Taking a tough stance, Sen. Ron Wyden (D-Ore.) introduced a draft of his new privacy bill that would provide for consumer protections and impose stiff penalties and steep fines.
Seeking to “empower consumers to control their personal information,” the Consumer Data Protection Act would establish a national Do Not Track program, giving consumers the ability to learn what information about them is stored by third parties and a process by which to challenge inaccurate data. Consumers would also be able to use an opt-out system created by the Federal Trade Commission in order to prevent information about them from being shared or sold by companies.
In addition to oversight of the Do Not Track program, the FTC would be given the authority to establish and implement “reasonable cyber security and privacy policies, practices and procedures to protect personal information.”
The bill features a broad definition of “personal information” that includes device identifiers and cookies. It would also amend the definition of “substantial injury” in Section 5 of the FTC Act to include “those involving noneconomic impacts and those creating a significant risk of unjustified exposure of personal information.”
The bill would apply to companies that have more than $50 million in annual revenue and that collect personal information on at least 1 million consumers. Entities that have more than $1 billion in annual revenue and collect information on more than 1 million consumers, as well as companies that store, share or use personal information on more than 50 million consumers or consumer devices, would be required to submit an annual data protection report signed by top executives. Those who certify false statements could be imprisoned for up to 20 years and fined up to $5 million.
For companies found to be in violation of the statute, the bill proposes fines of up to 4 percent of annual gross revenue (similar to the European Union’s General Data Protection Regulation), even for a first violation. The proposal would not pre-empt state laws or private rights of action.
“It’s time for some sunshine on this shadowy network of information sharing,” Sen. Wyden said in a statement. “My bill creates radical transparency for consumers, gives them new tools to control their information and backs it up with tough rules with real teeth to punish companies that abuse Americans’ most private information.”
Why it matters: No stranger to privacy legislation, Sen. Wyden has made prior attempts to enact a national bill, including the Consumer Privacy Protection Act in 2017 and 2015. Whether his latest effort can move forward—particularly in light of the current division in Washington, D.C., with Democrats now in power in the House of Representatives but Republicans retaining control of the Senate—remains to be seen. Recent high-profile data breaches and the looming effective date for the California Consumer Protection Act could push lawmakers into taking action.