
Prison time, hefty fines for data privacy violations: draft U.S. Senate bill - octosphere
https://www.reuters.com/article/us-usa-internet-privacy/prison-time-hefty-fines-for-data-privacy-violations-draft-u-s-senate-bill-idUSKCN1N65U2?
======
codegeek
I read this and immediately thought "oh shit, yet another regulation for a
small bootstrapped software business where we try to be honest while the big
guys will still find a way to circumvent it". Thankfully, I looked into the
fine print and was wrong. This bill is only for Corporations that do over
$50,000,000 in revenues or higher OR (EDITED from AND) have info on at least
1,000,000 or more customers. Of course, I don't mean to imply that smaller
tech. companies are all saints but this bill clearly seems to be drafted for
the bigger fishes who are powerful enough to blatantly ignore privacy laws.

EDIT: I clarified one thing user downandout pointed out, that it could apply to App
developers who may have a million users as well, but overall, it should not
affect bootstrappers or smaller tech. businesses that don't have that high
amount of consumer data, so my overall point still remains.

Below is the link to the details on this bill:

[https://www.wyden.senate.gov/news/press-releases/wyden-relea...](https://www.wyden.senate.gov/news/press-releases/wyden-releases-discussion-draft-of-legislation-to-provide-real-protections-for-americans-privacy)

~~~
downandout
You read that wrong. In order to NOT be a "covered entity," you must meet ALL
of the following criteria:

1) Revenue of less than $50 million; AND 2) Must not have info on 1 million or
more people; AND 3) cannot be a data broker

That means an independent app developer who gets more than 1 million installs,
or a website with more than 1 million users, IS a covered entity, _regardless
of revenue_. Also, ANY "data broker," _regardless of size_, is covered.

This info is on page 4 and 5.

Edit: How is a _factual_ comment getting downvotes? OP read it wrong, and I
told him so. There's nothing in this comment to disagree with. There are only
facts.

~~~
goldfeld
Phew! That would be a net positive for the world, long term, to bear less of a
greasy footprint from American startup antics.

~~~
downandout
No, it would kill all American software/web startups by limiting them to
999,999 users, unless they have millions of dollars in VC funding that they
can use to comply with this law. It would strangle the startup community, as
most startups (even those with 1M+ users) can never hope to have the resources
to comply. You have to remember that the reason that startups get _any_
funding is because investors hope that they will be highly successful. If
there is a guarantee of a huge compliance bill once the company reaches 1M
users, far fewer companies will be funded. Getting 999K users, while a
milestone, isn't necessarily enough to raise the money necessary to comply
with this law.

~~~
tptacek
What requirements of this law do you believe would be impracticable to comply
with without millions of VC funding?

~~~
throwawayou812
I'm not GP, but it looks like the more burdensome things are on pages 26-33,
and they are too lengthy to post here. I can see compliance costing
significant sums that would be out of reach to a typical startup.

~~~
tptacek
Could you be specific about _any_ of the "burdensome" requirements? You don't
need to post all of them; I've read the same draft you have.

~~~
kevinpet
The question is not "is there anything that would clearly be burdensome?", but
"am I confident enough that I am complying with these items, as retroactively
interpreted by regulators?"

You need to pay a lawyer to evaluate that for you; that's the cost, not
whoever the bill's sponsor says this is intended to target.

~~~
tptacek
Can you cite an example of one of these requirements that you wouldn't be
confident in being able to comply with? Also: how much do you think a legal
consult costs? For any one item, I think we're talking a couple hundred bucks.

Almost all of the language in the section we're referring to applies to just
one requirement, which is to make data tech companies retain about consumers
available upon request to those consumers. That's something responsible
companies already do, many because they're already by regulation required to
do so.

~~~
throwawayou812
Most competent lawyers cost $400+/hr. For them to review your internal
compliance policies and procedures (including your opt-in/out procedures.
etc), privacy policy, etc. you could easily be looking at a few hundred hours.
That doesn't include the external auditors that the bill wants you to have.

As you said in one of your comments, fortunately this bill as written will
never come into law, both due to its implications, and the fact that its
author is a single member of a minority party. This is one instance in which I
am happy with our system of government.

