Senator Ron Wyden last week released a discussion draft of a federal privacy bill that would amend Section 5 of the Federal Trade Commission Act to expand the FTC’s authority, create significant civil fines, and enforce certain provisions through criminal penalties.
The draft Consumer Data Protection Act is among a growing number of proposals for federal privacy legislation in the United States. These federal proposals follow the EU’s enactment of the General Data Protection Regulation (“GDPR”), which took effect in May, and the June enactment of the California Consumer Privacy Act (“CCPA”). The Wyden measure has not yet been introduced in the Senate.
Below we highlight key aspects of the draft legislation.
The bill applies only to “covered entities,” defined as a person, partnership, or corporation subject to Section 5 of the FTC Act. The definition excludes any such entity that has gross annual receipts of less than $50 million and that holds personal information on fewer than 1 million consumers and devices.
New Requirement to Submit Annual Data Protection Reports—Enforced by Civil and Criminal Penalties
The bill would require certain covered entities to submit annual data protection reports to the FTC. This requirement would apply to: (1) covered entities with more than $1 billion in annual revenue that store, share, or use personal information on more than 1 million consumers or consumer devices, and (2) covered entities storing, sharing, or using personal information on more than 50 million consumers or consumer devices. The report is to describe in detail the entity’s compliance with the technical and security safeguards created by the legislation. Each report must also be accompanied by a written statement from the chief executive officer, chief privacy officer, or chief information security officer, certifying that the report complies with the bill’s requirements. The bill would create significant criminal and civil penalties for knowingly or intentionally false certifications, including up to a $5 million fine or 20 years’ imprisonment (or both) for an intentionally false certification.
Increased Civil Penalties by FTC
Currently, the FTC can only impose civil penalties against companies when they violate an existing consent order; entities not already under a consent order are not subject to civil or criminal penalties. The draft bill would change this approach, empowering the FTC to impose fines of up to $50,000 per violation or four percent of the entity’s total annual gross revenue for a first-time offense.
FTC to Establish New Data Protection Regulations
Under the draft bill, the FTC is given rulemaking authority to establish new regulations that require covered entities to, among other requirements:
establish and implement “reasonable cyber security and privacy policies, practices and procedures to protect personal information”;
implement “reasonable physical, technical, and organizational measures” that ensure technologies and products that interact with personal information “are built and function consistently with reasonable data protection practices”;
designate an employee responsible for overseeing compliance with the bill;
respond to written data requests from verified consumers within 30 days, including allowing the consumer to review personal information and challenge its accuracy, among other requirements; and
conduct impact assessments of “automated decision systems” such as machine learning and artificial intelligence techniques, and “high-risk information systems,” which involve certain sensitive data.
Expansion of “Substantial Injury” to Include Noneconomic Injuries
The draft bill would also expand the definition of “substantial injury” in Section 5 of the FTC Act to expressly include noneconomic injuries. Currently, an act or practice is only unlawful under Section 5 if it causes or is likely to cause “substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” The draft bill would broaden that language so that substantial injuries include “those involving noneconomic impacts and those creating a significant risk of unjustified exposure of personal information.”
Establishment of “Do Not Track” List, Tailored After the “Do Not Call” List
The draft bill would also require the FTC to issue regulations creating a “Do Not Track” website to permit consumers to opt out of all data sharing, akin to the highly regarded Do Not Call list. The opt-out website would allow “consumers to opt-out of data sharing, view their opt-out status, and change their opt-out status.” Covered entities would be prohibited from sharing the personal information of consumers on that opt-out list with third parties except under limited enumerated circumstances, such as when sharing is necessary for the primary purpose for which the data was provided and the third party does not retain the information for secondary purposes.
No State Preemption
The draft bill would not preempt any state privacy laws. It therefore departs from the approach identified in a number of recent proposals, including by the U.S. Chamber of Commerce and the Internet Association, that call for preemption of inconsistent state laws.
New Bureau of Technology, and 175 New FTC Hires
The measure would establish a Bureau of Technology and call for the hiring of 175 more FTC staff. It would also require the FTC to create rules and guidance for a consumer complaint resolution process.