Proposed privacy bill mirrors GDPR, adds jail time for lying CEOs

Introduced by Sen. Ron Wyden, the Consumer Data Protection Act overhauls internet privacy protections and gives FTC the authority to create standards and penalize law-breakers.
By Jessica Davis
03:27 PM

A proposed Senate bill takes aim at consumer privacy rights with harsh penalties for companies that violate privacy laws. Introduced by Sen. Ron Wyden, D-Oregon, the bill would apply to companies that generate more than $50 in revenue and with personal data on more than 1 million people.

If passed, the Consumer Data Protection Act would overhaul internet privacy protections on par with EU General Data Protection Regulation and give the Federal Trade Commission the ability to enforce those consumer privacy rights.


Currently, the FTC does not have the authority to take on privacy violations. It can only fine technology companies that have agreed to a consent decree.

In its current draft state, CDPA would set minimum privacy and cybersecurity policies that companies would be mandated to follow. Those companies that fail to comply would risk fines similar to GDPR -- up to 4 percent of annual gross revenue.

Further, large companies would need to submit annual privacy reports to the FTC based on those standards, which would be verified by the company’s senior executives. The reports would include details on how the company complied with the new privacy rules.

The harshest penalty for lying on these reports or failing to disclose a breach? Ten to 20 years in prison for the executive responsible for the report.

The bill would also create a national “Do Not Track” system, which would let consumers stop companies from tracking them on the web by sharing or selling their data, or by targeting advertisements based on personal data. It would also allow companies to charge consumers who don’t want their data monetized.

At the moment, if consumers don’t want to be tracked, they must opt out on their own.

Wyden said the bill is a direct response to the abundance of privacy scandals in recent years, including Yahoo, Target, Equifax and Uber -- which recently settled for attempting to hide a hack on its system.


Much like GDPR, Wyden’s bill would give users a way to review the data companies have collected on them -- and to view the companies with which their data has been shared. For healthcare, where large organizations operate with a long list of vendors -- and those vendors with their own business associates -- this bill could have a serious impact.

As threats increase and hackers continue to target all sectors -- including healthcare -- states have begun proposing stricter breach laws. California recently passed one of the toughest privacy laws, but this is the first proposed federal law meant to protect a consumer’s right to privacy.

While there’s still a long road ahead for the bill, its proposal could signal a shift in how the government considers consumer data protection.


“Today’s economy is a giant vacuum for your personal information,” Wyden said in a statement. “Everything you read, everywhere you go, everything you buy and everyone you talk to is sucked up in a corporation’s database.”

“But individual Americans know far too little about how their data is collected, how it’s used and how it’s shared,”  he continued. “It’s time for some sunshine on this shadowy network of information sharing.”

Twitter: @JF_Davis_