~~~
tptacek
This proposal doesn't require companies to do formal internal compliance
reviews. It's not SOX or GLBA. For most startups, the legal overhead here
would probably amount to a few phone calls with a lawyer.

My read is that it's less onerous than the California privacy statute that
already covers a huge fraction of tech startups.

We do both security and privacy engineering work for our clients, most of whom
are encumbered in one way or another by regs, and it is _not_ the norm for
legal to do line-item review of policies and procedures. SOC2 Type 1 audits
are much closer to a mainstream practice, would almost certainly satisfy the
"data protection" requirements in any rule the FTC would come up with, and
certainly do not involve "a few hundred hours" of legal.

~~~
throwawayou812
That's just not accurate. You should read pages 26-33 in detail. It wants
external auditors to come in, and while consultation with a lawyer isn't
_required_, companies would offensively have to use them to review everything
they do, lest they be found non-compliant. That could easily range into
hundreds of hours of legal work.

~~~
tptacek
I believe I'm one of the "auditors or independent technical experts" this bill
refers to (trust me, we don't need Wyden's help getting work), and for the
most part the only time we talk to client legal is when we're negotiating our
contract. Note also the "if reasonably possible" attached to getting external
assessment.

~~~
throwawayou812
You're referring to that specific provision, but again you aren't considering
the fact that any business interested in complying will have to have an
attorney review the law, and then review all aspects of their business,
software implementation, and policies/procedures in order to ensure they are
compliant. That's not a requirement of the law, but how else can they ensure
that they are compliant?

~~~
tptacek
At this point, we've scaled back the argument from "this bill would kill
startups" to "_any_ bill would kill startups".

That's a coherent position, but not one we can reasonably hope to debate about
between each other.

~~~
throwawayou812
Not _any_ bill, just bills with breathtaking fines and possible imprisonment.

~~~
tptacek
This is a frustrating thread.

It starts with the claim that this law could put Flappy Bird on the hook for
decades of prison time. I rebut, and you say (paraphrased) "no, read the law,
anyone with 1MM users could be sent to prison for failure to comply". This is
obviously not true.

Then the claim becomes that pp26-33 of the statute has so many burdensome
requirements that it would be impracticable for many startups to comply. I ask
for specifics; none emerge. Instead, a new claim appears: every startup would
be on the hook for "a couple hundred hours" of legal to verify their
compliance.

But the proposal as stated doesn't require formal compliance reviews, making
it hard to support an argument that this proposal would somehow cost more than
many other regulations that _do_ have that requirement, and for which my firm
has done significant engineering and compliance work without spending a
hundred hours talking to legal.

But, no, it turns out that's not the argument. The real argument is that the
proposal requires auditors, for which legal will have to be deployed
prophylactically. Now, the proposal does not in fact have an auditor
requirement, but also, the clause that discusses auditors goes out of its way
to make it clear that the types of third parties they're referring to are
technical experts, which startups already use.

So the argument changes again. Now the argument is that regardless of the
specific construction in the proposal (again, these specifics were all brought
to the discussion by you!), it would be prohibitively expensive for startups
because a lawyer would have to take time to verify the meaning of the law for
the startup.

I point out that this is an argument that applies equally to pretty much any
privacy or security law, and you respond that this one is a special case
because of the prison time and fines (the "breathtaking" fines are part of the
same clauses as the prison liability) --- thus resurrecting the original false
claim.

This doesn't read to me like a good-faith argument.

It's of course fine to make the argument that _any_ new regulation would
impede startups and would therefore not be worth the trouble (there are other
arguments against this proposal you could just as easily make; for instance,
that the field isn't mature enough for us to have the FTC use rulemaking
authority to establish cybersecurity requirements for startups).

