In the latest Congressional effort to establish a federal privacy law, on November 18, 2019, a group of Senators released a set of “core principles” for a federal privacy framework, followed by the introduction of an extensive privacy bill, the Consumer Online Privacy Rights Act (COPRA or Act), on November 26, 2019. While the Act encompasses themes similar to those found in the landmark California Consumer Privacy Act (CCPA), COPRA also introduces more expansive data privacy and security concepts, particularly with respect to liability, enforcement and executive accountability.
Privacy and Data Protection Framework
Signed by Sens. Maria Cantwell (D-Wash.), Dianne Feinstein (D-Calif.), Sherrod Brown (D-Ohio) and Patty Murray (D-Wash.), the Privacy and Data Protection Framework sets forth key principles that the authors posit should be included in any comprehensive federal data protection legislation. The principles cover several privacy topics focused on four primary goals: (1) establish data safeguards, (2) invigorate competition, (3) strengthen consumer and civil rights, and (4) impose real accountability. The framework includes common principles found in emerging privacy frameworks, such as consumer rights over their data, but also introduces newer concepts such as consumers’ ability to prevent their data from being “commingled” across businesses within an enterprise and data use limitations and restrictions in connection with corporate transactions. Notably, the framework reinforces the growing view from regulators that corporate executives should be held accountable for their organizations’ data privacy and security practices.
COPRA
On the heels of releasing the Privacy and Data Protection Framework, on November 26, 2019, Senator Cantwell introduced COPRA, a new federal privacy bill likely to spur debate and reenergize data protection discussions in Washington. COPRA is designed to “provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement.” Members of Congress continue to work to establish a uniform privacy framework as states across the country are attempting to craft their own, at times disparate, rules on privacy protection.
If enacted, COPRA would have fairly broad applicability; but, similar to the CCPA, it includes threshold criteria that may result in certain smaller businesses falling outside its scope. Entities that can establish all of the following—for the preceding three (3) calendar years—would not be covered: (1) average gross revenues of less than $25 million per year; (2) annual processing of covered data of fewer than 100,000 individuals, households or devices; and (3) less than 50% of revenue derived from transferring covered data. The bill also includes certain exemptions for entities subject to other federal privacy laws, including the Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act, Fair Credit Reporting Act, and Family Educational Rights and Privacy Act, among others, though such entities would still be obligated to comply with certain data security requirements.
COPRA outlines a number of data privacy and security requirements and would authorize the Federal Trade Commission (FTC) to promulgate regulations necessary to carry out the Act. Key concepts in the Act include:
- Consent: COPRA would require individual consent for certain data processing activities, including affirmative express consent for material changes to a company’s privacy policy or practices related to previously collected data as well as for processing “sensitive covered data,” subject to certain exceptions. Similar to the CCPA, COPRA would provide individuals the right to opt out of certain transfers of their covered data to a third party, including transfers in exchange for “consideration.”
- Consumer Rights: COPRA would afford consumers other rights over their information, including the right to correct and delete covered data as well as the right to have covered entities provide individuals with their own covered data upon request, in a portable format, as well as the name of any third party to which it has been transferred in exchange for consideration or for a commercial purpose. The bill also includes civil rights protections, including anti-discrimination provisions and requirements related to algorithmic decision making.
- Transparency: Covered entities would also be required to publish a privacy policy that describes the company’s data processing and transfer activities, including the categories of data processed and the categories of third parties and service providers to which information is transferred. Other privacy policy requirements include descriptions of retention timelines, data minimization and data security policies, and notably, the identity of each third party to which covered data is transferred. COPRA would also require that the privacy policy be made available in all languages in which the covered entity does business.
- Data security: Notably, COPRA includes specific data security requirements. In addition to mandating “reasonable” data security practices, the proposed legislation also would require covered entities to undertake affirmative data security practices, including vulnerability assessments, retention and disposal procedures, and employee training. The bill also would expressly require covered entities to take preventive and corrective action to mitigate identified risks and vulnerabilities.
- Corporate Executive Accountability: COPRA also introduces specific obligations for CEOs and other executives of covered entities that are large data holders (i.e., companies that process or transfer covered data of more than 5 million individuals, devices or households, or that process or transfer sensitive covered data of more than 100,000 individuals, devices or households). The bill would require such executives to certify to the FTC that the organization maintains adequate internal controls to comply with the act as well as reporting structures to ensure that certifying officers are involved in and responsible for decisions impacting compliance. The bill would also require designation of privacy and security officers who are responsible for implementing data privacy and security programs, conducting annual assessments, and facilitating compliance with the Act.
- Regulatory Enforcement and Preemption: The FTC and state attorneys general would have the authority to enforce COPRA. The Act also would establish a new division within the FTC to assist the Commission in exercising its authority under COPRA and other federal laws addressing privacy and data security. The Act would permit states to create their own privacy laws, and federal preemption would be limited to only those state laws that directly conflict with the Act. Importantly, the Act makes clear that state laws which afford greater protections than COPRA shall not be considered to be in direct conflict with federal requirements.
- Private Right of Action: The bill also would afford individuals the right to sue for violations of the Act, with statutory damages of $100 to $1,000 per violation per day (or actual damages, if greater), and could include attorney’s fees, equitable relief and punitive damages. Unlike the CCPA, the private right of action is not limited to data breaches and would extend to any violation of the Act. Critically, the Act expressly states that a violation of the Act constitutes a “concrete and particularized injury in fact”—addressing a threshold standing issue currently being confronted by courts across the country in data security- and privacy-related litigation.
COPRA approaches consumer privacy rights in a manner similar to the CCPA. That said, COPRA also includes more expansive data privacy and security requirements and introduces more novel elements designed to address emerging digital economy challenges. For instance, the bill introduces a “duty of loyalty,” prohibiting covered entities from engaging in deceptive or harmful practices. State and federal regulators historically have exercised their general authority to protect against unfair and deceptive trade practices as a means to enforce data privacy and security requirements; however, COPRA’s duty of loyalty would expressly incorporate such standards in the privacy and security context. The bill also tackles algorithmic decision making (akin to the European Union General Data Protection Regulation’s concept of automated decision making). The Act would require companies that engage in algorithmic decision making to facilitate advertising or eligibility determinations for housing, education, employment or credit to conduct annual impact assessments to evaluate accuracy, fairness, bias and discriminatory impact.
Why it matters: Attempts to enact privacy legislation at the federal level have continued over several years, from “Do Not Track” measures to strengthening the Children’s Online Privacy Protection Act. Multiple bills were introduced again in 2019, but passage appears unlikely this year or even in 2020. States—particularly California, with the CCPA’s effective date imminent—have had better success and will likely continue to in 2020.
While there has been an uptick in privacy-related activity on Capitol Hill in recent months, at present, there is little expectation of a bill making its way to the President’s desk before the 2020 presidential election. On November 29, 2019, shortly after the introduction of COPRA, Sen. Roger Wicker (R-Miss.) circulated a discussion draft privacy bill, the United States Consumer Data Privacy Act of 2019 (USCDPA). The proposed legislation carries many similarities with COPRA, but it notably does not provide for a private right of action and would expressly preempt state laws related to the data privacy, data security and associated activities of covered entities, highlighting two of the many key issues on which members of Congress will need to find resolution in any comprehensive final package. Relatedly, once the CCPA sets privacy expectations in California and potentially across the nation, privacy advocates believe it will be harder for members of Congress to enact a unified federal privacy framework, especially if the federal standard is viewed as watering down consumer privacy protections that exist under state law. Nonetheless, whether at the state or federal level, a new privacy framework is emerging in the U.S.