Section-by-Section Analysis and Explanation Consumer Data Protection Act of 2018 Sec 1. Short Title: “Consumer Data Protection Act” Section 1 designates the act as the ​Consumer Data Protection Act​. Sec 2. Definitions Section 2 defines the terms “automated decision system,” “automated decision system impact assessment,” “covered entity,” “personal information,” “data protection impact assessment,” “high-risk automated decision system,” “high-risk information system,” “information system,” “share,” “store,” and “use” as they are used in the Consumer Data Protection Act. Sec 3. Noneconomic Injury Section 3 expands the FTC’s authority by defining “harmful” business practices to include those that create a significant risk of unjustified exposure of personal information. Sec 4. Civil Penalty Authority Section 4 authorizes the the FTC to assess civil penalties of up to $50,000 per violation and 4% of the entity’s total annual gross revenue against violators of the Consumer Data Protection Act including for first time violations. Sec 5. Annual Data Protection Reports Section 5 requires the senior executives (Chief Executive Officer, Chief Privacy Officer, Chief Information Security Officer) of companies with more than a billion dollars per year of revenue or data on more than 50 million consumers to file annual reports with the FTC detailing whether or not the company complied with the privacy and data security regulations created by the Consumer Data Protection Act. This section also creates criminal penalties, including imprisonment of up to 20 years, if these executives sign off on false statements in these annual reports. Sec 6. “Do Not Track” Data-Sharing Opt-Out Section 6 authorizes the FTC to establish a national system to provide consumers with a way to opt-out of companies’ sharing their personal information. Companies that wish to continue to share consumer’s personal data after the consumer opted-out will be able to ask consumers for permission to do so, and if those companies want require that as a condition of offering their product or service, they will also need to offer a paid version of their product or service, for which they can charge no more than they would have made by sharing the user’s data. Sec 7. Data Protection Authority Section 7 authorizes the Federal Trade Commission (FTC) to create regulations that (1) establish and implement minimum privacy and cybersecurity standards, (2) give consumers a way to review what personal information a covered entity stores about them, learn with whom it has been shared, and challenge inaccuracies in that information, and (3) require companies conduct impact assessments of their high-risk automated decision systems and high-risk information systems. Sec 8. Bureau of Technology Section 8 establishes a Bureau of Technology within the FTC to be staffed by 50 new technical experts. Sec 9. Additional Personnel in the Bureau of Consumer Protection Section 9 authorizes the FTC to appoint 100 additional personnel in the Division of Privacy and Identity Protection of the Bureau of Consumer Protection, and 25 additional personnel in the Bureau’s Enforcement Division. Sec 10. Complaint Resolution Section 10 authorizes the FTC to establish procedures for the resolution of complaints by consumers regarding violations of the Consumer Data Protection Act, which will require the FTC to forward the complaints to the offending companies, and then forward the company’s response back to the consumer. Sec 11. Application Programming Interfaces Section 11 requires the FTC, in consultation with the National Institute of Standards and Technology, to establish Application Programming Interfaces (APIs) to permit consumers to use apps and other computer programs to request, receive, and process information they are entitled to under this Act, and to manage their opt-out preferences. Sec 12. News Media Protections Section 12 clarifies that the obligations imposed on entities under this Act (such as disclosing what information they have about a consumer) do not apply to journalists.