Democratic lawmakers took another step on the long march toward federal privacy legislation on Tuesday with a new Senate bill that aims to serve as a framework for a national law.
The Consumer Online Privacy Rights Act (COPRA) would limit how consumer data is collected, establish a set of consumer data rights and beef up the Federal Trade Commission’s (FTC) enforcement powers.
The full text of the bill is available here.
The bill’s main sponsor is Sen. Maria Cantwell, D-Wash. – also the top Democrat on the Senate Commerce – with support from Sens. Ed Markey, D-Mass., Amy Klobuchar, D-Minn. and Brian Schatz, D-Hawaii.
The proposal will likely be a main talking point on Dec. 4 at a scheduled Senate Commerce Committee hearing examining the numerous legislative proposals to protect consumer data privacy.
Beyond the California Consumer Privacy Act (CCPA), which is already on the books and set to take effect in 2020, there’s the Online Privacy Act, which was recently floated in the House by California Democratic Reps. Anna Eshoo and Zoe Lofgren.
On top of that, each of the sponsors on COPRA – Markey, Klobuchar and Schatz – have bills of their own.
All of this activity underscores the crescendo toward a federal privacy law, despite some frustration that Congress isn’t getting its act together.
For the TL;DR crowd, here are the main tenets of the new bill, which Cantwell referred to in a statement as providing the equivalent of “Miranda rights” for data privacy and protection.
Covered data is defined fairly broadly as anything that is “linked or reasonably linkable to an individual or a consumer device, including derived data.” Sensitive data includes everything from biometric information and precise geolocation data to any information “revealing online activities over time and across third-party websites or online services” – aka, cross-site tracking.
Companies would be required to get affirmative express consent for sharing and processing any sensitive information, which sounds a heck of a lot like the opt-in requirement under the General Data Protection Regulation in Europe.
For non-sensitive covered data, consumers must have the opportunity to opt out of sharing, similar to CCPA.
Consumers would also have protected rights, including the right to access, the right to transparency, the right to control their data and the right to delete it. Under COPRA, they’d also have the right to data minimization and something the bill calls a “duty of loyalty,” which would prohibit companies from engaging in harmful data practices that result in financial, physical or reputational injury to an individual.
A new bureau under the Federal Trade Commission would be created to enforce COPRA.
Although it’s unlikely that a national privacy law will pass this year – or successfully wend its way through Congress before the 2020 presidential election is done and dusted – the bill “reflects the emerging outline of US federal privacy legislation,” said Omer Tene, VP and chief knowledge officer at the International Association of Privacy Professionals.
“While Senate Republicans will surely take issue with some of the provisions, including a broad definition of sensitive data, limited federal preemption and a private [right] of action,” he said, “much of the language in this bill will likely reflect broad consensus across the aisle, as well as in the business community.”