New rash of privacy bills working its way through the Senate

The floodgates have opened for consumer privacy bills in Congress, with the latest legislation from four Democratic senators creating a broad set of new privacy rights.

The Consumer Online Privacy Rights Act, or COPRA, introduced in late November, won praise from several privacy advocates. The bill gives U.S. consumers the right to be free from deceptive and harmful data practices, financial and reputational injury, and data handling actions that a reasonable person would find intrusive.

The bill also requires companies handling personal data to give consumers detailed information about how their data is used and shared. It gives consumers the right to control the movement of the data, including the power to prevent companies from sharing it with third parties, and it gives them the right to delete or correct their personal data held by a company.

“In the growing online world, consumers deserve two things: privacy rights and a strong law to enforce them,” Sen. Maria Cantwell, a Washington Democrat and lead sponsor of COPRA, said in a statement. “They should be like your Miranda rights — clear as a bell as to what they are and what constitutes a violation.”

COPRA requires companies collecting personal data to assess security vulnerabilities and take corrective action regularly. It also prohibits companies from sharing sensitive personal information such as Social Security numbers, credit card numbers, or health diagnoses without permission from the consumers involved.

COPRA follows two other consumer privacy bills introduced by Democratic lawmakers in recent weeks. In early November, Democratic Reps. Anna Eshoo and Zoe Lofgren, both of the Silicon Valley area, introduced the Online Privacy Act, which would create a new “Digital Privacy Agency.” And in mid-October, Oregon Democratic Sen. Ron Wyden introduced the Mind Your Own Business Act, which would allow for huge fines, and in some cases, prison terms for privacy violations.

Earlier in the year, lawmakers introduced more than a dozen privacy-related bills. Several privacy advocates applauded the legislation.

COPRA is a “thorough and powerful consumer-focused bill that includes foundational consumer rights to access and control of data, strong data security protections, and effective enforcement and accountability mechanisms,” said Gigi Sohn, a distinguished fellow at the Georgetown Institute for Technology Law and Policy and a Benton senior fellow and public advocate. “The American people have gone without comprehensive privacy protections for far too long, and the economic, social, and personal harms have been many and real.”

Sohn noted that COPRA does not preempt stronger state privacy laws, even though some business groups and congressional Republicans have been pushing for preemption. COPRA “recognizes that states must be empowered to continue the conversation and enact stronger protections as necessary,” she said.

The bill also allows internet users to sue companies for privacy violations, another controversial topic in the privacy debate in Congress. The lawsuits create “the potential of very costly consequences for those wrongly exploiting our data,” said Gaurav Laroia, senior policy counsel at Free Press Action, a digital rights group. “Companies need to know they will face stiff penalties for violating people’s rights.”

Not everyone’s a fan, however. COPRA fails to strike the right balance between consumer privacy and commercial innovation, said Daniel Castro, vice president at the Information Technology and Innovation Foundation, a science and technology policy think tank.

The bill would “severely restrict” legitimate uses of consumer data, resulting in fewer opportunities for companies to collect, use, and share data in innovative ways, he added. The bill, for example, “would require companies to minimize the data they collect, which would reduce opportunities for businesses to extract new value from existing data and develop new products and services,” Castro said.

The bill also exempts small businesses from many of its “unreasonable” requirements in an attempt to shield them from the “excessive regulatory burden” it imposes, he added. “However, excluding small businesses makes little sense if the focus is on consumer privacy, in part because small businesses often have worse security than large companies.”
