This morning, Senator Maria Cantwell released her long-awaited draft privacy bill in advance of a Senate Commerce Committee hearing on privacy on December 4. Senator Cantwell is the ranking minority member on the Commerce Committee; her bill is cosponsored by Senators Schatz, Klobuchar, and Markey (each of whom has their own privacy bill as well). The Commerce hearing will also consider Senator Blackburn’s BROWSER bill, and other privacy bills could well be released by Committee members before the hearing.
Senator Cantwell’s Consumer Online Privacy Rights Act (COPRA) is one of the most expansive and protective bills that we’ve seen, but at 59 pages it’s a lot to take in. Here is my summary of the major provisions:
- Despite “online” in the title, the bill is designed to be a baseline to cover all commercial data processing, at least to the extent it’s not covered by a law like HIPAA or GDPR. (Small businesses are exempt, though the threshold is pretty low.)
- The bill has a very broad definition of personal information, mirroring recent laws like Europe’s GDPR and California’s CCPA. Anything that is reasonably linkable to a person, device, or household is covered, including cookies, IP addresses, and other unique identifiers.
- Sensitive information is also defined very broadly, to include a lot of stuff you might expect (financial account numbers, health information, biometrics), but also a lot of other information which is aggressively traded today (cross-site and cross-app behavior, geolocation, and identifiers like email addresses and phone numbers).
- The bill requires affirmative consent for all processing and sharing of sensitive information. Because sensitive information is defined so broadly, that by and large makes this an opt-in bill for the sharing of personal data. Most online data sharing and ad tracking, for example, would likely be covered. That could lead to constant pop-up consent screens on websites like we’ve seen in Europe in response to GDPR (or really, the e-Privacy Directive). However, the bill sets conditions for affirmative consent that many of today’s cookie consent screens would not meet. (Deterring companies from bombarding consumers with requests to engage in additional data sharing (often using dark patterns) is one of the trickier parts of privacy legislation.)
- The bill does not explicitly stop companies from discriminating or charging higher prices to consumers who don’t agree to additional data sharing. (CCPA has a famously confusing rule around non-discrimination; we’ve argued that differential treatment for exercising privacy rights should be broadly prohibited). The bill does say that companies cannot “condition the provision of service” entirely on users who exercise certain privacy rights (including deleting data and limiting data sharing) unless the data is “strictly necessary” to provide service. It makes sense that a company doesn’t need to provide a service if it needs certain data to work, though a company could interpret this provision aggressively to say that sharing data to monetize it might be “strictly necessary.”
- The bill does have some other potential workarounds for data sharing. (The ad industry is apparently taking advantage of ambiguities in CCPA to argue that online data sharing isn’t subject to opt-out requests, so it’s worth looking for loopholes here too.) The bill includes various exceptions to allow for data sharing for security and fraud prevention, and potentially expansive rationales such as “performing accounting functions.” The bill also allows for sharing with service providers, which makes sense in some contexts, but companies aren’t clearly required to keep data from separate clients siloed, and the law could be interpreted to allow for cross-site ad targeting without permission (or even an opportunity to opt out). But when multiple companies share online data with one service provider, suddenly that data becomes “sensitive” under the terms of the bill (as it’s now data about multiple sites or apps), so perhaps opt-in obligations still attach in this scenario. (Update: There’s also confusing language in § 203(b)(3) that could be interpreted very broadly to allow for a ton of data tracking without any permission; however, this is an early draft, so I don’t want to get too preoccupied with line-by-line analysis.)
- For non-sensitive personal information, the bill lets consumers opt out of sharing their data. It also directs the Federal Trade Commission to set up a global opt-out system, though because so much sharing is going to be covered by the opt-in rule, I’m not sure what sharing will be subject to this system (it won’t be “Do Not Track” for example, since cross-site data collection is deemed to be sensitive). Perhaps offline marketing based on non-sensitive identifiers like name and address?
- The bill also includes the other types of protections you’d expect: reasonable security, more detailed disclosures in privacy policies, the right to access and correct personal data, and the right to port some (though not all) personal data to another competing service.
- The bill also creates a new duty of loyalty consistent with increased calls for fiduciary-like obligations on companies that hold consumer data. It would prohibit companies from engaging in “harmful” data practices, meaning behaviors likely to cause “substantial injury” or “offensive intrusion” on seclusion. This duty is similar to existing tort law, but has the potential to be interpreted quite expansively by regulators and the courts.
- There are also a number of provisions designed to improve corporate decision-making around data, including: executive certification of internal controls (though no prison time for violations), mandatory assessments of algorithmic fairness, whistleblower protections, and a reasonable responsibility to vet and supervise third parties and service providers with whom data is shared.
- The bill has very strong enforcement provisions: it instructs the FTC to create a new Bureau of Privacy with substantially increased staff and the ability to exact penalties for violations and issue (some) clarifying regulations — powers they don’t have today. It also allows state attorney general enforcement subject to intervention from the rejuvenated FTC. Interestingly (and most controversially for companies), the bill also contains a private right of action, with liquidated damages of up to $1000 per violation per day.
- The bill’s preemption provisions are also very weak: it only preempts state laws to the extent they are inconsistent with COPRA, and explicitly states that greater protections are allowed.
By and large, this is a quite aggressive bill, which is encouraging to see. It goes well beyond what CCPA requires today (and even what CCPA would require if the new ballot initiative is passed by California voters next November).
Let me know if I missed or misinterpreted something — I will try to update this summary to repair glaring omissions.
More broadly, I’m hoping to use the Consumer Reports Digital Lab site to do more short-form policy writing; this is the first effort, but hopefully there’s more to come.