On November 26, 2019, a group of Democratic senators introduced the Consumer Online Privacy Rights Act (COPRA).  This comprehensive privacy bill—sponsored by Senators Maria Cantwell (D-WA), Brian Schatz (D-HI), Amy Klobuchar (D-MN), and Ed Markey (D-MA)—would grant individuals broad control over their data, impose new obligations on data processing, and expand the FTC’s enforcement role over digital privacy.

“In the growing online world, consumers deserve two things: privacy rights and a strong law to enforce them,” Senator Cantwell explained. “They should be like your Miranda rights—clear as a bell as to what they are and what constitutes a violation.”

Here are some key elements of the bill:

  • Scope: The bill broadly defines covered data. With certain exceptions, it includes all information “that identifies, or is linked or reasonably linkable to an individual or a consumer device, including derived data.” With certain exceptions, covered entities include all those that are subject to the FTC Act and that process or transfer covered data. The bill would preempt directly conflicting state laws; it would not preempt state laws that afford greater protections.
  • Individual Rights over Covered Data: The bill grants individuals rights of access, deletion, correction, and portability over covered data.  The individual also has the right to object to the transfer of covered data to a third party.
  • Covered Entity Obligations: The bill imposes a general duty not to engage in deceptive or harmful data practices. The entity generally must engage in data minimization—i.e., must not process or transfer covered data “beyond what is reasonably necessary, proportionate, and limited.”  Specifically, an entity must have “prior, affirmative express” consent of the individual to transfer or process “sensitive” covered data—broadly defined to include, among others, intimate images and geolocation information.

COPRA requires an entity to publish a privacy policy and implement “reasonable” data security practices, which at a minimum include vulnerability assessments, secure data retention and disposal, and employee training.  The entity must also designate privacy and data security officers in charge of ensuring compliance with COPRA.  Certain entities that transfer or process data for a significant number of individuals must annually certify to the FTC that adequate internal controls exist to comply with COPRA.

The bill also contains several protections related to civil rights.  It prohibits the entity from using data on the basis of certain classifications, like gender and familial status.  In particular, entities engaged in algorithmic decision-making for certain purposes, such as determining eligibility for credit, must make impact assessments.

  • FTC Authority: The bill directs the FTC to establish a new bureau focused on privacy and data security issues.  The FTC is granted authority to enforce COPRA, along with state attorneys general and individuals.  The FTC and state attorneys general would deposit recovered funds in the Data Privacy and Security Relief Fund, which would be used to compensate affected individuals.  COPRA also directs the FTC to issue implementing regulations, such as further defining sensitive covered data and establishing a process for individuals to object to covered data transfers.
  • Private Right of Action: As mentioned, COPRA provides a private right of action for individuals to assert violations, with recoverable general damages from $100 to $1000 per violation per day.  It also specifies that arbitration agreements and class action waivers are invalid with respect to disputes arising under COPRA.
  • Miscellaneous: The bill requires the director of the National Institute of Standards and Technology to publish a report on digital content forgeries.