Earlier this month, a federal privacy law bill was introduced in the Senate by Senator Ron Wyden (D-OR), entitled the "Consumer Data Protection Act" ("CDPA"). The proposed law would create new protections for consumers' personal information and provide the Federal Trade Commission ("FTC") with significant authority to police companies that collect and share sizeable amounts of consumer data. In fact, if signed into law, the CDPA will arm the FTC with the ability to issue harsh financial penalties, as well as criminal jail time for senior executives who fail to follow the guidelines for data use. Proposed federal privacy legislation is not surprising given recent data breaches from well-known companies, such as Equifax, Facebook, Uber, and Yahoo!. In fact, a study from the Pew Research Center suggests that half of all Americans believe that their personal information is less secure now than it was five years ago.

What does the proposed data privacy law cover?

There is currently no federal data privacy law in the United States. The federal government has been establishing precedent, in large part, by and through FTC consent decrees. And, while all U.S. States have enacted some form of privacy law and/or data breach notification statute, the state laws vary significantly from one another. The proposed CDPA aims to regulate data privacy law at the federal level and would provide a more consistent regulatory standard.

Importantly, the federal privacy bill will apply to companies that generate $50 million or more in annual revenue and collect personal information on more than one million consumers. In addition, companies that: (1) have annual revenue of one billion dollars or more and that collect personal information on more than one million consumers; and/or (2) collect and store data on more than 50 million consumers or consumer devices, will be required to submit annual data protection reports to the FTC detailing their compliance with the law, and promptly disclose any privacy breaches, should they occur. A company's senior executives (i.e., chief executive officer, chief information officer, and chief privacy officer) will also be required to submit written statements accompanying these data protection reports.

Notably, the CDPA includes a "Do Not Track" provision, requiring the FTC to implement and maintain a website where consumers may opt-out from having their data shared with third-party companies. This would allow consumers to prevent companies from sharing or selling their personal information. The proposed privacy law contains an interesting provision that would allow companies to charge consumers who want to use the company's products/services, but do not want their information shared (under the CDPA, companies are permitted to charge no more than they would have made had they been able to share/sell the user's data).

Penalties for Privacy Law Violations

The CDPA would empower the FTC to establish minimum privacy and cybersecurity standards, as well as add 175 new people to the FTC's staff who will be tasked with enforcing the prospective privacy law. Under the terms of the bill, the federal government would be given the power to issue cease and desist orders and impose civil fines of up to 4 percent of a company's gross annual revenue for violations of the law. In addition, senior executives who knowingly provide false information would face civil fines of up to $500,000 and a term of up to 20 years in prison.

Federal Privacy Law Going Forward

Before the proposed CDPA becomes law, the legislation will face challenges on many fronts, particularly from large businesses that may suffer crippling effects to their respective bottom lines. Notwithstanding the bill's chances at successful passage, as we have previously blogged, federal privacy law initiatives are not going away. Given the unsettled—but likely soon to be federally regulated—privacy law environment, companies should review their data collection and privacy policies and be sure to keep detailed records of consumer consent.
