New Draft Privacy Bill: Consumer Data Protection Act by Senator Wyden - Clarip Privacy Blog

New Draft Privacy Bill: Consumer Data Protection Act by Senator Wyden

Senator Ron Wyden (D-OR) released a draft of new federal privacy legislation called the Consumer Data Protection Act today. If passed, the law would radically overhaul federal privacy protections for consumers across the United States. The draft does not mention federal preemption, so it would likely leave in place the protections of the California Consumer Privacy Act. Senator Wyden is accepting feedback on the bill and has not yet introduced it into the U.S. Senate for consideration.

According to the press release, the Consumer Data Protection Act would empower the Federal Trade Commission to:

1. Establish minimum privacy and cybersecurity standards.
2. Issue fines of up to 4% of annual revenue on the first offense and 10-20 year criminal penalties for senior executives.
3. Create a national Do Not Track system that lets consumers stop third-party companies from tracking them on the web.
4. Give consumers a way to review the personal information a company possesses about them, and where it has been shared or sold.
5. Require companies to conduct impact assessments on algorithms that process consumer data.
6. Authorize the FTC to hire an additional staff of 175 people.

Here are a few important sections of the potential new legislation:

Do Not Track Website

A National Do Not Track Website that gives Americans a central page to opt out of data sharing across the internet would be created and maintained by the FTC. It would allow consumers to opt out of data sharing, view their opt-out status and change their status. The opt out would prevent sharing information with third parties unless it is necessary for the primary purpose for which the consumer provided the personal information and the information was not retained for secondary purposes.

Annual Data Protection Reports with Executive Certifications & Criminal Penalties

Organizations covered by this requirement would need to submit an annual data protection report to the Federal Trade Commission. The report would need to cover in detail whether the covered entity complied with the privacy regulations created by the FTC as part of the Consumer Data Protection Act. If the organization did not comply, it would need to provide a description of the violation and the number of consumers impacted.

The potential privacy law borrows one of the key measures of the Sarbanes-Oxley Act and requires top executives at large corporations to certify the annual data protection report. The penalties for knowingly misleading the FTC under the law would be up to $5 million, with prison sentences of up to 20 years possible.

Complaint Tracking and Resolution

The FTC would create an online portal to allow consumers to report companies that are improperly using, storing or sharing personal information. The FTC would review and forward those complaints to the appropriate organization, and store the response from the company. The consumer would be able to track the status of their complaint and receive email updates.

Privacy API Development

The FTC would be required to standardize an API to permit consumers and covered entities to programmatically avail themselves of the rights and responsibilities under the new federal privacy law.

Impact Assessments

Covered organizations would need to conduct impact assessments on existing high-risk automated decision systems and information systems at the frequency determined by the FTC, and on new high-risk automated decision systems or information systems prior to implementation. The privacy assessments would be known as an automated decision system impact assessment or a data protection impact assessment, as appropriate.

Data Subject Access Rights

Organizations would be required to provide individuals with the right to access their information, the right to correct inaccurate or misleading information, and the ability to get a list of third parties where their information was shared or sold.

Federal Trade Commission

The FTC would gain the ability to require reasonable cybersecurity and privacy practices. It would also have the authority to issue significant fines against companies on their first violation (up to 4% of annual revenue).

– FTC Bureau of Technology

The proposed law would establish a new Technology Bureau at the FTC with a Chief Technologist authorized to appoint a staff of 50.

– FTC Bureau of Consumer Protection

The legislation would authorize the hiring of 125 additional individuals within the Bureau of Consumer Protection at the FTC. The Division of Privacy and Identity Protection could get as many as 100 additional employees and the Division of Enforcement up to 25 additional employees.

Covered Businesses

The draft legislation would exclude businesses with average annual gross receipts of less than $50 million for the prior three-year taxable period and personal information on fewer than 1 million customers and 1 million devices. For annual data protection reports, it would apply to organizations with over $1 billion in annual revenue.

For covered businesses, maximum fines would be $50,000 per violation or 4% of total annual gross revenue.

Here is the link to the full draft (pdf).

Other Blog Posts on Privacy Bills in the US Senate:

American Data Dissemination Act – Senator Marco Rubio.
Data Care Act – 15 Senate Democrats led by Senator Schatz
Senator Thune Privacy Bill
8 Proposals on Privacy from Draft Senate Policy Paper
Social Media Privacy and Consumer Rights Act introduced into Senate
Senate to Consider CONSENT Act for Enhanced Privacy Protections Online
Do Not Track Kids Act Back in Congress