Company execs could go to jail for misusing data under proposed U.S. data privacy law

U.S. Senator Ron Wyden (D-OR) released a draft of federal privacy legislation on Thursday that would impose harsh penalties on senior executives of companies that misuse consumer data.

With fines up to 4 percent of a company’s annual revenue, Wyden’s Consumer Data Protection Act [pdf] mirrors elements of Europe’s General Data Protection Regulation (GDPR), which also assess fees of up to €20 million, or 4 percent of company’s revenue, whichever is higher.

But Wyden’s bill goes even farther, suggesting a penalty of 10 to 20 years in jail for senior executives who fail to follow the rules. It also requires companies to assess their data-processing algorithms to determine their impact on accuracy, fairness, bias, discrimination, privacy, and security.

Why you should care

A federal data privacy law could have far-reaching implications both for businesses that process data as well as those that rely on data for marketing and advertising purposes. It could limit the scope of data available for targeting. Wyden’s proposed bill is designed to have teeth, with the possibility of jail time for violations aimed at making executives think personally about how their firms manage data.

The U.S. has been hemming and hawing over a possible federal data privacy law for some time, but the passing of California’s strict GDPR-like law earlier this year instilled a greater sense of urgency at the federal level. In hopes of pre-empting California’s law, which is set to go into effect January 2020, businesses and tech firms have met with legislators to influence a potential federal law.

Wyden’s draft included commentary from businesses and consumer advocates.

“This is an important and thoughtful contribution to the long-overdue debate we’re having about privacy law in America …,” said Justin Brookman, director of privacy and technology policy at advocacy group Consumers Union.

Wyden said, “It’s time for some sunshine on this shadowy network of information sharing.”

“My bill creates radical transparency for consumers, gives them new tools to control their information and backs it up with tough rules with real teeth to punish companies that abuse Americans’ most private information,” Wyden said.

More on the news

• The proposal adds 175 new staff members to help the FTC police the new rules.
• The measure would provide consumers with a centralized Do Not Track list to prevent companies from sharing their data or using it for targeted advertising. Instead, the rules allow companies to block users who opt out and offer those users a paid version of the service or content in place of the tracking.
• As with GDPR, consumers will also be allowed to ask for, review and challenge any information that’s been collected on them.
• Larger companies with more than $1 billion in revenue will be required to submit regular data compliance reports to the FTC.