Will The New Year and COPRA Bring Privacy Rights to All Consumers?

By Antonia Dumas, Consultant at XPAN Law Group LLC  

As we look ahead to 2020, many are preparing for changes in the privacy and security legal landscape here in the United States. As cybersecurity breaches and unauthorized disclosures of data to third parties have been on the rise, so has the concern for providing a stronger privacy and security framework.  

The federal government and the Federal Trade Commission (“FTC”) have emphasized the importance of protecting consumers and holding companies accountable for their bad practices. In particular, the FTC has made consumer privacy a priority concern. The FTC uses various mechanisms to protect consumer data, including law enforcement, policy initiatives and general education (of consumers and businesses). But the FTC’s authority is limited as long as there is no federal law to turn to that identifies consumer rights and the consequences of violating those rights. 

So, the federal government has proposed a law, the Consumer Online Privacy Rights Act (COPRA), to protect all consumers and provide the FTC with stronger enforcement authority. 

What Is the Purpose of COPRA? 

On November 16, 2019, the U.S. Senate Committee on Commerce, Science and Transportation, led by Senator Maria Cantwell of Washington State, proposed COPRA. In her press release, Senator Cantwell stated that they had unveiled a “comprehensive federal online privacy legislation to establish privacy rights, outlaw harmful and deceptive practices, and improve data security safeguards for the record number of American consumers who now shop or conduct business online.”  The press release noted that consumers want strong action to protect their online privacy and data security, based on new numbers provided in Deloitte’s 2019 Holiday Survey of Consumers. The Deloitte Survey identified that this is the largest online holiday shopping season ever, with people expected to spend about 60% of their budget online, and that online remains the leading shopping destination overall. Further, the majority of respondents said they feel they have little control over their data, and a large majority said they would be more comfortable if they had the right to view or edit the data collected on them. 

In Senator Cantwell’s interview with NPR, she discussed how, in a digital age, consumers should have the right to control their data and the right to sue if companies breach their data or disclose information to third parties without permission. She noted that they wanted to shift away from the way the law currently works, where there is no bright line. Today, the FTC investigates harmful practices, issues warnings, and then imposes penalties for failing to disclose to consumers. The proposed law, by contrast, would provide penalties and a bright line, i.e., a strong federal framework that gives consumers rights and the ability to take action against companies for violating those rights. 

What Does COPRA Provide? 

Senator Cantwell provided a one-page summary of the law that identifies the three major items provided under the law: (1) privacy rights to consumers, (2) data security, and (3) enforcement mechanisms. We delve into each of these areas below. 

Foundational Privacy Rights To Empower Consumers 

Since the law is intended to provide consumers with real protection, it establishes a duty of loyalty to consumers, prohibiting deceptive or harmful data practices and the processing or transferring of data in violation of the act. Sec. 101. This gives consumers a right to be free from deceptive and harmful data practices, from injury (financial, physical, and reputational), and from acts that a reasonable person would find intrusive. 

Like the General Data Protection Regulation (GDPR) in Europe (see XPAN’s recaps of the GDPR and its impact six months and a year after), and state privacy laws like the California Consumer Privacy Act (CCPA), the proposed federal law would provide some specific data privacy rights including: 

  • Right to Access and Transparency: The right to access their data and to be provided greater transparency regarding how their data is used and shared. Sec. 102. It also includes a right to consent to material changes to privacy notices or practices. Sec. 102(d). 
  • Right to Delete: The right to have information that is being processed deleted, or to delete it themselves. Sec. 103. 
  • Right to Correct: The right to request that inaccurate or incomplete information be corrected. Sec. 104.  
  • Right to Controls: The right to control the movement of data to third parties, including a right to opt out of transfers. Sec. 105.

Data Security and Protecting Sensitive Data 

In addition to the privacy rights above, the proposed law gives consumers rights that impose specific data security and data protection obligations: a right to data minimization and a right to data security. The law creates data minimization standards that limit data processing to what is “reasonably necessary, proportionate, and limited” to specific purpose requirements. Sec. 106. 

The law creates a strong data security right that requires companies to regularly assess vulnerabilities (e.g., systems, human vulnerabilities, access rights, and use of service providers), take preventive and corrective actions to mitigate such risks, maintain a process for data retention and disposal, and provide training to employees. Sec. 107(b). It also creates heightened data protection and privacy standards for collecting and sharing sensitive data such as biometric data and geolocation data (past or present). Sec. 2(3) and (20). In particular, there will be regulations that will identify privacy protective requirements for the processing of biometric information including strict data processing limitations, strict data transfer limitations and strict transparency obligations. Sec. 110(d)(2). 

Real Enforcement and Accountability Measures 

The law provides a private right of action, enhances the FTC’s authority, gives states authority to enforce the law, creates accountability requirements (see below) and protects whistleblowers from being punished for bringing privacy violations to light. Title II and Title III. Further, the law provides consumers with relief, including penalties and punitive damages. Sec. 301(c)(2).

What Does COPRA Require of Businesses? 

Not only does the law require that the above privacy rights be protected and security standards be met, but it also requires that businesses take proactive measures to protect the data privacy and security of consumer data. The law establishes oversight requirements and assigns responsibility to executives, privacy and data security officers, as well as service providers and third parties. Sec. 201 to 203. 

It imposes responsibility on executives to provide annual certification of the effectiveness of “internal controls and reporting structures that is conducted by the certifying officers”. Sec. 201(a). (A requirement that mirrors the NY DFS annual certification for cybersecurity practices.)  It also requires businesses to designate privacy and data security officers who will ensure that a comprehensive written data privacy and data security program is implemented to safeguard consumer data, and who will conduct annual privacy and data security assessments and data hygiene and quality control practices. Sec. 202. Further, it prohibits service providers and third parties from processing data for purposes other than those for which it was received, and prohibits service providers from transferring it to a third party without “affirmative express consent.” Sec. 203(a). 

Even third parties have requirements under the law for their processing of data received from others. They are prohibited from processing data for a purpose that is “inconsistent with the expectations of a reasonable individual.” Sec. 203(b). 

How Does COPRA Fit In The Current Legal Framework? 

The new federal law will not necessarily make data security and privacy as clear cut as many would hope. The law will not replace certain federal laws, state laws and common law decisions that establish their own requirements. For example, the law will not preempt federal privacy laws such as the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), state consumer and privacy laws that protect employees and students, or state breach notification laws. Sec. 302. Requirements under common law and civil relief will also remain (e.g., cases like Dittman in Pennsylvania, which established a duty of care to secure employee data).

However, the new federal law would help provide a clearer point of reference for data privacy and security requirements for businesses in the US, clarity that is badly needed in a matrix of privacy and security laws that continue to evolve and change.

What does this mean for you? Businesses should keep an eye on the proposed federal law in 2020 and ensure they are establishing privacy and security programs that will incorporate the law’s requirements. It is only a matter of time before a law like this is enacted or every state establishes its own data privacy law, so it is better to be prepared for anything the future may hold. Better for your business and better for all!  

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.