But if those are the kinds of arguments you're making, make them. Don't move
the goalposts.

~~~
throwawayou812
_It starts with the claim that this law could put Flappy Bird on the hook for
decades of prison time. I rebut, and you say (paraphrased) "no, read the law,
anyone with 1MM users could be sent to prison for failure to comply". This is
obviously not true._

Actually, with specific regard to Flappy Bird, it is true because it had more
than 100 million installs, far surpassing the 50 million requirement to expose
him to _criminal_ as well as civil penalties. So, in contrast to your
statement, it actually is true.

_Now, the proposal does not in fact have an auditor requirement, but also,
the clause that discusses auditors goes out of its way to make it clear that
the types of third parties they're referring to are technical experts, which
startups already use._

I'm not sure what you mean here. There is an auditor requirement "where
reasonable," and presumably "reasonable" would be entirely up to a court's
discretion. Also, "technical experts" in the context of this law, wouldn't
necessarily be the developer of the site, but rather technical experts who are
trained in complying with this law. Likely, that means someone brought in by a
law firm or professional auditing outfit, at enormous expense.

~~~
tptacek
No, you're _still not correct_, because the problem with your claim isn't
simply that you have to be a larger company to face prison time, but that
there's only one offense in the bill that includes that thread: knowingly
certifying fraudulent data protection reports. I'm like the 4th person on this
(broader) thread to point that out, and this is at least the 3rd time I've
pointed it out to you.

By the way, did Flappy Bird even collect NPI? Or is this an even sillier
example?

~~~
throwawayou812
_there's only one offense in the bill that includes that thread: knowingly
certifying fraudulent data protection reports._

That's what it says, but one would have to believe that failing to file such
reports would also be a criminal violation in any final draft of the bill.
Otherwise what would be the point of the bill? Does it make sense to you that
they would have a bill like this, and provide a simple way to avoid it: just
don't file? That appears to be an oversight by the author, but one would
undoubtedly be fixed.

 _By the way, did Flappy Bird even collect NPI?_

Since this bill uses a vague and legally untested definition of "personal
information," simply maintaining weblogs containing IP addresses could trigger
this.

~~~
tptacek
You've now moved the goalposts past the present text of the proposal and into
_hypothetical future versions of it_.

~~~
throwawayou812
That's not "moving goalposts" as you put it. Are you saying that you believe
that they would allow such an enormous loophole in such a bill?

~~~
djur
It is often the case under US law that failing to file paperwork is treated as
a much less serious act than filing fraudulent paperwork. If you fail to file
a tax return, you're nearly always assessed a penalty (it's a misdemeanor). If
you file a fraudulent tax return, you can easily go to prison for a long time
(it's a felony).

------
tptacek
This is an extremely frustrating headline. The draft bill we're discussing
does not appear to establish "prison time" for "data privacy violations".

The bill "covers" any entity with over 1MM users (Flappy Bird) or $50MM in
revenue over 3 years (most mid-sized startups). It creates a compliance
regime, violations of which can be pursued by the FTC under its "Unfair Trade
Practices" authority.

A subset of Covered Entities (those with over 50MM users [very few startups]
or $1B in revenue [virtually no startups]) are further obligated by this
proposal to file annual Data Protection Reports. If the CEO, CISO, or Chief
Privacy Officer of one of those entities deliberately certifies such a report
knowing it to be false, _those specific people_ are liable for imprisonment.

Actual failure to comply with data protection and privacy requirements are not
enough to get you charged criminally in this proposal. The violation that can
actually get you imprisoned in this proposal would constitute a deliberate
attempt to defraud the government. You have to be a relatively big company,
fail to comply with the requirements of this draft, _and then lie about it to
the FTC_ to end up in prison.

_(For what it's worth: I don't think this bill is going anywhere; it's a
discussion draft by a single member of the minority party.)_

~~~
conradev
> (For what it's worth: I don't think this bill is going anywhere; it's a
> discussion draft by a single member of the minority party.)

Ron Wyden is indeed a single member of the minority party, but he is
establishing himself as one of the leading voices on these issues. Christopher
Soghoian probably played a big role in drafting this bill as his Senior
Advisor for Privacy and Cybersecurity.

