Senator Wyden Releases Draft Of Privacy Rules That Silicon Valley Probably Won't Like Very Much

from the but-will-it-help? dept

As I've pointed out repeatedly, we're really really bad at regulating "privacy" in large part because most people don't understand privacy -- and it means different things to different people. And, so far, most attempts at regulating privacy have created massive negative consequences, while doing very little to actually protect privacy. The ones most making the news are the GDPR in the EU (though reaching well outside of the EU), which is a total mess and California's unmitigated disaster of a privacy bill that was passed in an insane rush to stop an even worse privacy law from being on the ballot. And, of course, all of this comes against the backdrop of various companies doing a horrifically bad job of protecting the public's private information.

Given all of that, it is inevitable that Congress will, at some point, attempt to pass some sort of privacy bill. And, it seems likely that it will be a disaster. In the last year or so, Senator Ron Wyden, who historically has been seen (unfairly and inaccurately) as an "ally" of Silicon Valley companies is now the first to throw his hat into the ring, releasing a discussion draft of the bill (you can also see a one pager about the bill and a section by section breakdown -- all also embedded below).

Above, I mentioned that it's been unfair to argue that Wyden was a booster of Silicon Valley companies. If you look at his history, he has always been focused mainly on being an ally of the users of the internet. Many times, those two things align, but when they do not, Wyden has repeatedly taken the side of the users, not the companies. And that is the case here, for the most part. Over the last year, Wyden has been on a bit of a rampage in basically telling the companies that they've had decades to do the right thing in regards to protecting their own users, and they have failed to do so.

Reading the new bill in that context puts things into perspective. The key parts of the bill, as described in the one-pager are as follows:

1. Establish minimum privacy and cybersecurity standards.
2. Issue steep fines (up to 4% of annual revenue), on the first offense for companies and 10-20 year criminal penalties for senior executives.
3. Create a national Do Not Track system that lets consumers stop third-party companies from tracking them on the web by sharing data, selling data, or targeting advertisements based on their personal information. It permits companies to charge consumers who want to use their products and services, but don’t want their information monetized.
4. Give consumers a way to review what personal information a company has about them, learn with whom it has been shared or sold, and to challenge inaccuracies in it.
5. Hire 175 more staff to police the largely unregulated market for private data.
6. Require companies to assess the algorithms that process consumer data to examine their impact on accuracy, fairness, bias, discrimination, privacy, and security.

A lot of the bill is really in giving the FTC more resources and power to go after companies for failing to protect the privacy of users. And, I think putting some level of pressure on companies to take these issues more seriously could really help.

I think there's a lot in the bill that is carefully thought out and worthwhile, but I still have a number of significant concerns. The headlines around this bill have focused on the fact that it includes potential jail time of 10 to 20 years for senior execs who sign off on annual "data protection reports" to the FTC, in which those reports "knowingly" misrepresent information (it also includes GDPR-esque fines of 4% of gross revenue, even for first time offenders). I do think there's value in creating real punishment for company execs that knowingly misrepresent information concerning the privacy of their users, but I do worry how much this might impact the willingness of good people -- especially potential chief privacy and chief information security officers -- to agree to take these jobs with large companies. While the "knowingly" part of the requirement is important, I can envision quite intense legal battles over the level of knowledge such execs had in signing off on these documents. Yes, this would get them to take those issues seriously and go over such documents carefully. But, I do worry that this could scare off many good people from taking these jobs.

Similarly, the fact that these massive fines apply to the very first offense could be seen as problematic as well. It's great to say that even one mistake is one too many, but is that realistic? It is not easy to seal off every possible vector of attack. There are always new attacks. And, as it stands right now, there are only a few companies who have the resources and ability to really harden their systems to this level -- and this bill could lock in those providers and leave out the ability of smaller companies to challenge them in the market (there is a limited safe harbor for smaller companies, but as soon as a company reaches a reasonable size, the rules apply to them).

I also do wonder about the "minimum privacy and cybersecurity standards" that the FTC will be authorized to detail. Again, on its face, this sounds like an okay idea, but there are a lot of devils in those details. Too often "standards" like this, if not properly constructed, could limit potential innovations or business models that wouldn't actually negatively impact people's privacy, but won't be allowed out of a fear for violating these standards.

While I am supportive of bringing back the concept of a Do Not Track system, I find the requirement for companies to "offer a paid version of their product or service, for which they can charge no more than they would have made by sharing the user's data" potentially a complete mess (the bill has a lot of conditions on this that might limit the problems, but it's not clear why this is necessary in the bill). Again, that's something that sounds nice in theory, but would require a pretty big shift for many companies -- which would mean a lot of new costs that it's unclear they can even attempt to recoup. It also has the potential of cutting off a number of new business models, as there are potential businesses where such a setup wouldn't even make any sense. Again, conceptually, this idea could make sense for companies, but requiring it could have significant consequences.

A final major concern: it does not appear that this bill would pre-empt state efforts, like California's giant mess of a privacy bill (and any other attempts by other states). That also seems like something any federal bill should include to avoid a patchwork of impossible to follow laws in every single state.

That's not to say there aren't parts of the bill that are worthwhile -- and the intent behind it is well meaning. Companies do need to clean up their act and recognize what a mess they've caused. I do like the idea of standardizing APIs to allow users to use other apps to access and process the information and data that companies hold on them. That could be tremendously useful in moving to a world where individuals can take back more control over their data. I also appreciate the specific point that the rules do not apply to media organizations, as we've already been dealing with the fallout from the GDPR where people are claiming the data protection rules there can prevent media organizations from even reporting on certain people.

But, in the end, I'd prefer that be done more by the companies themselves in recognizing that they're better off pushing control of the data out to the end users, rather than feeling the need to hoard it all themselves. I recognize that Wyden's view on this is basically "they had their chance, and they failed" and perhaps that's true. But I still worry about the unintended consequences from locking in some of these ideas.

At this point, the bill is still a "discussion draft" and it's not at all clear if it has any chance of moving forward. Hopefully, if it does, there can be significant changes made to the bill so that it is still designed to punish truly bad behavior (and incentive good behavior), but without making it difficult to impossible for good people to hold key positions, and without cutting off potentially useful innovations for end users. At this point, I'm not sure this bill does so, even if it's well-intentioned.

Filed Under: apis, cdpa, consumer data protection act, cybersecurity, data protection, ftc, privacy, ron wyden, transparency