Sen. Maria Cantwell during a Senate Finance Committee hearing on Aug. 22, 2018. Al Drago | Bloomberg | Getty Images

Perhaps the third time's the charm: a group of Senate Democrats, following in the recent footsteps of their colleagues in both chambers, has introduced a bill that would impose sweeping reforms to the current disaster patchwork of US privacy law.

The bill (PDF), dubbed the Consumer Online Privacy Rights Act (COPRA), seeks to provide US consumers with a blanket set of privacy rights. The scope and goal of COPRA are in the same vein as Europe's General Data Protection Regulation (GDPR), which went into effect in May 2018.

Privacy rights "should be like your Miranda rights—clear as a bell as to what they are and what constitutes a violation," Sen. Maria Cantwell (D-Wash.), who introduced the bill, said in a statement. Senators Amy Klobuchar (D-Minn.), Ed Markey (D-Mass.), and Brian Schatz (D-Hawaii) also co-sponsored the bill.

The press release announcing the bill also includes statements of support from several consumer and privacy advocacy groups, such as Consumer Reports, the Electronic Privacy Information Center (EPIC), the Georgetown Law Center on Privacy & Technology, and the NAACP.

What's in the bill?

The proposals within COPRA fall basically into three main buckets: enumerated rights for consumers, data-handling requirements for businesses, and enforcement mechanisms.

As explained in a one-page summary of the bill (PDF), the rights consumers would gain from COPRA include:

  • The right to be free from deceptive and harmful data practices; financial, physical, and reputational injury; and acts that a reasonable person would find intrusive, among others
  • The right to access their data and greater transparency, which means consumers have detailed and clear information on how their data is used and shared
  • The right to control the movement of their data, which gives consumers the ability to prevent data from being distributed to unknown third parties
  • The right to delete or correct their data
  • The right to take their data to a competing product or service

On the company side, businesses would be required to demonstrate that they take "preventive and corrective actions" to protect consumer data from leaks, breaches, hacks, or other kinds of misappropriation. Highly sensitive data, such as biometric data and geolocation data, would also be subject to stronger standards for protection and use.

The bill would put responsibility for enforcement in the hands of the Federal Trade Commission, which would also be tasked with creating specific new rules detailing the processes covered entities would be required to follow.

COPRA also seems to take into account the challenges the EU and consumers have faced since the GDPR went into effect, as it specifically tasks the FTC with making sure those rules not only require "clear and conspicuous" notices to opt in or opt out of data collection and transfers but also "to minimize the number of opt-out designations of a similar type that a consumer must make" (such as an "accept cookies" warning on every single website one visits).

Good luck with that

Currently, privacy law at the federal level is a messy patchwork of laws that apply narrowly to certain kinds of data when held or collected by certain kinds of entities. On top of that, a small handful of states have or will soon have their own privacy statutes in place as well. The most likely of those to have a widespread impact is California's new privacy law, which goes into effect on January 1.

Meaningful enforcement is also a challenge to come by. The head of the FTC, which currently handles data privacy, has