By the time it was clear the fallout from the Equifax breach reached roughly three-fourths of adult Americans, Washington lawmakers were already tripping over themselves to churn out a law that they hoped would, in some future, analogous disaster, hold accountable the negligent hoarders of Americans’ personal, private data. By the time Facebook’s Cambridge Analytica scandal reared its head six months later, however, nearly every effort to pass a comprehensive bill that might punish corporate data malfeasance had stalled. Today, only a handful of 2018 campaign websites even mention the issue at all.
On Thursday, the office of Sen. Ron Wyden, one of Congress’ most vocal privacy advocates, began circulating a discussion draft of a bill aimed at bringing to heel Silicon Valley companies that have amassed billions trading in consumers’ private data. The tentatively named “Consumer Data Protection Act” would force sweeping changes at companies such as Google and Facebook, granting consumers the ability to opt out entirely from having their data sold off for marketing purposes, while dramatically increasing the Federal Trade Commission’s (FTC) authority to pursue privacy violators.
To start, Wyden’s privacy bill sets forth a requirement that companies whose revenue exceeds $1 billion per year—or those who store data on more than 50 million consumers or consumer devices—submit to the government “annual data protection reports” outlining the measures taken to ensure the security of all collected personal information. Inspired by the Sarbanes-Oxley Act, which requires executive officers to certify and approve company financial reports, Wyden’s bill would require data protection reports to be certified by top executives, including chief executive officers, who would face not only stiff fines but jail time if they were to fail to comply.
The bill’s current language outlines up to 20-year prison sentences and fines not to exceed $5 million for executives who knowingly mislead the FTC, which at present has no authority to punish first-time corporate offenders. Companies that violate the standards established by the FTC under the law’s authority would also face steep fines, up to 4 percent of their annual revenue. For perspective, a company such as Google could face up to a $5 billion fine for a serious infraction.
But more than hanging a dagger over the heads of corporate officers, the purpose of the bill is to provide consumers with options—and in particular, the option to not be tracked with each click online. As Gizmodo reported earlier this month, the “Do Not Track” privacy tool that comes standard in all browsers currently does nothing to actually dissuade companies from tracking users; a chief aim of the Wyden bill is to resurrect the power of consumers to control who monitors their online activities through an enforceable, “one-stop shop” feature.
Ideally, consumers would be given the power to “opt-out” of being tracked by visiting an FTC website, and, as “Do Not Track” intended, their browsers would notify websites that their information is not to be shared with third parties. Relatedly, websites encountering do-not-track users would not be allowed to facilitate third-party collection either, meaning that ad network code added to websites for the purpose of vacuuming up information about users for third-party companies would essentially no longer be allowed.
“Today’s economy is a giant vacuum for your personal information. Everything you read, everywhere you go, everything you buy and everyone you talk to is sucked up in a corporation’s database,” Wyden said. “But individual Americans know far too little about how their data is collected, how it’s used and how it’s shared.”
Keenly aware that such a move would drastically impact (read: crush) companies such as Facebook, whose business model revolves around its ability to track users for marketing purposes, the bill offers a simple, if not elegant, solution: Companies would be allowed to notify users that the only way to continue using a service or website for free is to allow tracking. But companies that choose to do this cannot simply deny service to anyone who desires not to have their data collected. Instead, they must offer a paid version of the service.
In practice, this would mean Facebook users would be faced with two options: allow Facebook to continue tracking them online so the company can continue to profit by targeting them with ads, or pay a monthly fee to offset the company’s loss in revenue. The fee, as described in the bill’s language, “shall not be greater than the amount of monetary gain the covered entity would have earned had the average consumer not opted-out.” In Facebook’s case, such a fee would be relatively small; in December 2017, the company said it made on average $26.76 per U.S.-based user. (A third option, floated by one Wyden aide, might include allowing users who opt out to continue using a service for free if they agree to, say, watch a three-minute advertisement beforehand.) What’s more, when a user does agree to be tracked in exchange for using a “free” service, the bill requires that they be notified of which third parties will be granted access to what specific information.
The bill also includes two important carveouts: Nonprofit organizations and news companies are exempt from the law, the latter having been excluded intentionally to protect reporters from being forced to surrender data they’ve collected on individuals in journalistic pursuits.
The technology to accomplish what the bill requires may not yet exist. For example, even if companies did pay attention to the “Do Not Track” feature, the feature has no impact on applications running outside of browsers. The law would require such a mechanism. (Wyden aides acknowledged the complexities involved in devising a system that would cover the full range of Internet-of-Things devices; TVs and vehicles that are now tracking users’ online habits, for example.) The hope is that the bill will spur innovation in the privacy arena, but it meanwhile places the onus on the FTC to devise the technological means to create this new opt-out system. The commission would be outfitted to accomplish this feat, however, with an influx of cash and staff, as well as the creation of a Bureau of Technology overseen by a new “chief technologist.”
The draft suggests the appointment of up to 175 additional FTC personnel with technological expertise, such as software engineers, including 100 additional personnel to the commission’s privacy division and 25 personnel to its consumer protection bureau. It also tasks these employees with establishing the minimum privacy and cybersecurity standards to be met by the companies. Lastly, the bill compels companies, for the first time in U.S. history under the law, to assess the algorithms with which they process consumer data to study whether they are inherently prejudicial toward certain people, a well-observed technological issue intertwined with Americans’ civil rights.
Of the bill’s purpose, Wyden said his ultimate goal is to bring about “radical transparency” while arming consumers with “new tools to control their information.” The bill supports those efforts, he added, “with tough rules with real teeth to punish companies that abuse Americans’ most private information.”
“It’s time for some sunshine on this shadowy network of information sharing,” he said.