This month, Senate Commerce Chairman Jay Rockefeller (D-W.Va.) introduced the “Do-not-track Online Act of 2011”.
Some interesting highlights from the proposed bill: there would be a fine of up to $16,000 per day for each day you are in violation, with a maximum of $15,000,000 in civil damages available for all civil actions under the bill. The $16,000 daily maximum is on a per-state basis, so if every state brought an action the exposure would be 50 × $16,000 = $800,000 per day. At that rate a vendor could have been exposing your personal information for about 19 days ($15,000,000 / $800,000 ≈ 18.75 days) before they hit the ceiling.
While that’s a big number, it is relatively low compared to the damage that could be done. Credit monitoring alone for a breach of a million accounts could meet that number. It also removes the incentive to address a breach after the 19th day, because there would be no further penalty. A company like Facebook, which has been under enormous pressure to protect the privacy of its users for years, wouldn’t be concerned at all with such a low penalty. (At that point, doesn’t it become a $15 million license to violate privacy?)
This is an improvement, however, over the Privacy Bill of Rights introduced earlier this year by Senators Kerry and McCain. Their bill contained a very similar section, but the limit was $16,500 per day, capped at only $3 million.
I think if there is any privacy benefit to this rule, it would be that at least there is some stigma associated with a particular exposure, which might have a greater sting for companies like Facebook.