When the Federal Trade Commission fined Facebook $5 billion over its data privacy violations in July, it set a record for the largest fine a US regulator ever imposed on a tech company. And even at that amount, lawmakers saw it mostly as a slap on the wrist.
The FTC set another record in September, fining YouTube $170 million in the largest penalty ever levied for violations of the Children's Online Privacy Protection Act. Again, critics saw this fine as a paltry price to pay for violating children's privacy online.
On Thursday, Sen. Ron Wyden, a Democrat from Oregon, proposed legislation he said would bring meaningful punishments for companies that violate people's data privacy, including larger fines and potential jail time for CEOs.
"Mark Zuckerberg won't take Americans' privacy seriously unless he feels personal consequences," Wyden said in a statement. "A slap on the wrist from the FTC won't do the job, so under my bill he'd face jail time for lying to the government."
The Mind Your Business Act is an update to Wyden's Consumer Data Protection Act, which he proposed last November. The lawmaker said he spent the past year listening to privacy experts on what to add to the original proposal.
The new bill allows for state attorneys general to enforce the data privacy regulations and allows for privacy watchdogs to sue companies on behalf of people affected by data violations. It also imposes tax penalties on companies when their CEOs lie about privacy practices, which would be based on the executive's salary.
The spirit of the bill introduced on Thursday remains intact: to bring serious consequences for violating data privacy.
The push for a federal data privacy bill from Congress has been a drawn-out affair, as lawmakers, tech companies and privacy advocates all disagree on what the bill should look like.
Several lawmakers have proposed their own data privacy bills, though there haven't been any clear front-runners. Tech giants like Apple, Google, Microsoft and Facebook have also called for a data privacy law, though critics argue that these pushes are specifically to weaken strong state legislation already in place.
In February, a government watchdog found that the FTC hasn't been able to levy meaningful penalties against tech companies and recommended a federal privacy law that would have real consequences.
Many of the frameworks and legislation proposed don't have any penalties listed. The Internet Association, a lobbying group that represents tech giants like Facebook, Google, Amazon and Microsoft, provided its framework for data privacy legislation last November and listed nothing on punishments for companies that break the law.
Wyden's legislation have the harshest penalties among the flood of data privacy laws proposed in the last year. These punishments include 10 to 20 years in prison for senior executives that lie about their privacy standards.
The fines would also be heftier, going up to 4% of the company's annual revenue for a first-time offense. If that had been in effect during the FTC's fine against YouTube, it would have been a $4.64 billion fine, rather than $170 million.
The proposed legislation also requires companies to review their algorithms for bias and discrimination, as well as incorporate basic security and privacy standards nationwide.
Wyden is also looking to create a national Do Not Track system in which people can opt-out of targeted advertising and having their data sold and shared by tech companies. People would also be able to review what data a tech company has collected on them and who it's shared with.
"It is based on three basic ideas: Consumers must be able to control their own private information, companies must provide vastly more transparency about how they use and share our data; and corporate executives need to be held personally responsible when they lie about protecting our personal information," Wyden said.