Senator proposes data privacy bill with serious punishments

If the bill were a law during Facebook’s privacy scandals, Mark Zuckerberg would face jail time, Sen. Ron Wyden says.

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
Alfred Ng
3 min read

Sen. Ron Wyden has introduced legislation that would impose harsh penalties for data privacy violations.

Win McNamee/Getty Images

When the Federal Trade Commission fined Facebook $5 billion over its data privacy violations in July, it set a record for the largest fine a US regulator ever imposed on a tech company. And even at that amount, lawmakers saw it mostly as a slap on the wrist

The FTC set another record in September, fining YouTube $170 million in the largest penalty ever levied for violations of the Children's Online Privacy Protection Act. Again, critics saw this fine as a paltry price to pay for violating children's privacy online. 

On Thursday, Sen. Ron Wyden, a Democrat from Oregon, proposed legislation he said would bring meaningful punishments for companies that violate people's data privacy, including larger fines and potential jail time for CEOs. 

Watch this: Android apps by the thousands collect user data you can't erase

"Mark Zuckerberg won't take Americans' privacy seriously unless he feels personal consequences," Wyden said in a statement. "A slap on the wrist from the FTC won't do the job, so under my bill he'd face jail time for lying to the government."

The Mind Your Business Act is an update to Wyden's Consumer Data Protection Act, which he proposed last November. The lawmaker said he spent the past year listening to privacy experts on what to add to the original proposal. 

The new bill allows for state attorneys general to enforce the data privacy regulations and allows for privacy watchdogs to sue companies on behalf of people affected by data violations. It also imposes tax penalties on companies when their CEOs lie about privacy practices, which would be based on the executive's salary. 

The spirit of the bill introduced on Thursday remains intact: to bring serious consequences for violating data privacy. 

The push for a federal data privacy bill from Congress has been a drawn-out affair, as lawmakers, tech companies and privacy advocates all disagree on what the bill should look like. 

Several lawmakers have proposed their own data privacy bills, though there haven't been any clear front-runners. Tech giants like Apple, Google, Microsoft and Facebook have also called for a data privacy law, though critics argue that these pushes are specifically to weaken strong state legislation already in place

Privacy advocates rank the creepiest tech gifts of 2018

See all photos

In February, a government watchdog found that the FTC hasn't been able to levy meaningful penalties against tech companies and recommended a federal privacy law that would have real consequences. 

Many of the frameworks and legislation proposed don't have any penalties listed. The Internet Association, a lobbying group that represents tech giants like Facebook, Google, Amazon and Microsoft, provided its framework for data privacy legislation last November and listed nothing on punishments for companies that break the law. 

Wyden's legislation have the harshest penalties among the flood of data privacy laws proposed in the last year. These punishments include 10 to 20 years in prison for senior executives that lie about their privacy standards. 

The fines would also be heftier, going up to 4% of the company's annual revenue for a first-time offense. If that had been in effect during the FTC's fine against YouTube, it would have been a $4.64 billion fine, rather than $170 million.

The proposed legislation also requires companies to review their algorithms for bias and discrimination, as well as incorporate basic security and privacy standards nationwide. 

Wyden is also looking to create a national Do Not Track system in which people can opt-out of targeted advertising and having their data sold and shared by tech companies. People would also be able to review what data a tech company has collected on them and who it's shared with. 

"It is based on three basic ideas: Consumers must be able to control their own private information, companies must provide vastly more transparency about how they use and share our data; and corporate executives need to be held personally responsible when they lie about protecting our personal information," Wyden said.