Perhaps the third time’s the charm: a group of Senate Democrats, following in the recent footsteps of their colleagues in both chambers, has introduced a bill that would impose sweeping reforms to the current disaster patchwork of US privacy law.
The bill (PDF), dubbed the Consumer Online Privacy Rights Act (COPRA), seeks to provide US consumers with a blanket set of privacy rights. The scope and goal of COPRA are in the same vein as Europe’s General Data Protection Regulation (GDPR), which went into effect in May 2018.
Privacy rights “should be like your Miranda rights—clear as a bell as to what they are and what constitutes a violation,” Sen. Maria Cantwell (D-Wash.), who introduced the bill, said in a statement. Senators Amy Klobuchar (D-Minn.), Ed Markey (D-Mass.), and Brian Schatz (D-Hawaii) also co-sponsored the bill.
The press release announcing the bill also includes statements of support from several consumer and privacy advocacy groups, such as Consumer Reports, the Electronic Privacy Information Center (EPIC), the Georgetown Law Center on Privacy & Technology, and the NAACP.
What’s in the bill?
The proposals within COPRA fall basically into three main buckets: enumerated rights for consumers, data-handling requirements for businesses, and enforcement mechanisms.
As explained in a one-page summary of the bill (PDF), the rights consumers would gain from COPRA include:
- The right to be free from deceptive and harmful data practices; financial, physical, and reputational injury; and acts that a reasonable person would find intrusive, among others
- The right to access their data and greater transparency, which means consumers have detailed and clear information on how their data is used and shared
- The right to control the movement of their data, which gives consumers the ability to prevent data from being distributed to unknown third parties
- The right to delete or correct their data
- The right to take their data to a competing product or service
On the company side, businesses would be required to demonstrate that they take “preventive and corrective actions” to protect consumer data from leaks, breaches, hacks, or other kinds of misappropriation. Highly sensitive data, such as biometric data and geolocation data, would also be subject to stronger standards for protection and use.
The bill would put responsibility for enforcement in the hands of the Federal Trade Commission, which would also be tasked with creating specific new rules detailing the processes covered entities would be required to follow.
COPRA also seems to take into account the challenges the EU and consumers have faced since the GDPR went into effect, as it specifically tasks the FTC with making sure those rules not only require “clear and conspicuous” notices to opt in or opt out of data collection and transfers but also “to minimize the number of opt-out designations of a similar type that a consumer must make” (such as an “accept cookies” warning on every single website one visits).