In the United States, it’s now looking more and more likely that some form of comprehensive federal privacy legislation will become law sometime in 2020. After two Silicon Valley lawmakers introduced a draft bill in the House of Representatives, a group of top Democrats in the U.S. Senate has now introduced an even more comprehensive piece of legislation known as the Consumer Online Privacy Rights Act (COPRA). This digital privacy act would offer U.S. consumers the same types of data privacy protections as the European General Data Protection Regulation (GDPR), and would also create a fully staffed bureau directly within the Federal Trade Commission (FTC) to enforce those privacy rights.
Key provisions of the COPRA digital privacy act
First and most importantly, the new COPRA digital privacy act would limit data collection activities of companies and toughen enforcement of data privacy violations. Currently, the FTC has been limited in how it pursues and penalizes data privacy violations. While there have been some notable enforcement actions – such as a $5 billion penalty levied against Facebook this summer – critics continue to suggest that the FTC has not been doing enough to protect consumers and punish companies.
With that in mind, the new COPRA digital privacy act would label all violations of the law as “harmful and deceptive practices.” This would enable the FTC to get involved immediately. Moreover, the COPRA digital privacy act provides for a new bureau within the FTC to focus on these cases. According to COPRA, this FTC bureau would need to be fully staffed and operational within two years. COPRA also outlines how the FTC could work with state attorneys general in prosecuting cases involving consumer data and consumer online privacy.
For consumers, the COPRA digital privacy act enshrines privacy as a fundamental human right. Similar to the GDPR, it would limit all data collection activities of companies to those that are reasonably needed to conduct business. This would prevent companies from collecting comprehensive personal profiles of customers in order to trade and sell that personal information with third-party data brokers. Moreover, the COPRA digital privacy act outlines how customers can change, correct or delete personal information that companies collect about them. The COPRA digital privacy act actually goes one step further than the California Consumer Privacy Act (CCPA) in that it requires consumers to opt-in to data sharing. Under the CCPA, consumers have the right to opt out of data sharing, but the “default setting” is for companies to collect information and data about them.
There are also key provisions within the new COPRA digital privacy act that are intended to keep top executives accountable for the data privacy compliance at their companies. For example, CEOs would have to certify to the FTC on an annual basis that their companies are in compliance with the COPRA digital privacy act.
Controversial elements of the COPRA digital privacy act
While much of the COPRA digital privacy act has been modeled on both the European GDPR and the California Consumer Privacy Act (CCPA), there are at least two provisions that are almost certain to be controversial. For one, the new COPRA digital privacy act would still enable individual states to craft their own privacy legislation. For example, states could choose to follow the example of California and craft their own state privacy laws that would differ from the COPRA. This would potentially set up a scenario in which 50 different states have 50 different versions of the same law, and states are able to enforce their own state laws rather than the federal law. This is the “patchwork quilt” scenario that many legal scholars have warned about previously.
Ralph Martino, Vice President Product Strategy, STEALTHbits Technologies, comments on the need for unified federal legislation: “GDPR awakened the U.S. and states are now beginning to develop regulations and laws addressing online privacy and the collection of personal data. However, just as the EU learned that a single regulation would work to greatly simplify compliance for all EU member states, the U.S. would most likely stand to benefit from one national law vs. 50 similar, but nevertheless separate state regulations. A single source of understanding for what businesses need to achieve is much simpler, and thus, more likely to work. If we don’t want businesses to treat compliance as a checkbox exercise, then we need to make it as simple as possible. Why repeat past mistakes when this is precisely the reason GDPR came into existence?”
Moreover, an even more controversial provision of the COPRA digital privacy act gives citizens the private right of action to bring lawsuits against companies. This might open a real Pandora’s box, in the sense that citizens all across the U.S. would be able to sue companies like Facebook or Google. At some point, the legal risk to business models based on data could become so high that these companies simply are not able to continue as going concerns, due to all the legal liabilities that they have built up. An alternative to this private right of action would be the ability of state attorneys general to file class action lawsuits on behalf of an aggrieved class of citizens.
Reasons why COPRA might pass in 2020
For the two reasons noted above, some political pundits have suggested that the COPRA digital privacy act might have a hard time passing until 2021. Right now, for example, the digital privacy act still does not have a Republican sponsor, and might have a hard time gathering bipartisan support. Traditionally, Republicans have adopted a “pro-business” approach to legislation, and might be deterred by all of the anti-business, pro-consumer aspects of this digital privacy act. These politicians might want to see safe harbors created for tech companies.
However, there are at least two good reasons why COPRA might actually pass in 2020. One of these is the strong support that the COPRA digital privacy act has from four top Senate Democrats – Sen. Maria Cantwell (D-Washington), Sen. Ed Markey (D-Massachusetts), Sen. Amy Klobuchar (D-Minnesota) and Sen. Brian Schatz (D-Hawaii). Sen. Cantwell is the top Democrat on the powerful Senate Commerce Committee, Sen. Klobuchar is a 2020 presidential candidate, and Sen. Markey is one of the most outspoken supporters of robust, enforceable digital privacy rights.
The good news is that it looks like the formal enactment of the CCPA on January 1, 2020 is going to add momentum to efforts within the United States to formalize a sweeping federal law on privacy. Steve Durbin, managing director of the Information Security Forum, a London-based authority on cyber, information security and risk management, notes the following: “In much the same way as GDPR began a far-reaching debate over the rights of the individual, so too is this piece of legislation continuing a similar conversation across America. What is clear is that privacy is becoming more of an issue in the United States and there is a very real need for a federal law to avoid states introducing their own variations and interpretations on privacy which adds a further compliance burden to already overstretched businesses looking to understand and comply with their obligations across the various regions in which they are transacting business.”
Similar to the way that the GDPR in Europe galvanized a public debate about privacy, the new CCPA is almost certain to generate debate about why the United States still does not have a federal privacy law. And that might make it much easier to pass COPRA in 2020.