New Consumer Online Privacy Rights Act (COPRA) would empower American users

New Consumer Online Privacy Rights Act (COPRA) would empower American users

Despite the already dizzying number of comprehensive data privacy proposals before the US Senate—nearly 10 have been introduced since mid-2018—yet another bill has entered the conversation: the Consumer Online Privacy Rights Act.

This time, the bill, called COPRA for short, is sponsored by a Democratic Senator from Washington whose name has rarely been cited in the country’s ongoing debate as to how to best protect Americans’ data.

The biggest differentiator about this 2019 latecomer bill? It ticks almost every box on the data privacy wishlist.

Granting Americans the right to access data about them? This bill’s got it. The right to grab that data and move it to another company? Also included. What about the right to opt out of data sharing and selling? Yep. And the requirement that companies get explicit approval for the processing and sharing of sensitive data, including biometrics, precise geolocation, and emails? You bet.

But, perhaps most importantly, the bill would give everyday Americans the right to sue a company that violated their data privacy rights, extending enforcement capabilities directly to the public.

Introduced by Senator Maria Cantwell, the Consumer Online Privacy Rights Act has already been welcomed by data privacy advocates across the country.

“This is the most sophisticated federal proposal to emerge to date and demonstrates that Senate Democrats are committed to setting a high bar for consumer privacy,” said Jules Polonetsky, the CEO of the nonprofit Future of Privacy Forum. “The bill provides a strong starting point that will move bipartisan debate forward, with private rights of action, limits on preemption, and the definition of sensitive data, among other issues, likely to be points of ongoing negotiation.”  

Consumer Online Privacy Rights Act: in a nutshell

The Consumer Online Privacy Rights Act (COPRA) would improve the relationship that Americans currently have with the multitude of companies that collect, store, share, and sell their data across the Internet.

COPRA would accomplish this by extending new rights to consumers—like the right to access data collected about them and the right to delete that data—while also placing new restrictions on companies.

Under COPRA, companies would no longer be able collect “sensitive covered data” without first getting explicit approval from a user. Nor would companies be able to ignore the data privacy and security of their users’ data, as each company subject to COPRA would need to appoint a privacy officer and a data security officer, both of whom would be tasked with performing annual data risk assessments.

COPRA would also create a new bureau within the Federal Trade Commission to aid enforcement. Further, state Attorneys General could file civil claims on behalf of their states’ residents when they believe there has been a violation of the law.

Though some of these ideas have propped up in federal data privacy bills introduced this year, COPRA differs in two major ways.

First, it would not impact any state data privacy laws that improve the data privacy of that state’s residents.

In 2018 and 2019, dozens of individual state legislatures took it upon themselves to try to solve data privacy, with California passing the California Consumer Privacy Act last year and Maine passing a data privacy bill focused on Internet Service Providers this year, to name just two. Similar efforts have produced laws that will either bolster or study data privacy in Nevada, Vermont, Illinois, Louisiana, and North Dakota.

Under COPRA, these laws—and new, similar ones—would go untouched.

This preservation and respect of state laws goes directly against the wishes of many of the companies that COPRA would regulate. Earlier this year, the CEOs of 50 of the largest global companies informed Congress about what a federal data privacy bill should include. High on the list was the demand that any federal bill negate, or preempt current and future state data privacy bills.

This corporate demand is not the only one that COPRA contradicts.

COPRA would extend what is called a “private right of action” to consumers, granting them the ability to personally file a civil claim against a company to allege that the company violated their data privacy rights. The group of 50 CEOs also oppose this idea, asking that no private right of action be included in a federal data privacy law.

Until now, everyday US consumers have suffered limited options in enacting their own data privacy rights, instead having to rely on state Attorneys General to act on their behalf, or having to try and prove the near-unprovable when making claims about alleged data breaches.

This private right of action is, as Purism CEO Todd Weaver told Malwarebytes earlier this year, a key component in any meaningful data privacy bill.

“If you can’t sue or do anything to go after these companies that are committing these atrocities, where does that leave us?” Weaver said. 

Below is a more detailed look at COPRA’s rights and restrictions.

COPRA’s consumer rights

The Consumer Online Privacy Rights Act would create new definitions of the types of data that receive protection in the United States. “Covered data,” the bill describes, is any information that “identifies, or is linked or reasonably linkable to an individual or a consumer device, including derived data.” Not included in this definition, though, is de-identified data, employee data, and public records.

Further, COPRA would create new restrictions on what it calls “sensitive covered data.” The defined list is long, but not exhaustive, including passport numbers, Social Security numbers, information about physical and mental health, financial account usernames and passwords, biometrics, precise geolocation, communications content and metadata (which means not just the words that consumers send to one another, but the time they sent it, and to what user or phone number they sent it to), emails, phone numbers, and any information that reveals race, religion, sexual orientation and behavior, and union membership.

That’s not all. Also included in “sensitive covered data” are calendars and address books, photos and videos—plus any nude pictures—and online activity over time and across different third-party services.

Unfortunately, the list leaves much to be desired, said Adam Schwartz, senior staff attorney at Electronic Frontier Foundation, as it still fails to include “extraordinarily sensitive” information like immigration status, marital status, employment history, and political history.

