The Mind Your Own Business Act of 2019 requires entities that collect and distribute personal information — any information linkable to a consumer or her device — to follow standards for consent about data sharing, data security, and reasonable and transparent privacy policies, as set by the Federal Trade Commission (FTC). It also requires the FTC to set up and run a one-stop platform, the “Do Not Track” website, for consumers to opt out of companies’ sharing of their personal data with third parties. These regulations would impact entities that gather personal information as part of their business model, with the exception of entities that use that information for journalism exclusively.
Within two years the FTC would set regulations to protect consumers from “unjustified exposure of personal information.” The regulations will require firms to adopt adequate cybersecurity and organizational measures to ensure the safety of the collected data, and will be enforced according to the Federal Trade Commission Act (15 U.S.C. 45). The act increases the amount fined by the FTC for violating such regulations from $10,000 to $50,000 per violation. After multiple violations, the FTC can charge a corporate entity either the sum of all of their $50,000 fines or 4% of the company’s annual revenue from the previous year.
Under this act, companies that either make one billion a year in revenues, have personal information from at least one million users (or one million connected devices), or use the personal information of 50 million people must provide a compliance report to the FTC annually. Companies will report on any compliance with or violation of FTC regulations. In the latter case they must also include the amount and type of consumer data impacted. Chief executive officers and chief privacy officers would be accountable for ensuring that the report is correct and delivered on time.
Signing off on a report that does not satisfy FTC requirements would be met with criminal penalties: a fine of up to one million dollars or 5% of their income in their most profitable of the preceding three years and up to 10 years in prison. If the FTC found that an incorrect statement in the report was known to be false by the signing executives, those executives could be fined up to five million dollars or 25% of their annual income (the highest income in the preceding three years), whichever is larger, and face up to 20 years in prison. Additionally, if an executive is convicted and fined for any act of fraud, the company would pay an additional tax.
The act also requires the FTC to create and run a centralized “Do Not Track” website, where users can opt out of companies’ data sharing with third parties. Companies would not be allowed to use listed users’ data other than for the primary purpose of data collection as communicated to consumers. For example, a consumer listed on the FTC “Do Not Track” website could disallow companies that collect personal information from sharing that data with third parties. Companies that do not respect the wishes of users listed on the “Do Not Track” site could be punished by the FTC in accordance with penalties for unfair and deceptive trade practices. Companies will be required to provide consumers who opted out a service that is identical to that of consumers who have opted in, for free or for a reasonable fee that is disclosed to consumers and that is not greater than the economic value of the data of the average consumer.
The FTC is also required to create an online system to receive and respond to consumer data privacy complaints. The bill establishes a Bureau of Technology, headed by a chief technologist with technical expertise, within the FTC. The FTC would also need to appoint more personnel in the Division of Privacy and Identity Protection and the Division of Enforcement of the Bureau of Consumer Protection.