Proposed Federal Consumer Data Protection Act Would Increase FTC Authority to Regulate Consumers’ Personal Information
In November 2018, Senator Ron Wyden (D-OR) released a discussion draft of the Consumer Data Protection Act (the “Act”), which would empower the Federal Trade Commission (the “FTC”) to regulate data privacy practices, sanction companies and their senior executives for improper practices regarding personal information, and provide consumers with better control over the storage, sale, and sharing of their personal information.
The Act was prepared in response to a global push toward greater protection of consumer data and is intended to address what many perceive to be shortcomings of federal law with respect to ever-growing threats to consumer privacy (for more information on recent data privacy developments, please see our articles discussing the European Union’s General Data Privacy Regulation (GDPR) and the California Consumer Privacy Act of 2018).
The crux of the Act is its expansion of the FTC’s authority to include enforcement power over business practices that create a significant risk of unjustified exposure of consumers’ personal information. Violations of the minimum privacy and cybersecurity standards of the Act, and those later promulgated by the FTC pursuant to the Act, could subject companies to steep fines ($50,000 per violation and up to 4 percent of the company’s annual revenue), even for first-time violations.
The Act also requires certain “covered entities” to submit to the FTC an annual data protection report that details whether such covered entity complied with the Act’s standards during the preceding reporting period. A “covered entity” is any entity that either (1) has $1 billion or more in annual revenue and that stores, shares, or uses the personal information of more than 1 million consumers or consumer devices, or (2) has more than $50 million or more of average annual revenue during a three-year period, and stores, shares, or uses the personal information of more than 50 million consumers or consumer devices. Any senior executive who signs off on a false annual data protection report could be subject to a fine of up to 5 percent of the largest amount of annual compensation that such senior executive received during the preceding three-year period, or up to 10 years in prison, or both. Any senior executive who knowingly signs off on a false annual data protection report could be subject to a fine of up to 25 percent of the largest amount of annual compensation that such senior executive received during the preceding three-year period, or up to 20 years in prison, or both.
Another feature of the proposed Act is the creation of a nationwide “Do Not Track” system to provide consumers with a way to request that companies not share their personal information. If a company requires consumers to provide permission to share their personal information as a condition of receiving products or services from the company, the Act permits such company to charge consumers a fee, but such fee may not exceed the amount of monetary gain that the company would have earned through the sharing of the consumers’ personal information.
Also included in the proposed Act are several provisions that would enable the FTC to implement and enforce the provisions of the Act, including sections establishing a new Bureau of Technology within the FTC and authorizing the FTC to appoint 175 personnel to police the market for personal information.
Though Sen. Wyden intends to introduce the Act in Congress in early 2019, it is unclear whether the Act will ever be enacted as law. Nonetheless, the Act would represent a significant step toward federal regulation of personal information, and would constitute the most sweeping federal legislation regarding personal information to date.