Don’t expect jailed CEOs, but Wyden at least puts consumer privacy on the table

But “discussion” doesn’t mean the draft survives intact. It usually means it gets modified. So don’t expect to see CEOs getting frog-marched to jail, or some of the other more punitive elements of Wyden’s draft—up to $500,000 in fines for executives and up to 4% of the annual revenue of a company—becoming law. There are at least two reasons.

First, the lobbying clout of big business is bipartisan. Which party controls Congress is not a major factor. As Engadget put it, “Turning it into law will likely present a major challenge. While consumer advocates and privacy-minded companies … have lent their support, companies with massive amounts of user data and equally big lobbying budgets are likely to push back against it.”

Second, a discussion draft is just that—an opening gambit, much like proposals that labor and management bring to the table to start contract negotiations. They want what they’re proposing, but they don’t expect to get it all. They want to give themselves some negotiating room.

Wyden’s office isn’t saying how much of the discussion draft the senator hopes will make it into the final draft. Wyden press spokesman Keith Chu said he, “won’t have anything to add before we get back comments on the current draft.” The office is accepting comments at PrivacyBillComments@wyden.sen.gov.

The press release from Wyden said the Consumer Data Protection Act would “create radical transparency for consumers, give them new tools to control their information and back it up with tough rules with real teeth to punish companies that abuse Americans’ most private information.”

It would add 175 people to the staff of the Federal Trade Commission (FTC) and give the agency the authority to “be an effective cop on the beat.”

It would require companies with revenue of $1 billion per year, or that collect and store data on more than 50 million consumers or consumer devices, to submit “annual data protection reports” to the government detailing how they are complying with the Consumer Data Protection Act.

It would also empower the FTC to:

• Establish minimum privacy and cyber security standards.
• Impose fines (up to 4% of annual revenue), on the first offense for companies that violate the law, and 10- to 20-year prison sentences for senior executives who submit false statements to the FTC in their annual data protection reports.
• Create a national “Do Not Track” system that lets consumers stop third-party companies from tracking them on the web by sharing data, selling data, or targeting advertisements based on their personal information. To help companies make up that lost revenue, it would permit them to charge consumers who want to use their products and services but don’t want their information monetized.
• Give consumers a way to review what personal information a company has about them, learn with whom it has been shared or sold, and challenge inaccuracies in it.
• Require companies to assess the algorithms that process consumer data to examine their impact on accuracy, fairness, bias, discrimination, privacy, and security.

Most cyber experts applaud better privacy and security standards. Dan Lyon, principal consultant at Synopsys, notes that multiple private-sector standards already exist, for multiple industries.

“One example is for consumer technology,” he said. “CEB33 was published by the Consumer Technology Association. Others include IEC 62443 (for industrial control systems) and UL2900 (for medical devices). Pulling from an appropriate industry standard is a great way to start.”

But he acknowledges that the downside to mandatory standards is that “many organizations will then only do the bare minimum for compliance.”