Mind Your Own Business Act of 2019, S.2637, 116th Cong. (2019).
Two weeks ago, Senator Ron Wyden (D-OR) released a draft of a new federal data privacy bill, known as the “Mind Your Own Business Act”, that would, if enacted, empower the Federal Trade Commision (“FTC”) to regulate companies' use of consumer data, and create criminal penalties, including prison sentences, for non-complying executives. The bill targets large technology companies like Facebook and is a response to the data breaches and privacy violations that have occurred over the past two years. The draft bill is similar to GDPR in many aspects, such as the 4% penalty on annual revenue, but differs in that its enforcement provisions are much stronger.
The FTC has been criticized for insufficiently punishing the privacy law violations of companies like Facebook, Equifax, and YouTube. While many of the FTC’s fines have set records, they are often small in comparison to the fined companies’ annual profits and so fail to deter future violations. In fact, Facebook’s valuation actually increased by $10 billion after the FTC fined that company $5 billion this year. Since civil penalties are frequently viewed as simply “a slap on the wrist,” Wyden’s bill introduces jail time for executives who knowingly violate the new rules to incentivize companies to take privacy and data security seriously.
The Mind Your Own Business Act is targeted at large businesses. Specifically, any entity with less than $50 million in annual revenue and personal information on fewer than 1 million consumers or consumer devices is excluded. The bill amends section 5(n) of the Federal Trade Commission Act to expressly include “noneconomic impacts” in the definition of a substantial injury. In addition, the FTC is empowered to levy fines up to 4 percent of annual revenues for first-time violations, depending on the nature and severity of the violation.
The bill also introduces new reporting requirements on businesses with either (1) personal data on more than 50 million consumers or consumer devices or (2) more than $1 billion in revenues and personal data on more than 1 million consumers or consumer devices. Covered entities would submit reports describing in detail the entity’s compliance with the new requirements and regulations promulgated under FTC. The CEO and Chief Privacy Officer will be required to certify the accuracy of these annual reports and risk facing significant civil and criminal penalties with consequences of up to 20 years prison time for any intentionally false certifications.
In addition to the new reporting requirements, the bill would give the FTC rule-making authority to establish new regulations to require companies to implement best practices for data storage and protection. Companies will be required to conduct risk assessments of automated decision systems that use artificial intelligence or machine learning. Entities must designate one employee who is responsible for overseeing compliance with these regulations. Enforcement of these new regulations will be carried out by a new Bureau of Technology within the FTC and 175 new hires that are authorized by the bill.
The FTC would also be required to set up a centralized “Do Not Track” website where consumers can choose to opt-out of data sharing with one click. This would be similar to the “Do Not Call” list, which was also set up by the FTC to provide a convenient forum for consumers to opt out of unwanted telemarketing and sales calls. Covered entities would be required to check this list and comply with consumer preferences. They would also have to explain clearly how consumers’ personal data will be used and shared. If consent to data sharing is required to access the product or service, the entity must offer a substantially similar alternative version of the product or service that does not require consent in exchange for a monetary fee that is limited to the typical profit that the entity would make if data sharing was consented to. The entity must also provide this “privacy-lite” version at no cost to low-income consumers.
In order to not discourage states from drafting their own laws in this area, the bill does not preempt any state laws, such as California’s tougher Consumer Privacy Act. The bill also encourages states’ attorney generals and advocacy organizations (1 designated per state) to bring actions under the new bill. Republicans are strongly opposed to this newly created private right of action and instead want a federal bill to override any state laws. It is unlikely the bill will be passed in its current form.