Mind your own business! CEOs who misuse data could end up in jail

CEOs who lie about misusing consumers’ data could face up to 20 years in jail under a new piece of US legislation proposed last week.

The Mind Your Own Business Act, authored by Senator Ron Wyden, would jail top executives for 20 years if their companies were found lying about misusing citizens’ information.

The legislation follows a draft version known as the Consumer Data Protection Act, released for consultation on 1 November 2018.

The bill requires companies to submit annual data protection reports confirming that they’ve complied with the regulations, and explaining any shortcomings. This applies to any companies holding data on more than 50m people, or over a million people if they make more than $1bn in revenue.

The CEO or chief privacy officer must personally certify that annual report. If they deliberately certify something that isn’t true, then the courts can fine them up to $5m, or a quarter of the largest payment they received from the company across the last three years. They can also face up to 20 years in prison.

Companies would have to describe to consumers what information they were collecting and what they were going to do with it. They would also have to provide a site that enables consumers to opt out of any personal data collection, either through a web form or an application programming interface (API) which would let them do this via a piece of software, like a mobile app.

These APIs would have to be standardised under the Act, presumably making it easier for developers to use them. That’s a measure that could make it easier in theory for developers to set up mass opt-out services targeting different platforms.

A company can make it a condition of their service that users don’t opt out of personal data collection, but it can only do this if it offers an alternative paid version that doesn’t monetise peoples’ data. That paid version can’t cost more than the company would have earned from the user’s personal data. Moreover, companies must offer privacy-friendly free versions of the service for low-income Americans under the proposed law.

Consumers would have the right to demand details of any data held about them, where the company got it, and what it is being used for.

Many measures in this bill correlate closely with the EU’s General Data Protection Regulation (GDPR), especially the requirement for companies to conduct regular data privacy assessments on high-risk information systems (containing sensitive information such as politics or sexual orientation). It singles out automatic decision-making systems which use AI to make decisions affecting consumers.

The bill, introduced on Thursday, would have to be referred to a committee as its next step. You can track its progress here.