~~~
tptacek
When the bill gets a Republican co-sponsor, it'll be time to take it seriously
as "news".

~~~
fjsolwmv
Or when the Senate gets a Democrat majority

------
badrabbit
I've said it before, when it comes to mass surveillance, intentionally
malicious backdoors and general societal loss of privacy, the solution should
be primarily legislative not technical.

Good example: every store with a camera uses ML to identify customers and
passersby and shares this info with 3rd parties. Should we talk about how to
best facial and gait ML analysis or is the answer simply criminally outlawing
this practice?

Why can't I file a restraining order against big tech that states "if you
identify activity and you correlate it with my identity, immediately erase it
and take steps to avert similar activity data collection": because I feel
bigtech's abuse of this data poses a danger to my liberties and free
exercise of my civil rights.

Modern privacy laws are overdue as it is and they need to be criminal, not
civil.

Another one: ISPs would think twice about selling your celltower correlated
location data and web/dns activity to 3rd parties if this meant jail time to
the CEO. If this practice is outlawed with only fines and regulations as the
penalty, the only person that can sue them is a well resourced attorney general
or a very very wealthy person that can afford a multi year legal battle.
Unfortunately, even when bigcorps break CFAA the FBI won't even listen to
civilian complaints.

~~~
fjsolwmv
It can't be criminal because corporations can't go to jail. The only
punishment you can apply to corporation is to take a little bit of its money,
but not so much that it declares bankruptcy and gives all its assets to a new
corporation formed by the same owners, who are protected from the Limited
Liability structure from having to pay their debts.

~~~
badrabbit
That's what CEOs are for. All corporations have a structure where one person
or a group of persons are accountable for decisions. For example, look at
financial crimes (think Enron), executives are sent to jail all the time.

------
paulsutter
Would these rules also apply to NSA/CIA misuse of surveillance?

~~~
gingerbread-man
There have been a handful of prosecutions (and many hundreds of firings) for
misuse of the FBI's NCIC database by law enforcement officials. For instance,
ex-NYPD Sergeant Joseph Dwyer was convicted of conspiracy in federal court in
2016 for selling information from NCIC to private defense investigators.

Personally, I believe this kind of breach-of-trust should be prosecuted much
more vigorously. But besides the fear of embarrassment, I suspect federal
agencies are unwilling to compromise intelligence methods to prosecute
misbehavior.

~~~
jjoonathan
Of course, but it shouldn't be up to them.

------
paulcnichols
The biggest unintended consequence I see is that more tech businesses will
have to charge for their service rather than make money in opaque ways.

~~~
oliwarner
That's not a bad thing.

The big tech companies are edging towards complete monopolies in their spaces
and a significant part of this is that they know everything and they're
allowed to leverage that data. Why would you go to anybody else to advertise?
Unbundling this, making advertising harder again will spread out the budget,
probably push more towards publishers rather than networks. Again, not a bad
thing.

It also means that new players get to compete. It's been very tough to compete
with similar services on price when the incumbents can operate at zero "cost".

Not having your data traded under the table is just gravy.

~~~
jimmaswell
I think it would be a pretty horrible thing if all these once free internet
services suddenly cost money. Nobody seems to be thinking about the
significant amount of people who wouldn't be able to afford monthly
subscriptions to Facebook, Twitter, Reddit, etc. even if it did all add up to
"only" $15/month. Poor people should not be priced out of the online spaces
where modern discourse happens. Single mothers should not be priced out of
getting to post baby pictures on Facebook. I think it's indicative of living
in bubbles that nobody else seems to be giving this consideration any weight.

~~~
zoul
Currently the price we all collectively pay for these “free” services is a
decrease in the sanity of public discourse. Is that really a better option?

~~~
twblalock
How would subscription fees improve the discourse on social media sites?

~~~
zoul
Currently, social media users are the goods being sold, so the companies
running the networks don’t have much interest in offering tools and algorithms
for high quality discussion. With paying customers the situation would be very
different. (Not that it’s going to happen – I’m just saying that we already
pay a hefty price for the “free” services.)

~~~
scarejunba
If I had to test that hypothesis I would consider the comments section on the
NYT (a website that requires a subscription to access more than 10 articles a
month). Just checking the comments section there shows that people are just as
vitriolic there _even_ if they've posted on more than 10 articles that month.

I'm comfortable saying that paid networks won't in-and-of-themselves improve
conversation.

