A National Federal Privacy Law? Check Out COPRA, The Most Comprehensive Privacy Bill Introduced Yet
On November 26, 2019, Senator Maria Cantwell (D-WA) along with other Democratic senators across four key Senate committees introduced the Consumer Online Privacy Right Act (“COPRA”). Per Senator Klobuchar’s description, COPRA “establishes digital rules of the road for companies, ensures that consumers have the right to access and control how their personal data is being used, and gives the Federal Trade Commission and state attorneys general the tools they need to hold big tech companies accountable.”
The bill would empower consumers with control over their personal information, including access, deletion, correction, and portability rights. The bill also would provide the FTC with broader powers to combat privacy harms. Notably, the bill would establish a private right of action for consumers and would not preempt more stringent state privacy laws. The following chart highlights key aspects of the Scope, Rules, Exceptions, and Enforcement of the COPRA bill.
Scope & Jurisdiction | COPRA covers all businesses with an average annual revenue over $25 MM (among other requirements), who are subject to the FTC Act and process or transfer information that identifies, or is “reasonably linkable” to an individual or consumer device. COPRA excludes small businesses, non-profit organizations, political campaigns, banks, or other entities not already subject to the FTC’s jurisdiction. |
Privacy & Data Security Rights | Duty of Loyalty & Right to Data Security: Codifies the FTC’s interpretation of reasonable privacy and data security standards. Requires businesses to designate privacy and data security officers in charge of ensuring compliance with COPRA. Right to Access & Transparency: Incorporates provisions similar to the CCPA right to access data and privacy policy disclosure requirements. Right to Delete: Broader than the CCPA in that there are no business purpose exceptions to retain consumer data. If a consumer requests that a business delete covered data, the business must delete the data and inform service providers and third parties of the deletion request. Right to Correct Inaccuracies: Businesses must provide a consumer a mechanism to correct inaccurate or incomplete data and must notify service providers and third parties of the correction. Right to Controls: Incorporates provisions similar to the CCPA right to opt-out of the sale or transfer of consumer information. The FTC would be responsible for promulgating rules for compliance with this right. Right to Data Minimization: Businesses can not process or transfer data unless it is “reasonably necessary, proportionate, and limited” to carry out the specific processing and transfer purposes described in the privacy policy; carry out a specific processing purpose or transfer after a covered entity has obtained affirmative express consent; or for a purpose specifically permitted by the Act. |
Civil Rights | Businesses cannot discriminate based on data that differentiates people based on their perceived race, color, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation, familial status, biometric information, lawful employment, or disability. Businesses must offer people the same housing, employment, credit, educational opportunity, and public accommodation to every person. Businesses are also required to conduct impact assessments to ensure algorithmic decision-making is not discriminating based on data that may differentiate people using those traits. |
Exceptions | Businesses do not need to comply with the Rights above if:
|
Third Parties & Service Providers | Service providers are exempt from several provisions in the Act. However, they must delete, correct, or de-identify data subject to consumers’ requests under the Act. Service providers must only use data in the way their contract provides and can’t sell data to a third party without affirmative express consent from the business. Third parties cannot process data inconsistent with the expectations of a reasonable consumer. In receiving data, third parties can reasonably rely on the representations of the businesses and service providers. Businesses must conduct reasonable oversight and due diligence on service providers and third party transfers of data. |
Private Right of Action | COPRA provides a private right of action for individuals to assert violations. Any violation of the Act, or of a regulation promulgated under it, will be considered an “injury in fact.” Damages range from $100 to $1000 per violation per day. Arbitration agreements and class action waivers are invalid in disputes arising under COPRA. |
Federal & State Enforcement | Within two years, the FTC must create a new bureau to assist in exercising their authority under the Act and other Federal laws addressing privacy, data security, and related issues. A violation of this Act is treated as a violation of the FTC Act. One year after enactment, a CEO (or equivalent) and data privacy officers must review and certify to the FTC that they maintain adequate internal controls and reporting structures to ensure compliance with this Act. Businesses will be required to have a privacy and data security officer, who ensures the business has a comprehensive written privacy and data security program, annually conducts risk assessments and facilitates ongoing compliance with this Act. This Act does not preempt any state laws that afford “a greater level of protection to individuals protected under this Act.” It only preempts directly conflicting state laws. The Act does not preempt any other private rights of action but the FTC can intervene in individual enforcement actions under COPRA. |