Consumer Data Protection Act, SIL18B29, 115th Cong. § 2 (2018)
In the wake of major scandals like 2017’s Equifax data breach and Facebook’s 2018 Cambridge Analytica breach, Americans are increasingly conscious of the threat that big data poses to privacy. While consumers are most wary of companies’ misuse of and inability to protect their data, roughly half of Americans also do not trust the federal government to protect their data. As consumers’ trust in the use and security of their data has plummeted, the debate over government regulation of data privacy has intensified. While all 50 states have enacted some form of data privacy law, the federal government has not enacted an equivalent law. Has the time come for federal data privacy legislation?
Senator Ron Wyden (D-OR) believes that it has. In early November, Senator Wyden introduced a sweeping federal privacy law reform bill entitled the Consumer Data Protection Act (“CDPA”). The bill proposes giving consumers increased visibility into and control over the use of their personal information, as well as increasing the Federal Trade Commission’s (“FTC”) ability to monitor and penalize companies that collect and share consumer data. While extensive, the proposed regulations are limited to companies that generate over $50 million in annual revenue and collect personal information on over one million consumers.
The bill substantially increases the power of the FTC to establish and enforce minimum privacy and cybersecurity standards. It authorizes the creation of a new Bureau of Technology and the addition of 125 new employees to the FTC’s Bureau of Consumer Protection. It also proposes the compilation of a national “Do Not Track” data sharing opt-out list through an FTC-run website, which companies would be bound by unless they offer consumers an option to use a substantially similar service for a fee (e.g. subscription model pricing). It also enables consumers to review all personal information that has been stored and shared by companies, and requires companies to re-assess the algorithms used to process consumer data.
The bill also enhances the punitive capabilities of the FTC. It increases companies’ maximum penalty for violations to up to 4% of total gross revenue—in line with Europe’s General Data Privacy Regulation, but a stark increase from the current cap under the Federal Trade Commission Act. It also includes provisions to hold executives accountable for data security, including the possibility of 10- to 20-year criminal jail sentences and fines of up to $5 million for CEOs and executives. In order to facilitate enforcement, companies that have an annual revenue exceeding $1 billion or that collect data on over 50 million consumers are required to submit annual reports describing their compliance with or violations of the regulations.
Advocates for the bill argue that companies have a responsibility to protect personal information and that consumers deserve greater insight and control when it comes to their personal data. As Senator Wyden has stated, “it’s time for some sunshine on this shadowy network of information sharing.” If passed, the bill will provide a more consistent regulatory standard to replace the current patchwork of differing and often contradictory state laws and federal sector-specific laws. Proponents of a single comprehensive federal law argue that a law such as the CDPA will benefit citizens by better protecting their data and aid companies by eliminating the confusion that results from overlapping and often competing laws.
However, the proposed law has already generated debate. The bill’s punitive provisions for executives have generated headlines, and challenges are expected from big businesses whose bottom lines may suffer under the proposed regulations. Critics have also voiced concern about the constraints placed on the comparatively young cybersecurity industry. If the bill becomes law, experts have opined that the bill’s harsher punitive elements are unlikely to remain a part of the final legislation. Regardless of the success of the bill, however, its very existence is a notable step forward in the ongoing debate about federal data privacy regulation and consumer data protection.