Last week, Senator Ron Wyden of Oregon introduced draft legislation tentatively named the Consumer Data Privacy Act. The bill gives consumers the right to opt out of systems that share their data with third parties. Specifically, it calls for the creation of a national “Do Not Track” system to stop companies from tracking internet users by sharing or selling data and targeting advertisements based on their personal information. Under this system a consumer can prevent “covered entities from sharing the personal information of the consumer with third parties,” unless the data sharing “is necessary for the primary purpose for which the consumer provided the personal information.”
Where a company’s free service requires a consumer to opt out of privacy protections, the company would have to give customers “an option to pay a fee to use a substantially similar service that is not conditioned upon” giving up one’s privacy. In other words: sites would be allowed to charge for a version of their product that does not rely on user data to generate revenue. Moreover, the bill is limited to companies that earn more than $50 million in average annual revenue or collect personal information on at least one (1) million consumers or at least one (1) million consumer devices.
On a regulatory level, the bill would give the Federal Trade Commission (FTC) more staff and the power to write privacy regulations. And, the FTC would be able to fine companies for a first offense. Echoing the EU General Data Protection Regulation (GDPR), the bill sets maximum fines at four (4) percent of the revenue. Most controversially, in addition to fines of up to $5 million, senior executives who violate privacy and cybersecurity standards and knowingly mislead regulators could face up to 20 years in prison.
Notably, the bill doesn’t currently say whether the federal government should preempt state rules or address the ability of citizens to sue in certain privacy cases.
Given the drastic penalties, the bill is unlikely to pass in its current form. But, given the mixed industry reaction to California’s far-reaching Consumer Privacy Act of 2018, set to go into effect on January 1, 2020, this likely won’t be the last attempt at a federal data privacy law that we see between now and 2020.