The Consumer Data Protection Act (as outlined in the CDPA draft circulated in early November by Sen. Ron Wyden) might not send CEOs to jail, but it will certainly help protect Americans’ data.
The original version of this post was published in Forbes.
Most of the headlines last week, after Sen. Ron Wyden, D-Ore., issued a “discussion draft” of his proposed Consumer Data Protection Act (CDPA) of 2018, focused on the prospect of CEOs going to prison for 10 to 20 years if they fail to follow mandates for the use and protection of Americans’ data.
Don’t hold your breath.
Yes, that prospect is included in the CDPA draft. Wyden is serious about curbing, or at least controlling, the “giant vacuum” of corporations sucking up personal data and then “sharing” it with an unknown number of “partners”—all without any affirmative consent from their customers or demonstrated rigorous security measures.
He is obviously serious about wanting to hold executives accountable for poor security if they get breached and the result is theft or exposure of the personal information of their customers.
And he’s not alone. “Both Republicans and Democrats have been pushing for some kind of privacy law, and Wyden’s proposal would make big fines and prison sentences part of the discussion,” Ars Technica noted.
Discussion draft just a first step
But “discussion” doesn’t mean the draft survives intact. It usually means it gets modified. So don’t expect to see CEOs getting frog-marched to jail, or some of the other more punitive elements of Wyden’s draft—up to $500,000 in fines for executives and up to 4% of the annual revenue of a company—becoming law. There are at least two reasons.
First, the lobbying clout of big business is bipartisan. Which party controls Congress is not a major factor. As Engadget put it, “Turning it into law will likely present a major challenge. While consumer advocates and privacy-minded companies … have lent their support, companies with massive amounts of user data and equally big lobbying budgets are likely to push back against it.”
Second, a discussion draft is just that—an opening gambit, much like proposals that labor and management bring to the table to start contract negotiations. They want what they’re proposing, but they don’t expect to get it all. They want to give themselves some negotiating room.
Wyden’s office isn’t saying how much of the discussion draft the senator hopes will make it into the final draft. Wyden press spokesman Keith Chu said he “won’t have anything to add before we get back comments on the current draft.” The office is accepting comments at [email protected].
CDPA draft “a great effort”
Adam Schwartz, senior staff attorney at the Electronic Frontier Foundation, said a discussion draft is a typical way to get a sense of what is feasible. “He’s inviting comments from all stakeholders. He may respond to the discussion by filing a different bill,” he said.
But Schwartz doesn’t expect the proposal to be gutted. “I think there is a very realistic opportunity in 2019 to enact strong federal legislation that protects consumers from companies whose data harvesting practices have been harming people,” he said.
And Sammy Migues, principal scientist at Synopsys, called the CDPA draft “a great effort for the most part.”
“It goes far, but it leaves room to do things in steps,” he said, noting that it would “completely eradicate some business models” of companies that have long been providing “free” services because they make their money collecting and sharing data.
“We have to realize that this will be a 5- to 10-year journey for most companies,” he said.
What’s in the CDPA draft?
The press release from Wyden said the CDPA would “create radical transparency for consumers, give them new tools to control their information and back it up with tough rules with real teeth to punish companies that abuse Americans’ most private information.”
It would add 175 people to the staff of the Federal Trade Commission (FTC) and give the agency the authority to “be an effective cop on the beat.”
It would require companies with revenue of $1 billion per year, or that collect and store data on more than 50 million consumers or consumer devices, to submit “annual data protection reports” to the government detailing how they are complying with the CDPA.
It would also empower the FTC to:
- Establish minimum privacy and cyber security standards.
- Impose fines of up to 4% of annual revenue on the first offense for companies that violate the law, and 10- to 20-year prison sentences for senior executives who submit false statements to the FTC in their annual data protection reports.
- Create a national “Do Not Track” system that lets consumers stop third-party companies from tracking them on the web by sharing data, selling data, or targeting advertisements based on their personal information. To help companies make up that lost revenue, it would permit them to charge consumers who want to use their products and services but don’t want their information monetized.
- Give consumers a way to review what personal information a company has about them, learn with whom it has been shared or sold, and challenge inaccuracies in it.
- Require companies to assess the algorithms that process consumer data to examine their impact on accuracy, fairness, bias, discrimination, privacy, and security.
Most cyber experts applaud better privacy and security standards. Dan Lyon, principal consultant at Synopsys, notes that multiple private-sector standards already exist, for multiple industries.
“One example is for consumer technology,” he said. “CEB33 was published by the Consumer Technology Association. Others include IEC 62443 (for industrial control systems) and UL2900 (for medical devices). Pulling from an appropriate industry standard is a great way to start.”
But he acknowledges that the downside to mandatory standards is that “many organizations will then only do the bare minimum for compliance.”
Do consumers even care about privacy?
Once a final version of the bill is filed, what are its chances? Or, put another way, how much do consumers care about their data being “monetized”?
Apparently more than they used to, probably thanks in part to notorious breaches like those of credit bureau Equifax and Facebook’s Cambridge Analytica scandal. But perhaps not enough to give up what they’ve perceived as free.
“People don’t understand that they are paying for these services with their data,” Lyon said. “They are looking for something free and they wouldn’t choose to pay for it with money, but when the cost is hidden, making an informed choice is difficult.”
Migues said he thinks consumers care more than they used to, “but I don’t think they’re going to stop doing things that get their data captured and stored.”
“Also, there’ll be so many exceptions to the law requiring you to tell people you have their data that its impact will be minimized. Law enforcement will not tell you all the times they saw your license plate, the federal government will not tell you all the times you made a phone call, and so on,” he said.
But Schwartz said polling shows that people are upset enough about it that they will care how their senator or representative votes.
“What consumers expect is that they should be able to use this marvelous new technology—shop on websites, browse, and talk to their Facebook friends—without being preyed upon by companies,” he said.
This is a Security Bloggers Network syndicated blog from Software Integrity authored by Taylor Armerding. Read the original post at: https://www.synopsys.com/blogs/software-security/wyden-cdpa-draft-consumer-privacy/