On November 26, 2019, Senate Democrats, led by Sen. Maria Cantwell, have introduced a federal US privacy law. The bill dubbed COPRA – the Consumer Online Privacy Rights Act introduces new concepts and obligations, some take after GDPR and CCPA provisions, while others are novel.
The purpose of the bill, as stated in its preamble is “To provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement.”
Among the new requirements are consent (including explicit consent for using sensitive data), annual assessments, 11 individuals’ rights (some of them are novel), reports to the Federal Trade Commission, obligations related to ‘algorithmic decision making’ and a duty of loyalty.
The bill will likely steer substantial debate and the outcome is not clear yet. If the US legislator will succeed where past attempts to enact a federal privacy law failed, it would create an immense impact on doing business in the US.
Who is Not Covered Under COPRA?
Much like the CCPA, COPRA has a broad reach. It will cover individuals and commercial businesses of all types, who use personal information related to a US resident. However, the bill excludes entities how are not governed by the Federal Trade Commission Act. These include non-profit organizations, telecom carriers and some financial services.
Additionally, small business are exempt from COPRA’s provisions if their annual income does not exceed $25 million (same as under the CCPA), they use personal information about less than 100,000 individuals, households and devices (compared to 50,000 under the CCPA) and derive less than 50% of their annual revenue from transferring individuals’ covered data (similar to the CCPA 50% data sale threshold).
The bill would also not apply to entities which are covered by other privacy-related federal legislation. These include (not an exhaustive list) – HIPAA (health information), Fair Credit Reporting Act (credit data), Gramm-Lead-Bliley Act (financial information) and the FERPA (education data).
Finally, employees’ data, de-identified data and public records are out of the COPRA’s scope of the ‘covered data’.
Consent and Other Lawful Grounds for Processing
In contrast with general perceptions of US laws, the need for individuals’ consent to process data related to them lawfully, is not a new concept. However, it is restricted to certain specific uses of personal information.
For example, under the Telephone Consumer Privacy Act (TCPA), businesses must obtain opt-in consent before sending consumers text messages; Under the Children Online Privacy Protection Act (COPPA), businesses must obtain parental consent for using personal information related to their children; and, under the California Consumer Privacy Act (CCPA), A business may enter a consumer into a financial incentive program only if the consumer gives the business prior opt-in consent.
COPRA introduces a general ‘affirmative express consent’ requirement. Other lawful grounds to process personal information are available as an alternative to consent, if the processing of the data is “reasonably necessary, proportionate, and limited to such purpose”:
|COPRA||Similarity to GDPR and CCPA Provisions|
|To complete a transaction or fulfill an order or service specifically requested by an individual, such as billing, shipping, or accounting||Similar to the GDPR ‘performance of contract’ lawful ground;|
|To perform system maintenance, debug systems, or repair errors to ensure the functionality of a product or service provided by the covered entity.||Similar to a CCPA ‘business purpose’ for using personal information.|
|To detect or respond to a security incident, provide a secure environment, or maintain the safety of a product or service.||Similar to a CCPA ‘business purpose’ for using personal information.|
|To protect against malicious, deceptive, fraudulent or illegal activity.||Similar to a CCPA ‘business purpose’ for using personal information.|
|To comply with a legal obligation or the establishment, exercise, or defense of legal claims.||Similar to the GDPR ‘compliance with a legal obligation’ lawful ground.|
|To prevent an individual from suffering harm where the covered entity believes in good faith that the individual is in danger of suffering death or serious physical injury (Similar to the GDPR ‘protection of data subjects’ vital interests’ lawful ground).||Similar to the GDPR ‘protection of data subjects’ vital interests’ lawful ground.|
|To effectuate a product recall pursuant to Federal or State law.||No similar provisions.|
|To conduct scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board or a similar oversight entity that meets standards promulgated the Federal Trade Commission pursuant to the US Code.||Similar to a GDPR exception to the prohibition on processing ‘special categories’ of data.|
COPRA introduces 11 individuals’ rights. Some of them take after known rights under the GDPR or the CCPA, while others are novels. These rights include:
- A duty of loyalty by the covered entities, and specifically a duty to avoid deceptive practices (a new right, based on the Federal Trade Commission power to enforce against unfair and deceptive trade practices);
- A right of access (exists both under the GDPR and CCPA);
- A right to transparency (exists as a requirement to disclose the identity of the controllers/business to individuals/data subjects under the GDPR and CCPA);
- A right to delete (similar to the CCPA right to delete and the GDPR right of erasure);
- A right to correct inaccuracies (similar to the GDPR ‘right to rectify’).
- A right to data portability (similar rights under the GDPR and CCPA).
- A right to opt out of transfers (similar to the CCPA right to opt out of data sale and the GDPR right to object).
- A right to data minimization (This is not a right under the GDPR and CCPA. It is similar to a GDPR ‘data minimisation’ principle of processing and a data protection by design implementation.).
- A right to data security (This is not a right under the GDPR and CCPA. It is similar to the GDPR general requirement for data security).
- A civil right not to be subject to discriminatory processing or transferring of personal data ((This is not a right under the GDPR and CCPA, though the GDPR advises in its recitals to use proper measures to avoid discriminatory outcomes of data processing).
COPRA includes new requirements, which if enacted, would raise the risks for businesses and their management. These include for example;
- Covered entities will need to appoint privacy officers data security officers.
- CEOs, privacy officers and CISOs of ‘large data holders’, who process data on more than 5 million individuals, or sensitive data about more than 100,000 individuals, will submit annual attestation of compliance to the Federal Trade Commission.
- Annual assessment of algorithmic decision-making test accuracy, fairness, bias and discrimination.
COPRA Preempts State Laws in Part Only
COPRA supersedes any State law to the extent such law directly conflicts with its provisions or a standard, rule, or regulation promulgated under COPRA, and only to the extent of such direct conflict.
State laws which afford a greater level of protection to individuals will not be preempted by COPRA. Presumably, some CCPA provisions which are not addressed under the COPRA will remain in effect even after the COPRA will be enacted.
The Federal Trade Commission will create a new bureau to enforce COPRA and will have the power, alongside state attorney generals and US residents, to enforce COPRA.
Damages imposed for violations will amount to $100 to $1000 per violation per day
On December 4, the US Senate’s Committee on Commerce, Science and Transportation will hold a hearing titled: Examining Legislative Proposals to Protect Consumer Data Privacy.
The committee will discuss legislative privacy-related proposals, including presumably Sen. Maria Cantwell’s proposed bill.
We will continue monitoring developments around COPRA.