This month, Senate Commerce Chairman Jay Rockefeller (D-W.Va.) introduced the “Do-not-track Online Act of 2011”.
Some interesting highlights from the proposed bill: there would be a fine of up to $16,000 per day of violation, with a maximum of $15,000,000 in civil damages available for all civil actions under the bill. The $16,000 maximum is on a per state basis. That means that a vendor could have been exposing your personal information for 19 days before they hit the ceiling.
While that’s a big number, it is relatively low compared to the damage that could be done. Credit monitoring alone for a breach of a million accounts could meet that number. It also removes the incentive to address a breach after the 19th day because there would be no further penalty. A company like Facebook, which has been under enormous pressure to protect the privacy of its users for years, wouldn’t be concerned at all with such a low penalty. (At that point, doesn’t it become a $15 million license to violate privacy?)
This is an improvement, however, over the Privacy Bill of Rights introduced earlier this year by Senators Kerry and McCain. Their bill contained a very similar section, with a limit of $16,500 per day but capped at only $3 million.
I think if there is any privacy benefit to this rule, it would be that at least there was some stigma associated with a particular exposure, which might have a greater sting for companies like Facebook.