A privacy bill floated Thursday by Senator Ron Wyden (D-Oregon) would create a national “do not track” regime that gives consumers the right to prevent information about them from being shared or sold by ad tech companies.
A draft version of the Consumer Data Protection Act also aims to establish cybersecurity standards. The measure provides for hefty fines for companies that fail to comply, and criminal sanctions -- including up to 20 years in prison -- for senior executives who file false security certifications.
“Consumer data collection & new technology have posed an unprecedented threat to Americans’ privacy,” Wyden said Thursday on Twitter. “Congress must take action to increase transparency about how corporations sell, share & use data.”
Wyden's draft bill comes several weeks after the Senate Commerce Committee held two hearings about online privacy. Federal lawmakers previously examined the topic without passing legislation. But recent high-profile data breaches, as well as the revelation that political consultancy Cambridge Analytica harvested data from up to 87 million Facebook users, are now sparking a new push for regulations.
Among other provisions, Wyden's proposal would allow consumers to learn what personal information is stored about them by third parties, and to challenge inaccuracies. The draft defines personal information as “any information, regardless of how the information is collected, inferred, or obtained that is reasonably linkable to a specific consumer or consumer device.” That definition appears broad enough to cover much of the information relied on by the ad industry, including supposedly “anonymous” device identifiers and cookies.
The draft bill tasks the Federal Trade Commission with creating a national opt-out website, and establishing an opt-out system -- such as one that allows people to opt out via a browser setting. The FTC first endorsed the do-not-track concept in 2010, following which the major browser developers began offering “do-not-track” settings. But most web publishers and ad tech companies appear to ignore that setting.
Wyden's draft bill provides that companies can't refuse service to consumers who don't want to be tracked. Instead, the companies must offer paid versions of their products or services, but fees would be capped at what the companies would have gleaned by sharing the data.
The bill also explicitly gives the FTC authority over practices that create a “significant risk of justified exposure of personal information.”
Wyden's proposed law, if passed, would mark a significant shift in the legislative landscape, according to Dan Jaffe, executive vice president for government relations at the Association of National Advertisers.
“It's an extremely broad bill that impacts the privacy sector in a very substantial way,” Jaffe says.
He adds that the proposal's do-not-track provision “seems to ignore the fact that the industry already has a broad and successful self-regulatory system.” That program involves using icons to inform people about online tracking and ad targeting, and allowing them to opt out of receiving targeted ads.