New US Federal Privacy Bill Proposed
Legislation Designed Along the Same Lines as CCPA
U.S. Sen. Maria Cantwell, D-Wash., has introduced a federal privacy bill called the Consumer Online Privacy Rights Act, or COPRA, which would expand the rights of people when it comes to how personal data is collected, shared and used. Senators Amy Klobuchar, D-Minn.; Ed Markey, D-Mass.; and Brian Schatz, D-Hawaii, co-sponsored the bill.
“Privacy rights should be like your Miranda rights – clear as a bell as to what they are and what constitutes a violation,” Cantwell said in a statement. The bill received statements of support from privacy advocacy groups, such as Consumer Reports, the Electronic Privacy Information Center (EPIC), and the Georgetown Law Center on Privacy & Technology.
The move comes after a series of efforts to enact national privacy legislation have failed to yield desired results. For instance, earlier this month, two Democratic members of the U.S. House proposed a national privacy law that calls for the formation of a new federal agency to enforce the privacy rights. In October, Sen. Ron Wyden introduced the “Mind Your Own Business Act” that proposed to expand the FTC's authority to regulate data collection.
Meanwhile, California has enacted its own legislation, the California Consumer Privacy Act, that was inspired, in part, by the European Union's General Data Protection Regulation. CCPA goes into effect January 1, 2020.
According to data from the National Conference of State Legislatures, about 110 privacy bills are pending in various U.S. states.
Who Gets Covered?
As proposed, COPRA has broad applicability to businesses, individuals and personal data across the United States. The proposed bill excludes small businesses with revenue of less than $25 million per year. Companies that derive less than 50% of their revenue from transferring covered data for valuable consideration would also be unaffected.
COPRA will cover entities covered by the Federal Trade Commission Act, which generally excludes non-profit firms, certain financial institutions and telecommunications common carrier activities, as per a report by the International Institute of Privacy Professionals.
COPRA has designed rights for citizens much the same way as the CCPA, with a few additions. Below are some of the rights as mentioned in the bill:
Affirmative Consent: The bill stresses “affirmative consent” for processing sensitive data. The term “affirmative consent” means an affirmative act by an individual that clearly communicates the individual’s authorization for an act or practice, in response to a specific request. The bill states that the consent must be in easy-to-understand language and should include a prominent heading that would enable an individual to identify and understand the requirements.
Right to Access and Transparency: The bill states that the covered entity must make available, in detail, how an individual’s data is being used. Details of third-party identities will also have to be made available. It also asks companies to spell out the details of their data retention period, data security policies and data minimization policies.
Language: Covered entities will have to make their privacy policies available in all languages in which the covered entity provides a product or service or carries out any other activities.
Right to Delete: After verifying a request from a user, entities shall delete, or allow the individual to delete, any information that is processed by the entity. Also, as under CCPA, individuals have the right to opt out of data sharing.
Duty of Loyalty: The bill introduces a “duty of loyalty,” prohibiting covered entities from engaging in deceptive or harmful practices, a standard that includes financial, physical or reputational injury.
COPRA grants enforcement authority to the FTC, state attorneys general and private citizens. Penalties for violations would range from $100 to $1,000 per violation per day and could include attorney’s fees and equitable relief.
The bill proposes to create a new Data Privacy and Security Relief Fund in which the FTC and state attorneys general would deposit funds recovered through enforcement to be used for redress, payments or compensation to individuals affected, as well as privacy education initiatives.
What Experts Say
The U.S. does not have general federal privacy legislation. Rather, it has “a jumble of hundreds of laws enacted on both the federal and state levels to protect the personal data of U.S. residents,” notes the law firm White & Case.
The FTC has taken action against technology companies in privacy cases, including levying a record $5 billion fine on Facebook earlier this year.
Earlier this month, Microsoft said it will apply the core rights of the California Consumer Privacy Act across all its customers in the U.S. However, there has been a chorus demanding a national privacy law in the U.S.
Steve Durbin, managing director of the Information Security Forum, a London-based authority on cyber, information security and risk management, says there is a real need for a federal privacy law in the U.S. “A federal law is needed to avoid states introducing their own variations and interpretations on privacy, which adds a further compliance burden to already overstretched businesses looking to understand and comply with their obligations across the various regions in which they are transacting business,” Durbin says.
The bill will likely be discussed on December 4, when lawmakers come together for a hearing convened by Sen. Roger Wicker, R-Miss., examining legislative proposals to protect consumer data privacy.