Following a number of high-profile investigations into global personal data breaches and uses of personal data without proper legal basis, there is a growing realisation in the USA that new legislation is needed to define how to take back control to better protect and empower its citizens and consumers.
To this end, perhaps being galvanised and pressured by the impacts of implementing the EU’s GDPR, changes are being introduced to both State and Federal laws that could have a profound impact on some of the biggest companies in the world and specifically the executives who run them.
Mind Your Own Business Act
On 17th October 2019, a Bill introducing the aptly named “Mind Your Own Business Act 2019” was brought before the Federal Trade Commission (FTC) by Democratic Senator Ron Wyden. The Bill, which extends the Consumer Data Protection Act, was released for discussion on 1st November 2019 and aligns to the principles of the EU GDPR. Furthermore, it aims to amend the existing FTC Act in order to establish requirements and responsibilities to protect personal data, whilst setting rules to punish both corporations and their executives who fail to achieve, or falsify statements about, their compliance with it.
Its introduction also appears to have been heavily influenced by the FTC giving Facebook a $5Bn(i) slap-on-the-wrist for privacy violations which included Cambridge Analytica harvesting the data of some 87 million American users(ii) to facilitate political advertising tools.
The Bill attempts to introduce a single click ‘Do Not Track’ register for consumers to help reduce and prevent the number of companies that are monitoring and tracking online activities and subsequently selling or sharing that data for the purpose of targeted advertising. Whilst on one hand this would enable consumers to exercise greater control over their data, on the other hand, businesses would find it difficult to implement and monitor, raising significant challenges for the marketing and advertising world.
Whilst the Bill is aimed at being applicable to companies that hold personal data of more than 50 million consumers or over a million individuals if they make revenue of more than $1 billion, its impacts will become far-reaching.
The Bill empowers State Attorneys General to enforce the regulations on behalf of the FTC and to levy tax penalties, tied to executive salaries, on organisations when their Chief Executive Officers (CEO) falsify statements or fail to ensure appropriate privacy safeguards.
It is anticipated that the FTC will create minimum privacy and cybersecurity standards, and will have the authority to impose steep fines – as much as four percent of annual revenue (in line with the GDPR).
Where the Bill goes further than the GDPR is that CEOs and/or Chief Privacy Officers (or equivalent thereof) can face personal penalties (consequences) if found guilty of:
- Certifying or giving a false statement or testimony that does not comply with the requirements set forth: fined not more than the greater of $1M or five percent of the largest amount of annual compensation the individual received during the previous three-year period, imprisoned for up to ten years, or both, or
- Wilfully(iii) certifying a statement that does not comport with the requirements set forth: fined not more than $5M or twenty-five percent of the largest amount of annual compensation received during the previous three-year period, imprisoned for up to twenty years, or both.
As we saw in the EU following the introduction of the GDPR, regulated organisations are more likely to embrace the changes and will have a head start in meeting many of the requirements, such as data mapping, knowledge of the types and volumes of personal data held, and data retention periods (mandated under GDPR Article 30).
A challenge for organisations, which many in the EU are still dealing with, is how to put personal data that has surpassed the legal basis for processing beyond reasonable use, or to delete it from systems.
Should the Bill pass in its current form, it will enable the FTC to increase its workforce (an additional 175 people to bolster its current 50 employees) to monitor and police data security and privacy activities. As EU Regulators can testify, the GDPR has led to a significant increase in their workloads and activities that far outstripped their original estimates.
It will be a while before this Bill completes its journey onto the statute books and it will no doubt be subject to various amendments along the way. In the meantime, other legislation such as the California Consumer Privacy Act (CCPA) comes into effect on the 1st January 2020.
California’s Consumer Privacy Act
California has the strongest consumer protection of any state in the USA.
The CCPA has been developed to provide direction and requirements for cybersecurity and incorporates specific protection for information relating to minors (children).
The CCPA has a broad definition of personal information and includes making devices associated with individuals subject to its provisions. It contains a unique ‘Reach Back’ provision, where an organisation’s obligations will reach back for a period of up to 12 months prior to the Act coming into force.
The CCPA closes loopholes in previous legislation regarding notification to consumers if certain types of personal data are compromised. This follows Marriott’s announcement of the Starwood reservations data breach, where they did not notify some individuals because passport numbers were not included. The legislation expands the list of the types of personal data subject to notification to include passport details, biometric data, tax, medical (healthcare) or military numbers.
The CCPA also follows the GDPR in requiring organisations to maintain a list of the categories of personal data held. It goes on to require that, prior to using a category of personal data for additional purposes or making commercial gains, the business must provide notice and obtain explicit consent from consumers.
There are tighter rules governing the collection and sale of children’s private information. The age limit has been set at 16 – within the EU the age fluctuates between 13 and 16, but the principles are the same.
California’s State Attorney General cannot take enforcement action until six months after its publication; i.e. 1st July 2020.
NIST – Privacy Framework
It is anticipated that the National Institute of Standards and Technology (NIST) will publish the first version of their Privacy Framework(iv) by the end of 2019. It is designed to help organisations identify, assess, manage and communicate their privacy risks.
This Privacy Framework, which is a guide and not a check-box exercise, is built on a very similar model to the NIST Cyber Security Framework(v), which has been quite widely adopted and accepted over the last five years.
It emphasises the need for a collaborative approach, recognising that privacy is more than just cybersecurity, and that whilst good cybersecurity controls can help protect privacy, the risks extend beyond the traditional cybersecurity risk areas.
Data protection legislation around the world is changing rapidly, influenced by the EU’s GDPR. The USA is playing catch-up, and whilst the State of California has been leading the way, there is a realisation of a need for Federal laws to toughen their stance and to assist in bringing big corporates and their executives to order.
Most people will agree that we have experienced a technological revolution in recent years. However, ineffective or non-existent corporate governance and cybersecurity protections weaken – if not erode – our democracies and values and put citizens’ personal data at risk of misuse.
The finalisation and introduction of this legislation will go some way to addressing the shortfalls. Businesses will face a significant cost to implement the requirements and, given the growing power and influence of consumers, they may find there is little time left to start seriously implementing the changes.
The corporate and personal costs of not doing so as highlighted above could be substantial.
ii. eandt.theiet.org/content/articles/2018/04/zuckerberg-apologises-for-cambridge-analytica-scandal-in-written-testimony/
iii. Acts which are intentional, conscious, even malicious, and directed towards achieving a purpose.