers stop companies from tracking them on the web, selling or sharing their data, or targeting advertisements based on their personal information. Companies that wish to condition products and services on the sale or sharing of consumer data must offer another, similar privacy-friendly version of their product, for which they can charge a reasonable fee. This fee will be waived for low-income consumers who are eligible for the Federal Communications Commission's Lifeline program.
  4. Give consumers a way to review the personal information a company has about them, learn with whom it has been shared or sold, and to challenge inaccuracies in it.
  5. Hire 175 more staff to police the largely unregulated market for private data.
  6. Require companies to assess the algorithms that process consumer data to examine their impact on accuracy, fairness, bias, discrimination, privacy and security.

In addition, other notable clauses found in MYOBA include:

  1. Strengthen the impact of the "Do Not Track" opt-out to stop companies from mining user data to target ads on behalf of other companies, which was allowed under the draft bill. A company could continue to use data it holds for its own benefit (for example, examine user emails to develop a spell-checker, or improve its own service).
  2. Extend "lifeline" protections for privacy-friendly services to low-income users. The bill ensures that privacy does not become a luxury good by requiring companies to offer privacy-protecting versions of their products for free to consumers who are eligible for the FCC's Lifeline program. Companies will be able to recoup this lost income by charging higher-income consumers a slightly higher fee for privacy-friendly services.
  3. Permits state attorneys general to enforce the regulations created by the bill to get more cops on the privacy beat.
  4. Creates a right of action for protection and advocacy organizations. Each state will be able to designate one "protection and advocacy" organization that can file civil suits against companies that violate privacy regulations. This provision would allow dedicated watchdogs to sue companies over privacy violations on behalf of consumers. The bill allows the FTC to distribute some of the money it collects in fines to the designated nonprofits.
  5. Levies new tax penalties on companies whose CEOs lie about privacy protections. Companies whose executives are convicted will have to pay a tax based on the salary they paid to the officials who lied.
  6. The bill won't preempt any state privacy laws.

Sen. Wyden's bill is just the latest in a long list of user data privacy bills introduced in the Senate and House; however, it is the most consumer-friendly of them all.

Chances of the bill passing are low. Industry lobby efforts have historically watered down any meaningful legislation, across multiple fields and industry verticals. Because of this, states -- like California -- have begun looking at user privacy protections on their own.