~~~
soundwave106
What this bill might help (or at least give law enforcement additional tools
to prosecute with) is preventing situations like the Cambridge Analytica
situation, where corporations with nefarious motives gather user profile
information from social media in questionable ways, and use these tools to try
to manipulate in areas outside of mere marketing.

In other words, while I'm not sure if this will improve discourse, at least it
mitigates a little bit of the questionable social media meddling that we've
seen of late.

I kind of see jimmaswell's point that there is a risk of creating a "tiered
Internet". But I'm not sure it's completely an either/or situation. It sounds
like that the bill _also_ emphasizes more transparency on what is being done
with the data and who it is sold to. As long as personal data is not shared
haphazardly and in a leaky fashion, consumers might be just fine with the
bargain they get.

Things like shopper loyalty programs already offer this sort of bargain: in
exchange for allowing companies access to more granular shopper information,
the shopper gets access to greater discounts. Loyalty programs currently _are_
subject to various consumer protection rules. In contrast, the bargain social
media has struck with users (free service in exchange for marketing data) is
not well protected.

Personally, I'm fine with a little more transparency and disclosure in this
fashion. I don't think this necessarily means the end of free social media per
se. (I will say though that this is a sign, one of many, that the days of
social media "moving fast and breaking things" is over.)

------
mevile
I'm fine with fines, but I hope prison time is restricted to intentional and
malicious illicit behavior and not anything due to neglect or oversight. I'm
not a fan of people being put in cages unless they're violent or have ruined
people's lives intentionally.

~~~
thrmsforbfast
It is. Read Sec 5.(d).

It's not like people will be thrown in prison because their DB wasn't patched
quickly enough. They have to knowingly and intentionally lie to the federal
government in an annual report.

~~~
rhizome
_They have to knowingly and intentionally lie to the federal government in an
annual report_

So it's a nonstarter, since the people being prosecuted for these things will
have lawyers adept at whittling down intent to only the most brazen and
malicious behavior. Not only that, but Sarbanes-Oxley showed us how effective
"annual report" red lines are.

~~~
thrmsforbfast
Perhaps. But that's not a compelling argument against this bill. Perfect enemy
of better and all that.

~~~
rhizome
I agree that the nirvana fallacy is implicated, but there were zero
convictions under SarbOx, zero prosecutions even.

------
afpx
"Wyden would also create a national “Do Not Track” system to stop companies
from tracking internet users by sharing or selling data and targeting
advertisements based on their personal information."

Why not just reform EULAs so that people have more power over what they're
often blindly agreeing to? If people could easily see the details and to what
they're agreeing to and have more power over certain clauses, I think market
forces would take the industry into a different direction, and there'd be more
transparency. I don't always believe a market-solution is optimal, but in this
case, it seems right.

------
tehlike
This would probably mean more compensation at executive level for the
increased risks!

~~~
thrmsforbfast
Companies will have a Chief Privacy Officer whose job is basically to provide
oversight and, of course, absorb the risk. That person will probably be paid
well.

I'm actually OK with that. We're always complaining that companies don't take
security/privacy seriously because there's no incentive to do so. See e.g. the
Equifax HN threads. Having a person in the C suite who'll end up in jail if
the company seriously fucks up is, IMO, a net positive for the world.

~~~
weberc2
I just hope it’s crafted such that it won’t inhibit small businesses or
hobbyists.

~~~
tehlike
That's exactly my hope. Only large companies benefit from such laws
(including, potentially GDPR), other smaller ones get slowed down. With gdpr,
many newspaper outlets stopped access from outside of the US.

------
JacobJans
PDF Full Text : [https://www.wyden.senate.gov/download/11012018-wyden-privacy...](https://www.wyden.senate.gov/download/11012018-wyden-privacy-bill-discussion-draft&download=1)

------
phkahler
I find the notion of a do-not-track registry disturbing. It would actually
become an identifier for you that could be used to link all the disjointed
information collected under that identity. Kind of the opposite of what it's
intended to do.

------
kevinpet
The problematic aspect of regulation is that you don't just need to comply,
you need to _convince the regulators_ that you've complied. A better approach
is to create liability for certain specific failures if the company didn't
follow reasonable best practices, which means you might get sued, but in that
case it would be on the plaintiff to show that you didn't follow best
practices, rather than the regulatory approach which makes it a burden on the
company to prove to regulators (who have no incentive to keep costs of
compliance down, or even limit themselves to cases where customers are in some
sense harmed).

------
sbhn
So Facebook, google, Microsoft, et al, will continue to sell my attention, and
now pass the insurance bill onto me. Lol. I know, it’s for my security.

