CEOs and other executives at large technology organizations could face jail time if a recently introduced bill, referred to as the Consumer Data Protection Act of 2018 (CDPA), gains traction. The draft has been put forward by Oregon Senator Ron Wyden for public discussion and outlines new transparency rules, oversight, and associated penalties intended to regulate corporations that handle large amounts of consumer data. Specifically, it would apply to companies with more than $50,000,000 in ‘average annual gross receipts’ over a three-year period that manage personal information on more than 1 million users or devices. In summary, the current draft of the bill seeks to define and enforce a minimum standard for privacy and cybersecurity, starting with giving users an easy way to review the personal information a given company holds and who it has been shared with.

Oversight by the Federal Trade Commission would require a further 175 jobs to be created at the agency, and companies would have to submit annual reports covering those aspects of user data. The bill would also require companies to actively ‘assess’ the algorithms they use to process user data with regard to accuracy, fairness, bias, discrimination, privacy, and security. Additionally, a national Do Not Track system would be created that lets consumers halt tracking and the monetization of their personal information by third-party companies online. Finally, penalties for failing to meet the standards would be set at up to four percent of a company’s annual revenue and, in criminal proceedings, between 10 and 20 years of jail time for senior executives. The latter could also include fines for a given executive of up to $5 million or 25 percent of the ‘largest amount of annual compensation’ that the employee received during the preceding three-year period.

Background: The language in the bill is notably similar to that found in the EU’s GDPR, but it also appears to build on another US bill, put forward in April, that sought to strengthen consumer privacy protections. That earlier bill was referred to as the Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act and was intended to mandate the creation of security policies. It would have required corporations to build robust protections for the consumer data they collected and to follow guidelines ensuring that consumers were told what was collected in a more straightforward manner. CDPA goes substantially further, seeking to give consumers a level of control over what is collected and how it is used, following more than a year of privacy and security controversies.

Facebook’s Cambridge Analytica scandal has overshadowed much of the conversation about protections for internet users and the role of internet-based technology companies in society. However, it is just one of several incidents to have spurred discussion and new regulation proposals to address these issues in the US. Among the more recent examples is the security breach at Google’s ‘Plus’ social network, which occurred in March but went unreported for several months out of fear of a major backlash. Ultimately, that failure has resulted in the social network being put on the chopping block over the next year.

Impact: Under the newly proposed rules, Google would have been required to report the issue to the FTC and, failing that, could have faced severe fines. Moreover, its executives could face stiff penalties of their own, including jail time, for knowingly withholding information from users. Bearing that in mind, CDPA is only up for public discussion for the time being, and there is no indication as to when, or if, it might move forward or be put up for a vote. So there is no guarantee any such rules will be put in place.