US senator working on bill that would jail CEOs for user privacy violations

Company execs could face up to 20 years in prison if they lie in privacy reports submitted to the FTC.
Written by Catalin Cimpanu, Contributor

Oregon Democrat Senator Ron Wyden is working on a bill that would bolster US consumer privacy rights, bring them to the level of the EU General Data Protection Regulation (GDPR), and even take protections one step further by jailing executives at big companies for lying or not reporting privacy violations.

The new bill, named the Consumer Data Protection Act (CDPA), is only a draft for the time being, but Sen. Wyden has published a working version, asking for the public's feedback.

In its current state, the CDPA would grant the Federal Trade Commission new powers when enforcing consumer privacy rights.

For starters, the bill would establish minimum privacy and cybersecurity standards that companies would be forced to abide by or face the FTC's wrath. If companies fail, they risk GDPR-like fines of up to 4 percent of their total annual gross revenue.

Second, the CDPA would also mandate that large companies submit annual privacy reports to the FTC. Any company that manages the private data of more than 50 million users or has annual revenue of over $1 billion would have to do so, according to the CDPA.

Senior executives at these large companies, such as Chief Executive Officers, Chief Privacy Officers, or Chief Information Security Officers would personally vouch for these reports.

The reports would have to detail if and how the company complied with the CDPA's new privacy rules. If execs lie or fail to disclose privacy breaches in these reports, they could face up to 20 years in prison.

Among the new privacy protections mentioned in the current form of the CDPA, Sen. Wyden proposes that the FTC establish and enforce a "Do Not Track" system through which consumers are given a choice not to share their personal information with companies.

The CDPA also bans companies from blocking users from accessing their services if they decide not to share their personal data. Instead, the bill would allow companies to charge these users an entrance fee, the equivalent of the user's data, to access their sites or services.

Furthermore, taking a page out of GDPR's book, the CDPA would also allow users a way to review what personal information a company has collected about them and learn with whom it has been shared.

Last but not least, the bill would also create over 175 new jobs at the FTC for employees tasked with watching out for US consumers' privacy. It would also require the FTC to create an API that developers can use to build apps, which, in turn, would help consumers "request, receive, and process information they are entitled to under this Act, and to manage their opt-out preferences."