“So COPRA’s list of sensitive data is under-inclusive,” Schwartz wrote. “In fact, any such list will be under-inclusive, as new technologies make it ever-easier to glean highly personal facts from apparently innocuous bits of data. Thus, all covered information should be free from processing and transfer, absent opt-in consent, and a few other tightly circumscribed exceptions.”

Still, with these definitions of data, COPRA offers new data privacy rights to consumers.

For “covered data,” consumers have the rights to access, delete, and correct inaccuracies, along with the right to data portability and the right to opt-out of having their covered data “transferred” to other companies. That last right means that consumers would have the right to tell companies that they do not want to have their covered data disclosed, released, shared, disseminated, sold, or licensed to other companies.

The right to access under COPRA would allow consumers to not only obtain a copy of what covered data a company has on them, but also a list of the third parties that their data has been shared with to that point. Further, companies would have to explain why they shared a user’s covered data with a third party.

This level of information equips consumers with a better understanding of just how far their data travels in today’s data-driven economy.

Similarly, COPRA’s “right to delete” would extend to third parties. If a user requests that a company delete data collected on them, that company would also be obligated to inform the third parties with which it had shared that user’s data about the deletion request.

For “sensitive covered data,” consumers could relax, knowing that companies would not be allowed to collect any of that type of data without a user’s explicit, opt-in approval.

COPRA’s requirements for companies

As explained above, the Consumer Online Privacy Rights Act has two primary levers for accomplishing change—extending new rights to users while placing new restrictions on companies.

COPRA’s scope—the definition of the businesses it applies to—is broad, hewing exactly in line with the current Federal Trade Commission Act. Any entity subject to that law would also be subject to COPRA, with the exception of what COPRA defines as “small businesses.”

These are, the bill explains, businesses that do not exceed $25 million in revenue; do not process the covered data of an average of 100,000 or more individuals, households, and devices; and do not derive 50 percent or more of their annual revenue from transferring individuals’ data.

What that means is that COPRA would absolutely apply to the most common names in Big Tech—Facebook, Google, Amazon, Apple, Microsoft, Twitter, Oracle, and far more.

Under COPRA, companies would need to, for starters, post an easily-accessible privacy policy, a requirement that already applies to companies doing business in California. The privacy policy would need to include, among other things, the contact information for the company’s privacy and data security officers, the categories of data the company collects and processes and the reasons why, whether the company transfers data to third parties, and if so, what categories of data it transfers with stated purposes for the transfers and the identity of each third party that receives data in those transfers.

Companies would also be subject to new duties—a “duty of loyalty,” a “duty to secure data,” and a “duty to build privacy protective systems.” Combined, the new duties would prohibit companies from engaging in deceptive or harmful data practices, along with requiring companies to name a privacy officer and a data security officer. The officers, the bill explains, would need to oversee the implementation of a comprehensive data privacy program while also performing annual data risk assessments.

Further, companies would need to commit to what is called “data minimization.” Under this rule, companies could not “process or transfer covered data beyond what is reasonably necessary, proportion, and limited.”

Unfortunately, COPRA would allow companies to engage in certain data processing practices that consumers may personally view as invasive, so long as the company clearly lays out these practices in its stated privacy policy. This is a small mis-step in the bill, according to privacy advocates, as even the most thoughtful, well-written privacy policies gain few, if any, full reads from the average consumer.

Companies should not be given the opportunity to engage in potentially invasive data processing practices so long as they bury those practices in concise language on page 100 of their privacy policies.

Separately, a few of COPRA’s rights offered to consumers actually impact companies first.

Take, for example, the consumers’ “right to data security,” which would require companies to “establish, implement, and maintain reasonable data security practices to protect the confidentiality, integrity, and accessibility of covered data.” The specific requirements of those actions include assessing vulnerabilities, disposing of data when required, training employees, and taking preventive actions to correct and mitigate vulnerabilities, which could include installing administrative, technical, and physical safeguards.

The bill’s requirement that companies post privacy policies is another example, as it falls under the consumers’ “right to transparency.”

Finally of interest, COPRA would create a new requirement for companies that have implemented algorithmic decision-making processes into their data processing systems. Such companies would need to perform an annual assessment if their tools are used to determine housing eligibility, education, employment, or credit, along with distributing ads for the same areas, and access to public accommodations. Annual assessments would need to study whether the algorithmic decision-making systems produce discriminatory results.

A contender for comprehensive change

Data privacy has undergone massive change in the past 10 years alone. For much longer than that, the US has lacked comprehensive data privacy protections for everyone, no matter which state they live in.

It’s time for that to change. With the Consumer Online Privacy Rights Act, the US Senate now has one of the firmest options to consider. COPRA would not only extend new data privacy rights to Americans, it would also give them the tools to defend them.

We look forward to the next year in hopes that Congress will finally, actually, enact a meaningful federal data privacy law.


David Ruiz

Pro-privacy, pro-security writer. Former journalist turned advocate turned cybersecurity defender. Still a little bit of each. Failing book club member.