Mind Your Own Business Act beefs up privacy protections, gives consumers dominion over data, punishes execs
The Mind Your Own Business Act, privacy legislation introduced by Sen. Ron Wyden, D-Ore., Friday, aims to protect data and punish corporate executives who abuse it.
Billed by Wyden as going further than the
General Data Protection Regulation (GDPR), the bill would let consumers control
how their data is used – in a single click – and puts the authority for enforcing
the legislation on the shoulders of the Federal Trade Commission (FTC).
Facebook CEO “Mark
Zuckerberg won’t take Americans’ privacy seriously unless he feels personal
consequences. A slap on the wrist from the FTC won’t do the job, so under my
bill he’d face jail time for lying to the government,” Wyden said in a release. “I spent the past year listening to experts
and strengthening the protections in my bill. It is based on three basic ideas:
Consumers must be able to control their own private information, companies must
provide vastly more transparency about how they use and share our data, and
corporate executives need to be held personally responsible when they lie about
protecting our personal information.”
The contents of the proposed legislation reflects
feedback from that year of listening, strengthening “Do Not Track,” extending lifeline
protections for services aimed at low-income users, giving state attorneys
general the authority to enforce the bill’s regulations, creating right of
action protections for advocacy and protection groups, and levying tax
penalties on organizations when their CEOs lie about privacy safeguards.
While the proposed legislation looks similar to
GDPR in a number of ways, its “enforcement clearly has a much stronger edge
than other privacy bills either enacted or currently being considered. it will
usher in greater transparency from corporations, in particular those whose
business models are not dependent on ad-driven revenue, who have no choice
other than to undergo some fairly significant adjustments in the ways that they
manage customer data and in ensuring that they can meet right of access
requirements in a timely manner,” Cruz said, who expects “some corporations
will embrace in the increased scrutiny and use it as a differentiator, others
will respond to it as a business tax and seek to do the absolutely minimum to
satisfy state privacy officials.”
Under the terms of the legislation, the FTC would
have the authority to create minimum privacy and cybersecurity standards,
impose steep fines – as much as four percent of annual revenue – on companies
for a first offense as well as 10-20-year criminal sentences on executives who
deliberately lie to the commission and create the Do Not Track system that
consumers can use to stop organizations from tracking them, selling or sharing
their information or using it to target ads. The agency also would be able to
review the personal information companies have used and how it has been shared,
increase its staff by 175 employees and mandate that organizations evaluate the
algorithms they use to process consumer data and determine their effect on accuracy,
fairness, bias, discrimination, privacy and security.
Regulated corporations likely “will have a head
start in meeting these requirements, in that they are already accustomed to
actively managing the retention of data, and thus will start with a better
understanding of where personal data lives in their organizations and have had
the opportunity to implement governance policies to ensure that sensitive data
can be brought under control,” said Cruz. “For them, the biggest change will
likely be to create additional pressure to finally delete data that is
redundant or outdated and that has outlived its business purpose. That has been
a challenge for almost all organizations. For non-regulated firms that have not
been focused on proactive information governance controls, a larger amount of
work lies ahead.”
The new bill clarifies
that it will not preempt state legislation like the California Consumer Privacy
Act (CCPA), set to go into effect January 1 and which is more fleshed out in
some areas. “CCPA has a few provisions where it has been further developed,
such as in the areas of cybersecurity and protection of information from minors,”
said Cruz. “CCPA is also attempting to define personal information broadly,
including making devices associated with specific individuals subject to” its
provisions and offers an apparently unique 12-month reach back provision “where
firms’ obligations in response to requests will reach back up to a period of 12
months,” making them “potentially responsible for information they may be using
inappropriately at this very minute.”
Gloss