If you ask Sen. Ron Wyden, there’s only one thing that will stop executives at Facebook and other tech giants from violating their users’ privacy: the taste of prison chow.
Multi-billion dollar fines, after all, don’t seem much of a deterrent. After Facebook was hit with a $5 billion fine earlier this year, its shareholders’ net worth actually increased. There’s little sense the penalty made any difference at all. As one lawmaker reportedly put it upon hearing the figure, $5 billion, to Facebook, is nothing more than a “mosquito bite.”
A constant privacy hawk, Wyden is one of the few Washington lawmakers willing to go the distance, to put something into law that would instantly and dramatically change the way major companies handle our private data. Over the past year, he’s been quietly revising a bill meant to do just that. Of all the privacy bills we’ve seen in recent years, Wyden’s is the only one that has any real teeth, and today, he’s introducing it in the United States Senate.
First off, the “Mind Your Own Business Act” would finally arm the Federal Trade Commission (FTC) with the power and personnel necessary to adequately punish out-of-control corporations. Companies would no longer simply get off with a warning the first time they break their users’ trust. Instead, they would face immediate fines of up 4 percent of their annual revenue. For companies the size of Google and Facebook, that means billions of dollars.
But here’s the kicker: Under the bill, executives who knowingly lie to the FTC about privacy violations could face up to 20 years behind bars, and their companies could then be forced to pay a tax based on the salary of the convicted executive.
Violating consumers’ privacy has been exceedingly profitable for corporations like Facebook, and according to Wyden, there’s really no other recourse. “Mark Zuckerberg won’t take Americans’ privacy seriously unless he feels personal consequences,” Wyden told Gizmodo in an email. “A slap on the wrist from the FTC won’t do the job, so under my bill he’d face jail time for lying to the government.”
What’s more, the legislation would also empower consumers to halt the sale or exchange of their personal information with a single click through the introduction of a national “Do Not Track” system. Sites like Facebook—free to use because they mine their users’ personal information—would be forced to offer a “privacy-friendly” versions of their product. To offset any harm this might cause to their business, companies could charge a “privacy fee.” To prevent companies from taking advantage of consumers, the fee cannot exceed the amount of money a company would forfeit by not selling a user’s data. Facebook, for example, would only be able to charge users in North America around $26 a year—what it has typically made on average per user in that region, according to the company’s own financial data.
And to prevent privacy from becoming a luxury, low-income consumers who meet the same eligibility requirements for the U.S. government’s Lifeline program cannot be charged under Wyden’s bill.
“I spent the past year listening to experts and strengthening the protections in my bill,” Wyden said. “It is based on three basic ideas: Consumers must be able to control their own private information, companies must provide vastly more transparency about how they use and share our data; and corporate executives need to be held personally responsible when they lie about protecting our personal information.”
The bill, which, importantly, does not preempt states from passing their own privacy laws (such as the California Consumer Privacy Act or Nevada’s Senate Bill 220), would also beef up the FTC with 175 new employees dedicated solely to policing the private-data market. Moreover, it would require companies to audit algorithms that process user data “to examine their impact on accuracy, fairness, bias, discrimination, privacy, and security.”
The “Mind Your Own Business Act” has evolved in response to feedback since a draft of the bill was first circulated last year: It would now permit state attorneys general to also enforce the regulations, as opposed to placing that responsibility solely on the FTC. Further, states would be allowed to each create a watchdog organization whose purpose would be to file civil suits against corporations that violate the law. These organizations would be funded in part by fines collected by the FTC.
Lastly, the “Mind Your Own Business Act” would give consumers the right to examine what data about them companies have collected, challenge inaccurate information companies are propagating about them, and to request information about with whom that data has been shared and sold.
Over two years have passed now since the catastrophic Equifax breach. In that time, Congress has done next to nothing to protect Americans from the immensely profitable corporate malfeasance that, rampant over the last decade, has left hundreds of millions of people exposed to potential fraud, identity theft, and cyber-stalking, to name only a few threats. Many would argue (with some justice) that corporate data abuse even threatens to undermine American democracy by placing the integrity of elections in question.
Companies like Facebook have turned the phrase “privacy policy” into an oxymoron. Privacy violators are almost never punished, but regulators do dole out the rare consequence, it’s invariably a joke. What’s worse, everyone knows it.
The decade is nearly over and with it, the time for half-measures has passed. Consumers need a law at least as rigorous as the “Mind Your Own Business Act” now. In fact, they needed it yesterday.