~~~
Jaepa
As you mentioned Facebook, Google, & in large part Microsoft sell your
attention. How do you propose that they are going to pass the insurance tab
onto you?

~~~
sbhn
Internet tax

~~~
Jaepa
Sooo to be clear... Your theory is:

1. Large companies buy insurance for data privacy violations

2. They then lobby to repeal H.R. 3086 (Permanent Internet Tax Freedom Act)

3. They then lobby for another bill for taxation on internet use.

4. Then they lobby for what would be equivalent to a hand out in order to
recoup losses.

~~~
sbhn
I don’t think it would be that hard. Lots of pieces of pie for all involved.
It may just happen, wait and see.

------
afpx
On one hand, I think this is a good thing. That is, I certainly would like to
have more control over who uses my own data.

But, on the other hand, the scope of this bill has some risk of bringing about
a technology winter. Most people outside of tech don't realize how much of the
software they use has been indirectly subsidized by the ad and data brokering
industries.

~~~
ianmcgowan
Isn't that kind of the point? I'm not anti-google/facebook in the least, and
like to think that I'm knowingly trading some privacy in return for ad-
supported services that have value to me. But it's tough to think of any
compelling arguments for why companies making billions shouldn't be required
to a) provide some minimal level of care over the data they collect, and b)
disclose what they're doing with all that data. How will that bring about a
tech winter?

~~~
afpx
What I mean is that it's become a major part of the US's economy. Globally,
this industry probably generates 100s of billions of dollars, and those
companies mostly spend their revenue on more software, more hardware, more
research, more computer scientists, more computer engineers, etc. Indirectly,
probably almost all of us here are partially paid from the ad-network-value-
chain. And, what about all of the open source products that have been funded
by these companies.

~~~
schiffern
Sounds like a labor mis-allocation bubble.

Bubbles burst. Furthermore bubbles _should_ burst, for the health of the
economy.

~~~
afpx
How is this a bubble? Unlike previous bubbles, the current technology surge is
actually funded by real value, real demand, real revenues, and gigantic
profits.

~~~
schiffern
"Bubble" may be wishful thinking, but can you really argue that it's not
"labor mis-allocation?"

"The best minds of my generation are thinking about how to make people click
ads. That sucks."

By intentionally sowing economic irrationality (i.e. _beyond_ how irrational
humans are already), advertising destroys societal value. Here I use
"irrational" in the sense of "making self-harming economic decisions."

------
danalloway
full bill text can be found here:

[https://www.wyden.senate.gov/imo/media/doc/Wyden%20Privacy%2...](https://www.wyden.senate.gov/imo/media/doc/Wyden%20Privacy%20Bill%20Discussion%20Draft%20Nov%201.pdf)

------
runeks
It would be nice if the government imposed the same requirements on its own
departments for violations of privacy as it does on private companies.

Seems to me that government is eager to punish private companies for
violations, while increasing its own storage of personal information on
innocent people.

In this comments section, someone else said:

> [..] when it comes to mass surveillance, intentionally malicious backdoors
> and general societal loss of privacy, the solution should be primarily
> legislative not technical.

I'd object to this, given that a legislative solution is unable to restrict
government collection of private data, while a technical one isn't (case in
point: cryptography).

------
downandout
Fortunately, this is just a "discussion draft" and I don't believe it would
ever be passed as it is written. This clause would expose mom-and-pop app
developers who have apps that happen to go viral and get more than 1 million
installs to the same expensive, onerous requirements as an entity with $1
billion or more in revenue:

_Each covered entity that has not less than $1,000,000,000 per year in
revenue and stores, shares, or uses personal information on more than
1,000,000 consumers or consumer devices or any covered entity that stores,
shares, or uses personal information.._

Putting those two vastly different classes of entities under the same umbrella
and exposing them to decades in prison seems like it would have a chilling
effect on the startup community. You would just have to _hope_ that your
app/website doesn't get to 1 million users, otherwise you're exposed to
requirements where the implementation will bankrupt a small team or
independent developer.

