
Congress Proposes a Promising New Privacy Bill


Congress has struggled to figure out what elements to include in federal privacy legislation. A new online privacy bill seems to get the basics right.

The new Senate bill, dubbed the Consumer Online Privacy Rights Act (COPRA), is a very common-sense bill. Companies would be responsible for getting permission to collect and share sensitive data, including biometric information and locations. Companies must not collect more information than they really need. And, under the proposed bill, consumers would be able to ask companies for all the information that had been collected about them, and for the data to be deleted or corrected.

COPRA covers the basics of what consumers are looking for, such as stronger consent, the ability to inquire about the data being collected, and an audit process that shows how organizations treat data privacy, said Robert Cruz, senior director of information governance at Smarsh. It also provides "a common privacy floor" that eliminates some of the differences among state laws, such as the various definitions of what consent looks like, or how businesses have to describe how the data is being used. Technology companies have been pushing Congress for federal privacy legislation that would reconcile the state laws into a set of common rules.

COPRA's provisions are "good common denominators that can apply across states into one consistent privacy fabric," Cruz said.

However, technology companies may not find the consistency they are looking for because of COPRA's most intriguing element: the proposed bill would allow states to continue passing their own privacy laws to address any gaps they feel remain. State attorneys general would enforce federal law as well as their own state law.

This would "allow individual states to pursue more aggressive measures against companies whose business models are dependent on ad-driven revenue based upon how prevalent those firms are in those specific states," Cruz said.

Following the example from California's CCPA and the European Union's GDPR, COPRA would also give citizens a private right of action to bring their own lawsuits. Relief under the federal law would go into a consumer relief fund. Cruz acknowledged this provision would be "subject to intense lobbying pressures" from companies concerned that this would expose them to more lawsuits.

Sen. Maria Cantwell (D-Wash), the ranking member of the Senate Committee on Commerce, Science, and Transportation, introduced the bill along with Sens. Ed Markey (D-Mass), Amy Klobuchar (D-Minn), and Brian Schatz (D-Hawaii). Cantwell said the protections would act as the "Miranda rights" for digital consumers.

The bill would provide protections for digital consumers and establish a new bureau within the Federal Trade Commission to enforce digital privacy rights. The new bureau would allow the FTC to pursue stronger settlements with companies for violations. The bureau would need to be fully staffed and operational within two years of the bill becoming law. Creating the new bureau within the FTC's existing regulatory enforcement infrastructure would likely have more support than creating a new agency from scratch that could potentially conflict with the FTC, as has been suggested before.

COPRA also puts the responsibility of protecting consumer privacy squarely onto company executives. Beginning one year after the bill becomes law, CEOs of companies holding large amounts of data would have to certify to the FTC annually that they have “adequate internal controls” and reporting structures in place.

There have been a number of bills proposed in recent months, but there hasn't been a lot of traction in Congress. COPRA has one thing going for it those other bills didn't: Cantwell's position on the Senate Commerce Committee. The committee has oversight of the Federal Communications Commission, held hearings on cybersecurity and social media in the wake of Facebook's Cambridge Analytica scandal, and is otherwise heavily involved in technology-related issues.

A hearing for privacy legislation proposals is scheduled for December.