Perhaps the third time’s the charm: a group of Senate Democrats, following in the recent footsteps of their colleagues in both chambers, has introduced a bill that would impose sweeping reforms to the current disaster patchwork of US privacy law.
The bill (PDF), dubbed the Consumer Online Privacy Rights Act (COPRA), seeks to provide US consumers with a blanket set of privacy rights.
The scope and goal of COPRA are in the same vein as Europe’s General Data Protection Regulation (GDPR), which went into effect in May 2018.
Privacy rights “should be like your Miranda rights—clear as a bell as to what they are and what constitutes a violation,” Sen. Maria Cantwell (D-Wash.), who introduced the bill, said in a statement. Senators Amy Klobuchar (D-Minn.), Ed Markey (D-Mass.), and Brian Schatz (D-Hawaii) also co-sponsored the bill.
The press release announcing the bill also includes statements of support from several consumer and privacy advocacy groups, such as Consumer Reports, the Electronic Privacy Information Center (EPIC), the Georgetown Law Center on Privacy & Technology, and the NAACP.
What’s in the bill?
The proposals within COPRA fall into three main buckets: enumerated rights for consumers, data-handling requirements for businesses, and enforcement mechanisms.
As explained in a one-page summary of the bill (PDF), the rights consumers would gain from COPRA include:
On the company side, businesses would be required to demonstrate that they take “preventive and corrective actions” to protect consumer data from leaks, breaches, hacks, or other kinds of misappropriation. Highly sensitive data, such as biometric data and geolocation data, would also be subject to stronger standards for protection and use.
The bill would put responsibility for enforcement in the hands of the Federal Trade Commission, which would also be tasked with creating specific new rules detailing the processes covered entities would be required to follow.
COPRA also seems to take into account the challenges the EU and consumers have faced since the GDPR went into effect, as it specifically tasks the FTC with making sure those rules not only require “clear and conspicuous” notices to opt in or opt out of data collection and transfers but also “to minimize the number of opt-out designations of a similar type that a consumer must make” (such as an “accept cookies” warning on every single website one visits).