I guess you could simply stop allowing new registrations at 999,999 people,
but it seems like a bad idea to discourage businesses from growing beyond
that.

------
fjsolwmv
This is campaign nonsense. It's a partisan bill sponsored by the minority
party, not a serious proposal.

------
SCAQTony
That is a stiffer sentence than a second degree murder charge, which is
15 years in California.

[https://en.wikipedia.org/wiki/Murder_(United_States_law)#Cal...](https://en.wikipedia.org/wiki/Murder_\(United_States_law\)#California)

~~~
k_sh
That's not a fair comparison - you're measuring the bill's maximum against a
murder charge's minimum.

The bill allows anything from fines up to 20 years in prison, while a murder
charge has a mandatory minimum of 15 years (up to life).

~~~
SCAQTony
Second degree murder from one jurisdiction to another. In California I stand
mostly corrected: the penalty is 15 years to life. At the 15-year mark they
are eligible for parole.

[https://en.wikipedia.org/wiki/Murder_(United_States_law)#Cal...](https://en.wikipedia.org/wiki/Murder_\(United_States_law\)#California)

------
ryan-allen
I'm cynical, if bankers can get away with the mortgage securities fraud and
not go to jail, then how can a data breach in a tech company cause people to
go to jail?

Faulty thinking on my part, probably.

------
wpdev_63
Why are bills like these always drafted after the fact? E.g. Equifax, Google+,
Facebook hack, etc.

It would be common sense to pass laws before it happened, and it would
incentivize companies to beef up security.

~~~
nelsonic
Or make the bill _retroactive_ ... ?

~~~
howard941
If it'll retroactively apply criminal penalties you're going to need a
companion amendment to the Constitution.

------
Tsubasachan
Silicon Valley has spent the last few years investing in their lobbying so
I'm not holding my breath for a US GDPR. Especially not with the current
administration.

------
rayiner
Prison time for this is madness.

~~~
tgsovlerkhgsel
Prison time for executives is the only thing that gets taken seriously. Fines
to executives can just be paid by executive insurance, and unless you crank
them up to 4% of global revenue like GDPR, fines to the company will likely
simply become cost of doing business.

But threaten the executives with prison, and they'll suddenly make sure that
the company complies with the law. I bet e.g. SOX would be taken a lot less
seriously without those teeth.

Besides that, I don't see a reason why wilful privacy violations should not be
met with prison terms. Don't want to go to prison? Don't collect/share data
that you're not allowed to collect/share.

Even for negligence, there is precedent to send people to prison, although
that usually requires the negligence to result in death. But the scale at
which software mistakes can cause damage is often higher than the scale at
which mechanical/structural engineering does: A collapsing building kills
hundreds of people. A collapsing Equifax database doesn't kill anyone
directly, but affects over a hundred _million_ people, and has the potential
to ruin their lives (imagine e.g. private Facebook profiles outing people in
intolerant areas - would probably lead to a larger number of deaths than most
modern-day building collapses).

~~~
mchannon
Easily disproven.

The 2008 crash is full of executives who did not comply with the law, and did
not take the threat of prison seriously. I think to this date you can count
the number in prison on two hands, and most of those were more foot soldiers
than masterminds.

~~~
tareqak
Maybe there need to be consequences for selective law enforcement and/or
selective prosecution?

~~~
ajmurmann
That sounds somewhat naive, but on the other hand it also might help in
getting all these unenforced, legacy laws off the books that result in anyone
at all times having one foot in prison if someone decided to enforce every
law.

~~~
tareqak
I agree with it sounding naïve. The thing is, we’ve tried a lot more things
that attempt to be pragmatic and reasonable with limited success: innocent
people get hurt, while bad actors weasel out. I know the standard is supposed
to be to let a hundred guilty people go free rather than allow one innocent
person to be imprisoned, but given how many people are in prison, there might
be more innocent people in there than we’d like to admit.

------
fredgrott
Let's see, how do we put a legal corporation in jail? Anyone have the answer
to this that our congress people lack?

