On October 17, Senator Ron Wyden introduced a privacy bill in the Senate that would expand the FTC’s authority to regulate data collection and use, allow consumers to opt out of data sharing, and create civil and criminal penalties for certain violations of the Act.
The Mind Your Own Business Act of 2019 is the latest iteration of Wyden’s discussion draft that he released last November. (We provided an overview of the draft bill here.) Although the two Wyden measures are largely similar, the new bill provides for additional enforcement mechanisms and levies taxes on companies whose executives violate reporting requirements.
Here are some of the key elements of the bill, including notable differences between the new measure and last year’s discussion draft:
Like the discussion draft, the bill applies only to “covered entities,” defined as a person, partnership, or corporation that is subject to Section 5 of the FTC Act, has gross annual receipts of more than $50 million, and holds personal information on more than 1 million consumers or devices.
Increased FTC Authority to Regulate Data Collection and Storage
The bill authorizes the FTC to promulgate regulations that would require covered entities to, among other requirements:
- establish and implement “reasonable cyber security and privacy policies and procedures to protect personal information”;
- implement “reasonable physical, technical, and organizational measures” that ensure technologies and products that interact with personal information “are built and function consistently with reasonable data protection practices”;
- annually provide, at a customer’s request, a “reasonable means” to review and challenge the accuracy of any stored personal information about that customer, as well as a list of the individuals and companies with whom the entity has shared the customer’s data, subject to certain exceptions such as governmental requests;
- conduct impact assessments of “high-risk automated decision systems,” such as artificial intelligence and machine learning techniques, and “high-risk information systems” that “pose a significant risk to the privacy or security” of consumers’ personal information.
Annual Data Protection Reports—Civil and Criminal Penalties
Like the discussion draft, the bill requires certain covered entities to submit annual data protection reports to the FTC that detail their compliance with the regulations described above. Each report must be accompanied by a written statement from the chief executive officer or chief privacy officer certifying that the report complies with the bill’s requirements.
The bill imposes significant criminal and civil penalties for knowingly or willfully certifying a false statement in an annual data protection report. Penalties include a fine of up to $5 million or 25% of the person’s total annual gross revenue for the prior fiscal year (whichever is larger), a prison sentence of up to 10 or 20 years (the longer term applying to willful violations), or both.
In addition, for any covered entity whose chief executive officer or chief privacy officer is convicted under this provision, the bill levies a tax on the entity equal to an “applicable percentage”—the highest tax rate in effect for the taxable year—of the convicted executive’s largest annual compensation in the past three years. The tax penalty is new; it did not appear in last year’s discussion draft.
“Do Not Track” List
The bill would establish a “Do Not Track” website, modeled after the “Do Not Call” telemarketer list, that allows consumers to opt out of data sharing. If a consumer chooses to opt out, then a covered entity may not share that individual’s personal information with third parties except under limited enumerated circumstances, such as when the sharing is for the primary purpose for which the personal information was provided and the receiving third party does not retain or use the data for secondary purposes.
State Attorney General Enforcement and Private Right of Action
The bill adds state and private enforcement mechanisms to the discussion draft. State attorneys general may bring a civil action on behalf of residents in their state if they have reason to believe that an interest of their state residents “has been or is being threatened or adversely affected” by a practice that violates the FTC regulations. Before filing the action, State AGs generally must provide written notification to the FTC, which may then intervene and/or petition for an appeal in the suit.
In addition, the bill creates a private right of action for authorized “protection and advocacy organizations” to bring a civil action against a covered entity that violates the FTC regulations. Each state may authorize only one such organization to file suit.
No State Preemption
The bill clarifies that it does not preempt any state law.