On November 26, 2019, Senate Commerce Committee Ranking Member Maria Cantwell (WA), alongside Senators Brian Schatz (HI), Amy Klobuchar (MN) and Ed Markey (MA), unveiled a new comprehensive federal privacy bill entitled the Consumer Online Privacy Rights Act (“COPRA”).
The bill would create a new bureau within the Federal Trade Commission focusing on privacy and data security to enforce the law and promulgate new rules and regulations in the space. It also would provide enforcement authority for state attorneys general as well as a private right of action. It would preempt only state laws that “directly conflict with the provisions of the Act,” and specifically notes that state laws that afford a “greater level of protection to individuals” would not be considered in direct conflict.
Key elements of the COPRA include to:
- provide individuals with several new privacy rights, including the rights to access, delete and correct their data, as well as a right to data portability;
- prohibit deceptive and harmful data practices;
- exempt de-identified data, employee data and public records from the definition of “covered personal data;”
- exclude small businesses with annual revenue of less than $25 million from its requirements, as long as they process the data of fewer than 100,000 individuals, households or devices annually and do not derive at least 50% of their revenue from transferring covered data;
- allow individuals the ability to opt out of transfers of their data to third parties (which specifically excludes service providers);
- require organizations to obtain express, affirmative consent (with a few exceptions) for the collection and use of sensitive data, and the bill contains a broad definition of sensitive data. It would also direct the FTC to promulgate new regulations specifically related to the processing of biometric information;
- prohibit organizations from conditioning the provision of a product or service on an individual’s agreement to waive certain rights. Most notably, organizations could not condition the provision of a service to an individual on an agreement to waive the rights to opt out of transfers to third parties or to provide express affirmative consent for the processing of sensitive data unless the provision of the service requires the processing or transferring of that data and is strictly necessary to provide the service or product;
- require organizations to implement data minimization practices to avoid processing or transferring data beyond what is reasonably necessary;
- require organizations to implement reasonable data security practices;
- prohibit the use of certain types of personal data like race, ethnicity and gender from being used in ways that could result in discrimination for a housing, employment, credit or education opportunity (it contains a section on civil rights). It would also require an algorithmic decision-making impact assessment if an organization uses algorithms to make decisions on such issues;
- require companies to implement comprehensive privacy and security programs and conduct regular risk assessments. It would also ensure executive oversight on privacy and security practices.
- implement rules on transfers of data to third parties and service providers, ensuring privacy protections travel with the data and placing limits on the use of that data; and
- implement whistleblower protections, ensuring that organizations do not punish employees who come forward about possible violations of the law.
The Senate Commerce Committee will hold a hearing on Wednesday, December 4, 2019, to discuss this and other legislative proposals on consumer data privacy.