While there are dozens of proposals in Congress, for the first time we’re seeing a privacy bill that is getting some momentum. In late November 2019, Senator Cantwell (D-WA), Ranking Member of the Senate Commerce Committee, introduced the Consumer Online Privacy Rights Act (COPRA). The bill is co-sponsored by Senators Brian Schatz (D-HI), Amy Klobuchar (D-MN), and Ed Markey (D-MA). Three days later, Committee Chairman Senator Wicker (R-MS), not to be outdone, released his own proposal, the Consumer Data Privacy Act (CDPA). Will the new year bring about a long-overdue US federal privacy law?
The proposals share some similarities. Both bills expand consumer digital rights along the lines of the European General Data Protection Regulation (GDPR), such as the rights to data access, correction, deletion, and portability. Both bills reinforce standard Fair Information Practices (FIPs) like data minimization, transparency, and security. Both bills also offer whistleblower protection, victim relief funds, and enforcement through state attorneys general. That is where the similarities end. They diverge on three points. First, COPRA includes a private right of action so that consumers can sue companies that violate the law; the CDPA does not offer that right. Second, COPRA would not preempt state law and would thus fail to standardize privacy protections across the country. At the same time, it would protect stronger future state laws (think California), especially if COPRA gets watered down in bipartisan negotiations. The CDPA requires preemption. Finally, COPRA offers real improvements in the area of enforcement, giving the Federal Trade Commission (FTC) enhanced enforcement and accountability authority for the law while creating a new bureau within the FTC dedicated to digital privacy. The CDPA, on the other hand, unsurprisingly locates enforcement in its “miscellaneous” section, preferring the mechanism of “corporate accountability”: it designates a company privacy and data security officer and allows the FTC to approve self-regulatory standards of conduct, effectively turning the FTC into a rubber stamp for anything-goes business practices.
While it is evident that Cantwell’s bill provides stronger privacy protections, and it is endorsed by many privacy advocates and scholars like the University of Washington’s Ryan Calo, the bill could go further. For example, while the Electronic Privacy Information Center (EPIC) gives it an A-, it says the bill lacks a provision for establishing a true Data Protection Agency (à la the European DPAs set out in the GDPR). At the December 4, 2019 public hearing, the Senate Commerce Committee heard from panelists, including two former FTC commissioners, Julie Brill and Maureen Ohlhausen, who argued for more FTC staff and resources respectively. EPIC claims that this would be insufficient, as the FTC has repeatedly abdicated its responsibility to protect consumers by not leveraging its existing authorities (e.g. appointing a Chief Technologist) or responding to thousands of consumer complaints against companies like Facebook. (Instead, EPIC endorses H.R. 4978, currently the only bill that provides for a new and independent DPA, which has close to no chance of passing.) In addition, COPRA excludes employee data, thus leaving employees unprotected from unfair employment data practices. COPRA also doesn’t address, as EPIC notes, “take it or leave it” privacy terms or government data collection and processing.
COPRA compares favorably with the current global standard, the GDPR. It identifies personal data broadly and sets a high bar for “de-identification” (anonymization, in GDPR terms). It also defines data processing broadly as “any collection, analysis, organization, structuring, retaining, using, or otherwise handling covered data”, as does the GDPR, and therefore defines “covered entity” broadly as well, as any entity that processes personal data. COPRA also includes similar responsibilities for “service providers” (data processors in the GDPR), although without getting into the GDPR quagmire of controllers, processors, and joint/independent controllers. Like the GDPR, it also gives a strong definition of “affirmative express consent”. Finally, more similar to the CCPA than to the GDPR, the bill provides exclusions for small businesses, defined as those annually making less than $25 million in revenue, processing the data of fewer than 100,000 consumers (the CCPA threshold is 50,000), and getting 50% or more of their revenue from selling data. Unlike the GDPR, COPRA has some interesting provisions around civil rights and anti-discrimination, in particular as they relate to algorithmic decision-making.
While COPRA would be a huge step forward for American privacy, the chances of it passing, at least in its current form, are low, given that any bill would have to be bipartisan, and historically the Republican Party has tended to favor business-friendly solutions while the Democratic Party leans toward stronger consumer protections. But at least we’re starting to have a serious conversation.