Consumer Data Protection Act: Your Privacy Rights Explained

Affectionately dubbed the “Mind Your Own Business Act,” Oregon Senator Ron Wyden’s quest to regulate personal data management by tech companies is starting to come into form. Officially called the “Consumer Data Protection Act” (CDPA), this legislation strives to provide greater transparency to US consumers about what data has been collected about them, who their data is being shared with, and how accurate that data is.

In the wake of the Equifax, Target and Home Depot hacks of recent years, Senator Wyden also wants to see executives being held responsible for putting consumers at risk. Harsher penalties, he believes, will motivate senior leaders to take data privacy more seriously.

Current data privacy laws

In the past six years, the aforementioned companies have exposed the personal data of hundreds of millions of customers. This includes, but is not limited to, credit card numbers, Social Security numbers and driver’s license numbers.

As it stands today, the Federal Trade Commission (FTC) does not have the teeth it needs to adequately defend digital consumers and hold those responsible for data mismanagement accountable. Recently, two Fortune 100 companies were not fined by the FTC but instead paid minuscule amounts (relative to their annual revenue) in class-action lawsuits. While the CDPA may seem similar to better-known legislation such as the California Consumer Privacy Act (CCPA) or the EU’s General Data Protection Regulation (GDPR), Wyden seeks to take regulation a step further by also including criminal penalties for reckless executives and more transparency for consumers.

The policing power of the FTC simply hasn’t caught up to the digital age. They currently aren’t able to set minimum privacy and security standards for companies that share your personal data and are drastically understaffed for the task they have ahead of them.

Proposed laws and goals

Wyden’s draft of the law goes further than GDPR and CCPA and calls for a number of new protections for consumers, stricter penalties for companies that mislead the public, and increased power for the FTC to pursue criminal prosecution. Wyden also wants consumers to be able to see exactly who has their personal data from each site they visit and to subsequently correct any inaccuracies they find, a right the CCPA lacks. He wants to be involved in almost every step of the advertising process, including being able to police the advertising algorithms themselves.

A national “Do Not Track” system is also included in his plans for regulation. This would prevent third-party companies from displaying targeted ads to consumers based on personal information that has been collected about them, as well as the selling or sharing of that personal data.

Similar to the CCPA, the CDPA seems to use the GDPR as a framework for regulating data collection. However, one of the main differences in the new domestic legislation is that, in contrast to the GDPR, companies do not have to provide a reason for collecting data. CDPA also brings new ideas to the table as the first of these three to introduce the idea of criminal prosecution for offenders - measures that are needed to hold parties responsible and prevent further mismanagement.

As this drive for personal privacy moves forward, companies are currently attempting to monetize this desire by allowing users to purchase a premium add-on that would allow their personal data to remain untouched and stop advertisements. To ensure that privacy “does not become a luxury good,” Wyden plans to extend the FCC’s Lifeline Program to cover this cost for low-income users.

Why should it matter and what’s next

In our economy, if a consumer is unhappy with a product, the idea is that they should be able to switch to a competing version that offers something better. This way, companies are forced to either constantly innovate to meet the public’s demands or lose money. However, current prominent social media sites and applications have somewhat monopolized how we communicate with each other.

As the data from sites and the services we consume become more constant in our lives, it is vital to understand how we can unwittingly be influenced to buy or believe certain things once companies know so much about us. If left unchecked, scandals such as the Cambridge Analytica incident could become all too common, allowing small groups to effectively manipulate citizens on a nationwide scale. Litigation needs to catch up to technological progression – but will the CDPA live up to its potential and accomplish what GDPR couldn’t?

Alex Ritter is an analytics analyst at Avanade.