Skip to content
Naked Security Naked Security

Should company bosses face jail for mishandling your privacy?

A proposed bill calls for executives to be jailed for not protecting consumers' data, or at least for lying about it.

Mark Z, how do you feel about orange? Like, say, in a jumpsuit style?
Kidding! No court has found that you, the Facebook CEO, has purposefully misled the government about how your company did/did not protect consumers’ data during, say, the multifaceted, ever-unfolding, Cambridge Analytica privacy debacle.
Senator Ron Wyden’s on the case, though, and has now put on the table a bill that would throw execs into jail for up to 20 years if they play loosey-goosey with consumer privacy.
Under his proposed bill, introduced on Thursday and called the Consumer Data Protection Act, execs who knowingly mislead the Federal Trade Commission (FTC) about how their companies protect consumer data could face up to 20 years in prison and $5 million fines.
He’s proposing sunshine. He’s proposing “radical transparency.” He’s proposing legislation with “real teeth” when it comes to punishing companies that vacuum up our data without telling us “how it’s collected, how it’s used and how it’s shared,” Wyden said in a statement.
This is a way to arm consumers against the massive data monetization industry that’s flourished over the past decade, dragging privacy scandals along with it, Wyden said:

Today’s economy is a giant vacuum for your personal information – Everything you read, everywhere you go, everything you buy and everyone you talk to is sucked up in a corporation’s database. But individual Americans know far too little about how their data is collected, how it’s used and how it’s shared.

Besides fines and jail time, Wyden’s proposal would also dramatically beef up resources to go after data miscreants. The cops in this case would be the FTC: to give the Commission the muscle it would need, the senator is proposing jacking up its authority, funding and staffing to crack down on privacy violations. The bill would also mandate easy opt-out for consumers to shrug off hidden tracking of their sensitive personal data.
This is what the bill would enable the FTC to do:

  1. Establish minimum privacy and cybersecurity standards.
  2. Issue steep fines (up to 4% of annual revenue), on the first offense for companies and 10-20 year criminal penalties for senior executives.
  3. Create a national Do Not Track system that lets consumers stop third-party companies from tracking them on the web by sharing data, selling data, or targeting advertisements based on their personal information. It permits companies to charge consumers who want to use their products and services, but don’t want their information monetized.
  4. Give consumers a way to review what personal information a company has about them, learn with whom it has been shared or sold, and to challenge inaccuracies in it.
  5. Hire 175 more staff to police the largely unregulated market for private data.
  6. Require companies to assess the algorithms that process consumer data to examine their impact on accuracy, fairness, bias, discrimination, privacy, and security.


Senator Wyden got a thumbs-up from the Consumers Union, search engine DuckDuckGo, and four former FTC chief technologists. This would be awesome for us, said CEO Gabriel Weinberg of DuckDuckGo, the privacy-oriented browser that eschews profiteering off our data:

Senator Wyden’s proposed consumer privacy bill creates needed privacy protections for consumers, mandating easy opt-outs from hidden tracking. By forcing companies that sell and monetize user data to be more transparent about their data practices, the bill will also empower consumers to make better-informed privacy decisions online, enabling companies like ours to compete on a more level playing field.

The bill proposes that companies with annual revenues in excess of $1 billion, or those whose warehouses contain data on more than 50 million consumers or their devices, submit “annual data protection reports” to the government that detail all the steps they’ve taken to protect the security and privacy of consumers’ personal information.

Execs who sign off on reports that are less than truthful could be looking at the stiff fines, the jail time, or both.
The Do Not Track list would bar companies from sharing with third parties the data of those who sign up, or from using their data to target ads to them. The bill addresses the “Well, how do we make money, then?” aspect of the pay-or-get-marketed-at dilemma of paying for websites by giving companies permission to charge customers on the list a fee to use their products and services.
But even those consumers who don’t sign on to the Do Not Track list would be granted the ability to review information collected about them, see who it’s been shared with or sold to, and challenge any inaccuracies.
What are the bill’s chances of passing?
“Activists and consumer groups claim the industry’s more interested in undermining tougher privacy rules with their own, weaker proposals – than actually crafting meaningful ones”, says Motherboard.

For example, Facebook, Google, and Verizon collectively lobbied the GOP to kill modest but meaningful FCC privacy rules last year. They also worked in unison to scuttle scuttle state-level privacy rules in California, falsely claiming that such efforts would only “embolden extremists,” harm children, and somehow increase internet popups, according to an analysis by the Electronic Frontier Foundation.


Why not? If they repeatedly ignore basic security measures… When you see the trouble some people got into after mess-ups such as Equifax …


How would a national Do Not Track list technically work? It can’t set a cookie that everyone could read (not currently allowed). If we enter an email address, then sites would have to ask for our email address before deciding if they could track us or not. IP addresses aren’t unique to individuals and can change. There’s an existing DNT HTTP header, and the law really ought to enforce that rather than create a national list.


The wording is “Create a national Do Not Track system” which I believe would be refering to the standards followed when the header is present, and requirements for how it is treated (since many companies simply ignore it)


Also curious about the “Do Not Track” list–it’s a list that can (and eventually will) be stolen. Its sale on the dark web will be a textbook case of irony; good intentions gone wrong.
However I really appreciate where the bulk of this legislation comes from, and–though I’ve not read the bill–for the most part it sounds significantly better than others we’ve read about here.


Just what we need more criminal laws… yea, that will work. And a more power FTC and a DNT national list to be hacked… I guess when all you have is a hammer….


Just a thought…. What about protecting non-USA citizens from US Corps massive data harvesting (fully disclosed or not). Most countries have severe Anti-Espionage laws. Consumers should consider obtaining a human rights lawyer and test charging company CxO’s in court on espionage. In Canada, this is still on the books as a hangable offence.


Right…let’s add our name, email addresses, and whatever else will be needed to another list that will, at some point, also be hacked. Sorry, my info is out there because FB and its lying leader say they have no Shadow People. I have never had accounts with any social site, including FB, yet they collect my info and sell it without my permission or my knowledge. Do not get me started on the credit reporting agencies and the info they have let out…again, without our permission or knowledge. Too much power in too few hands and we pay by having our privacy invaded.


There are brokers that have people’s information. Such as court documents that have been Expunged by a District Judge. They show this Information all over the Internet, with a fee of course. This is a violation of the person(s) Civil Rights. When we contact them to remove this Information they say that the Courts did not remove all the Information? Yea right! Then are bosses see this, and whisper comments about us. They know our record is clear with the courts, but not with Brokers that purchased our Information. This is like I am on trial. We have too hire a company to take this Information off. Quite expensive.


I agree, they get paid enough & as the saying goes “the buck stops here, at the top”. They would soon sack or prosecute an employee for data breaches so they should face tougher penalties because of their position!


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!