On Nov. 26, U.S. Sen. Maria Cantwell, D-Wash., ranking member of the Senate Committee on Commerce, Science, and Transportation, introduced the Consumer Online Privacy Rights Act, a new federal privacy bill likely to spur debate and reenergize data protection discussions in Washington.

COPRA is designed to “provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement,” laudable goals and ones on which privacy advocates, consumers and industry are increasingly finding common ground as states around the country craft disparate rules on privacy protection.

What highlights, novelties, points of contention and areas of consensus are worth considering?

What and who is covered?

COPRA has broad applicability to businesses, individuals and personal data across the United States. It applies to information that identifies or is reasonably linkable to an individual residing in the U.S. or a consumer device. It covers all entities subject to the Federal Trade Commission Act and processing covered data. Generally speaking, this includes organizations engaged in commercial practices and excludes most nonprofits, certain financial institutions and telecommunications common carrier activities.

Small businesses are also excluded, meaning entities with revenue of less than $25 million per year, processing covered data of fewer than 100,000 individuals, households or devices, and deriving less than 50% of their revenue from transferring covered data for valuable consideration would be unaffected. There is also a carve-out for entities subject to several other federal sectoral privacy laws, including the Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act, Fair Credit Reporting Act, Family Educational Rights and Privacy Act, and others.

What privacy rights does it create?

The act outlines a set of well-recognized privacy rights on which there is fairly broad consensus across partisan lines and within the business community. These include:

• Consent: The bill requires individual consent for data processing, including express affirmative consent for processing sensitive data, which is very broadly defined but excludes “publicly-available information.” Much like the California Consumer Privacy Act, COPRA provides individuals the right to opt out of the transfer of their covered data for “valuable consideration” and would grant the FTC rulemaking in that area.
• Access: The act requires covered entities to provide individuals with their own covered data upon request, in a portable format, as well as the name of any third party to which it has been transferred for valuable consideration.
• Correction and deletion: Individuals are granted the right to correct and delete their own covered data.
• Transparency: Covered entities must publish a privacy policy that includes information commonly seen in such policies today. This includes contact information for the entity, the categories of data processed, and the categories of third parties and service providers to which information is transferred. Somewhat more novel requirements include retention timelines, and perhaps more contentious, the identity of each third party to which covered data is transferred. The policy must be made available in all languages in which the covered entity does business.
• Data minimization: Covered entities may only process covered data for specific purposes, subject to necessity and proportionality standards.
• Data security: Covered entities must provide reasonable security, assess vulnerabilities, implement corrective action when risks are identified and dispose of data that is no longer needed.

What’s novel?

In many instances, COPRA approaches these rights in a manner quite similar to the CCPA. That being said, COPRA also introduces more novel elements designed to address emerging digital economy challenges. While some of these noteworthy provisions have long been debated in academic circles, they have yet to be seen in a federal privacy bill with the potential to gain traction.

For instance, the bill introduces a “duty of loyalty,” prohibiting covered entities from engaging in deceptive or harmful practices, a standard that includes financial, physical or reputational injury. While novel for federal privacy legislation, the duty of loyalty draws on well-defined principles of common law.

The bill tackles algorithmic decision-making, requiring those engaged in the practice to facilitate advertising or eligibility determinations for housing, education, employment or credit to conduct an impact assessment annually for accuracy, fairness, bias and discrimination. Challenges related to "deep fakes" are also addressed.

What would impact privacy on the ground?

Compared to previous privacy bills, COPRA is noteworthy for its efforts to strengthen privacy in practice.

The act would support privacy professionals’ and regulators’ efforts to build privacy into the fabric of companies by mandating the appointment of qualified privacy and security officers and charging them with implementing strong privacy compliance programs, annual privacy and security risk assessments, and organizationwide privacy training for all employees with access to covered data.

The FTC and National Institute of Standards and Technology would be charged with crafting training guidelines.

CEOs and executives of “large data holders” would also be on the hook. Covered entities that annually processes covered data of more than 5 million individuals, devices or households or the sensitive data of more than 100,000 would be required to attest annually to the FTC that they have implemented the controls necessary to comply with the act’s provisions.

This mandated oversight would catapult privacy to the top executives’ agenda and clearly impact privacy on the ground.

Who would enforce the act?

COPRA would grant enforcement authority to the FTC and state attorneys general, as well as private citizens. Damages for violations would range from $100 to $1,000 per violation per day and could include attorney’s fees and equitable relief.

The bill would establish a new bureau within the FTC, comparable in size to the FTC’s existing competition and consumer protection bureaus. It would also create a new Data Privacy and Security Relief Fund in which the FTC and state attorneys general would deposit funds recovered through enforcement to be used for redress, payments or compensation to individuals affected, as well as privacy education initiatives.

What’s politically contentious?

While the majority of the bill’s provisions are now commonly viewed as the backbone of any meaningful federal privacy legislation, several remain lightning rods for partisan debate. The two most obvious are the private right of action envisioned and the very limited preemption of state laws. The bill would preempt state laws that directly conflict with COPRA but not state laws that create separate and more onerous requirements.

Where does this leave us?

COPRA reflects an emerging consensus among policymakers, the business community, academia and privacy advocates on how to tackle the challenges of the modern data economy. It is likely to kick off a lively debate on how to balance the bill’s practical privacy-enhancing elements with the realities of today’s information economy. Its introduction of new governance and accountability structures for privacy should help push those conversations forward. 

The bill will likely be at the forefront of discussions Dec. 4, when lawmakers come together for of a Senate Committee on Commerce, Science, and Transportation hearing convened by Sen. Roger Wicker, R-Miss, examining legislative proposals to protect consumer data privacy.

It will be a conversation well worth following.

Photo by Andy Feliciotti on Unsplash