Wyden Revises and Introduces Privacy Bill

Senator Ron Wyden (D-OR) formally introduced his bill, renamed as the “Mind Your Own Business Act,” that is based substantially on the discussion draft released last fall, the “Consumer Data Protection Act.” Wyden also released a one-page summary. As noted in our analysis of Wyden’s discussion draft:

This bill would vastly expand the power of the Federal Trade Commission (FTC) to police both the security and privacy practices off many U.S. and international multinational companies. The FTC would receive the authority to levy fines in the first instance, potentially as high as the European Union’s General Data Protection Regulation of 4% of annual gross revenue. Moreover, the operative definition of the “personal information” that must be protected or subject to the privacy wishes of a consumer is very broad. The bill would also sweep into the FTC’s jurisdiction artificial intelligence (AI) and algorithms (i.e. so-called big data). The “Consumer Data Protection Act” would also dramatically expand the types of harms the FTC could use its authority to punish to explicitly include privacy violations and noneconomic injuries.

In his press release, Wyden explained that “[t]he bill incorporates feedback Sen. Wyden received over the past year, and strengthens a number of pro-consumer provisions:

1. Strengthen the impact of the “Do Not Track” opt-out to stop companies from mining user data to target ads on behalf of other companies, which was allowed under the draft bill. A company could continue use data it holds for its own benefit (for example, examine user emails to develop a spell-checker, or improve its own service). 
2. Extend “lifeline” protections for privacy-friendly services to low-income users. The bill ensures that privacy does not become a luxury good by requiring companies to offer privacy-protecting versions of their products for free to consumers who are eligible for the FCC’s Lifeline program. Companies will be able to recoup this lost income by charging higher-income consumers a slightly higher fee for privacy-friendly services.
3. Permits state attorney generals to enforce the regulations created by the bill to get more cops on the privacy beat.
4. Creates a right of action for protection and advocacy organizations. Each state will be able to designate one “protection and advocacy” organization that can file civil suits against companies that violate privacy regulations. This provision would allow dedicated watchdogs to sue companies over privacy violations on behalf of consumers. The bill allows the FTC to distribute some of the money it collects in fines to the designated nonprofits.
5. Levies new tax penalties on companies whose CEOs lie about privacy protections. Companies whose executives are convicted will have to pay a tax based on the salary they paid to the officials who lied.
6. Clarifies that the bill does not preempt any state law.”

As we also noted in terms of outlook for Wyden’s discussion draft, which seems also to be the case for the “Mind Your Business Act:”

This bill is likely the outer bounds desired by the most ardent privacy and civil liberties advocate, and therefore is highly unlikely to get enacted in its current form. Other Democratic bills are far more modest in scope, and few of them address both security and privacy. The chances of enactment are very low, but Congressional interest in privacy legislation will continue because of the GDPR and the California Consumer Privacy Act.