~~~
anticensor
The board is replaced by military officers, along with suspension of the
business license of the original owners.

------
JustSomeNobody
My pet theory is this is firing a shell across the bow of BigCorp. Telling
them change is coming. Maybe this won’t pass, but be prepared to be held more
accountable.

~~~
elliekelly
The FTC already has quite a lot of authority over privacy regulations (in the
financial sector at least) and does next to nothing with that authority. They
spend zero time affirmatively looking into regulatory compliance and only take
(very limited) action after receiving numerous reports about egregious
violations. I suspect this is far more of a "look at how much we're _helping_
consumers" that will add some teeth to the few enforcement actions they do
pursue but won't do much by way of removing their head-in-the-sand approach to
consumer privacy.

------
excalibur
Unintended consequences: This could make running a public Wifi hotspot a
losing proposition for many businesses that operate one today.

~~~
thrmsforbfast
Nope.

The bill defines covered entities in Sec. 2.(5)(A) and 2.(5)(B). In
particular, companies with less than $50,000,000 in gross receipts and
information on fewer than 1,000,000 customers are not covered by this
legislation.

And _even if_ those apply to your local coffee shop or whatever, Sec.
2(5)(B)(iii) further limits the definition of covered entity so that
businesses that do not provide 3rd party access to information are not
covered.

So Starbucks and other _huge_ coffee chains/retail shops are the only
organizations that would have to re-evaluate data collection from their public
Wifi hotspots, and even then might be exempt depending on what they are
collecting and how they are using that information. And, I should point out,
these companies will need privacy experts on staff anyways, so this provision
is highly unlikely to cause them to shutter their in-store Wifi networks...

Additionally, some of the more onerous requirements only apply to a subset of
covered entities with yet larger gross receipts and yet larger numbers of
tracked consumers.

But, unequivocally, your locally owned mom & pop coffee shop is excluded from
consideration under this provision multiple times over.

~~~
blululu
Unless inflation happens... This only applies to big businesses now, but in 25
years it will start affecting medium sized firms and it will eventually hit
small businesses. This will create a morass of bureaucratic regulations
stifling entrepreneurship...

~~~
ebullientocelot
Granting the assumption of monotonically increasing inflation at a wild rate,
this is still only true ceteris paribus. I can't imagine inflation that would
make a small coffee shop chain into 50m/year revenue (customer floor
requirement notwithstanding) would happen in a vacuum.

~~~
anticensor
What he means is regulatory inflation, not the monetary one. A few years
later, the customer threshold would be amended to a few thousands, ten years
later, the thresholds would be abolished.

------
chewzerita
Page not found :(

~~~
slivanes
That data is too private.

~~~
circleoncircles
555

------
glasz
So they admit that the war on drugs is not working anymore. A new paper
dragon is needed.

~~~
wool_gather
This is a very strange comparison to me, given the enormous disparity in the
targets. But can you expand on your line of thought?

------
sigfubar
Just about the only threat that execs will take seriously is a posse of well-
armed men. I’m personally not against dispensing some long overdue vigilante
justice, but I wonder whether we’d know when to stop?

------
ledriveby
I could see this seriously effing with software jobs. Even if a company
intends to keep their noses squeaky clean, every developer hired becomes an
additional risk. Companies will try to control more of the process from the
top down (and that works out great LOL) and they'll try to do more with less.
Or GTFO of the country.

------
alexS
This is going to make it impossible to start a startup. We need to organize a
movement against this.

~~~
TazeTSchnitzel
Of course, Europe has had no startups at all since the Data Protection
Directive (95/46/EC) was passed in 1995. /s

~~~
manigandham
Europe does not have anything comparable to Silicon Valley, and heavy
regulations are often cited as making it hard to do business there.

~~~
elliekelly
Yet they still seem to find a way. That tells me the regulations aren't as
onerous as some businesses would have you believe.

~~~
manigandham
Who is "they"? Sure there are some companies, but clearly nothing like SV.

