Companies’ executives could face up to 20 years in prison
According to reports from information security and digital forensics experts, Ron Wyden, the Democratic senator from Oregon, is working on a bill that would reinforce American consumers' right to privacy. It would reach a level of protection similar to that provided by the European Union's General Data Protection Regulation (GDPR) and even go one step further, as it proposes to imprison executives of large companies for lying about data privacy violations or for not reporting them in the time and form established.
The new bill, called the Consumer Data Protection Act (CDPA), is just a draft for the moment, but Senator Wyden has published a working version, soliciting public and specialized criticism and collaboration.
In its current form, this new law would give new powers to the Federal Trade Commission (FTC) to enforce consumer privacy rights, as reported by experts in digital forensics and cybersecurity.
To begin with, the bill would establish minimum standards of cybersecurity and privacy that companies would be obliged to meet; those that do not would face FTC measures. Companies that fail to comply risk fines similar to those set by the GDPR, which could reach up to 4% of a company’s annual revenue.
In addition, CDPA would also require large companies to submit annual privacy reports to the FTC. According to the bill, any company that manages the private data of more than 50 million users or has annual revenues of more than $1 billion USD will have to do so.
The senior executives of these large companies, such as the executive directors, the privacy directors or the directors of information security, will have to answer personally for these reports.
The reports should detail how the company complied with the new CDPA privacy rules. If executives lie or fail to disclose security violations in these reports, they could face up to 20 years in prison.
Among the new privacy protections mentioned in the bill, Senator Wyden proposes that the FTC establish and implement a system whereby consumers have the option of not sharing their personal information with companies.
According to experts in digital forensics from the International Institute of Cyber Security, the CDPA would also prohibit companies from denying users access to their services if they choose not to share their personal data. Instead, the law would allow companies to charge a user the equivalent of the user data as an entry fee to access their sites or services.
In addition, in what appears to be an exact copy of a page from the European Community data regulation, the CDPA would also provide users with a way to review the personal information that a company has collected about them and to know who it has been shared with.
Last but not least, the bill will also generate more than 175 new jobs in the FTC for employees who monitor the privacy of U.S. consumers. The bill will also require the FTC to create an API that developers can use to create applications, which in turn would help consumers “solicit, receive, and process the information they are entitled to under this law, and manage their opt-out preferences”.