November 10, 2018
By Rudy E. Verner and Jacob Scarr
The Consumer Data Protection Act, a draft bill introduced by Senator Wyden from Oregon, proposes sweeping changes to how the U.S. regulates online privacy and cybersecurity. The bill expands the FTC’s enforcement power under Section 5 of the Federal Trade Commission Act (FTC Act), including a broader definition of harm, new penalties, and more than a hundred new staff members to assist with enforcement.
If passed, the law would apply to people or organizations subject to the FTC’s Section 5 jurisdiction, including those with greater than $50 Million in average annual gross receipts, personal information of more than 1 Million consumers or 1 Million consumer devices, data brokers or organizations that collect or maintain personal information of individuals other than their customers or employees, and subsidiaries of companies that would otherwise be covered.
The bill includes a fairly expansive definition of “Personal Information” as any information, regardless of how the information is collected, inferred, or obtained, that is reasonably linkable to a specific consumer or consumer device.
Other changes to the law include:
1. Steep Fines and Criminal Penalties. The bill increases the potential civil fines to as much as 4% of the total annual gross revenue of the company. Criminal penalties for executives who certify the required annual reports can be as high as $5 Million or 25% of their largest annual compensation and 20 years in prison. The bill also expands Section 5 of the FTC Act to include noneconomic impacts and those creating a significant risk of unjustified exposure of personal information.
2. Reporting Requirements and Impact Assessments. The bill requires annual data protection reports by entities with $1 Billion in annual revenue that store, share or use more than 1 Million consumers’ information or consumer devices’ information, or entities that store or use personal information of more than 50 Million consumers or consumer devices.
3. National “Do Not Track” registry. The bill also mandates the creation of a national “Do Not Track” opt-out registry where consumers can elect an opt-out status that restricts entities from sharing the information of the consumer with third parties unless specific exceptions apply.
4. Consumer Requests. The bill allows consumers to request and review information about them, where that information has been shared or sold, and challenge inaccuracies about that information.
5. Privacy and Cybersecurity Standards. Finally, the bill also requires that entities establish and implement reasonable cybersecurity and privacy policies, practices, and procedures to protect personal information and requires that entities implement reasonable physical, technical, and organizational measures to ensure that technologies or products used, produced, or offered function consistently with reasonable data protection practices.
If you have any questions regarding Senator Wyden’s new Consumer Data Protection Act or other privacy or data security matters, contact Rudy E. Verner at BHGR Law at 303-402-1600. You can find the text of the proposed federal law here.
This article is intended to provide general information and, therefore, should not be treated as legal advice. If you have questions about a specific legal issue, you should seek the advice of a qualified attorney.