Many governments are following the European Union’s lead with GDPR [1] by enacting privacy laws that place significant burdens on data collectors. For example, on November 1, 2018, Canada enacted a new privacy law [2] that makes companies responsible for any losses caused by exposing consumers’ private data. While many countries are enacting comprehensive data protection laws, the United States currently has a patchwork [3] of state, federal and industry data protection laws.
Even though the United States may not be any closer to adopting uniform data privacy laws, U.S. legislators are still trying to keep the discussion moving. Just last week, Senator Ron Wyden of Oregon announced a discussion draft of the “Consumer Data Protection Act” [4] (the “Act”) that would establish new privacy rules for large American corporations. While the Act contains a number of provisions that will ultimately limit the chances it will become law (such as steep criminal penalties for corporate officers), there are a number of provisions in the Act that may be worth considering for privacy legislation in the future.
The overall purpose of the Discussion Draft for the Consumer Data Protection Act of 2018 [5] is to end consumer data from being used without the consumers’ knowledge or consent and to return control of the data back to consumers. To achieve this objective, the Discussion Draft gives the Federal Trade Commission a greater ability to address cyber and privacy threats. The Discussion Draft creates mechanisms that would allow the FTC to become what it refers to as a credible deterrent against failing to protect consumer’s data and, in turn, increases the FTC’s resources to enforce current and proposed regulations.
If adopted as drafted, the Act would amend the Federal Trade Commission Act to “establish requirements and responsibilities for entities that use, store, or share personal information, to protect personal information…” First, the Act would create deterrents for a corporation failing to bolster its security measures by issuing fines up to 4% of annual revenue and jail terms lasting anywhere from ten to twenty years for senior executives that fail to implement proper safeguards. Additionally, the Act would increase the FTC’s staff and other resources to allow for the laws to be enforced.
Commentators have stated that the Act is unlikely to pass in its current format “given the extreme penalties [and] lobbying clout of big businesses.” [6] However, even though the Act may never become law, there are a number of concepts short of large fines and corporate officer jail time that we may see incorporated into future data protection laws in the U.S:
- Consumer Opt-Out: If the Act was adopted, the FTC would have two years to create a system that would allow consumers to “opt-out” from having their data gathered, stored and traded by prohibiting information to be shared with third parties. The Act would allow consumers to waive their right to opt-out in order to use a specific product or services. Additionally, the Act would require the company to offer an option for the consumer to pay an additional fee to use a similar service that is not conditioned on waiving the right to opt-out.
- Compliance Reporting: The Act would also require any company with at least $1 billion in revenue and more than 1 million consumers to file an annual report certifying compliance with the Act. The report would be certified by the company’s corporate officers that could result in a jail sentence for both intentional and unintentional violations.
Once again, the Draft Discussion as proposed will at least start a dialogue concerning the next steps for privacy law in the U.S. At its most basic level, this discussion will address fundamental questions concerning U.S. privacy law including what federal agency should be responsible for enforcement of the new privacy laws and the resources that will make enforcement possible.