On November 26, 2019, a comprehensive federal privacy bill was introduced that would grant individuals broad rights with respect to their data, impose new obligations on data processors, and expand the Federal Trade Commission’s enforcement authority with respect to privacy, as well as allowing for state attorney general enforcement and individual rights of action. The bill was sponsored by Senators Maria Cantwell (D-WA), Brian Schatz (D-HI), Amy Klobuchar (D-MN), and Ed Markey (D-MA).
Some key elements of the bill include:
- Broad definitions of covered data. Covered data is broadly defined, including all information “that identifies, or is linked or reasonably linkable to an individual or consumer device, including derived data”.
- Broad scope of covered entities. With certain exceptions, covered entities would include all of those that are subject to the FTC Act and those that process or transfer covered data.
- Preemption. The bill would preempt directly conflicting state laws, but not those that provide greater protections.
- Individual Privacy Rights. Much like the GDPR and CCPA, individuals would have rights of access, deletion, correction, and portability over covered data. The individual also has the right to object to the transfer of data to a third party.
- Consent and Data Minimization Obligations. The bill would impose a general duty not to engage in deceptive or harmful data practices. The entity must also engage generally in the privacy principle of data minimization, but not processing or transferring covered data “beyond what is reasonably necessary, proportionate, and limited.” Specifically, an entity must have “prior, affirmative express” consent of the individual to transfer or process “sensitive” covered data (e.g., sensitive images, geolocation information, and others information as defined).
- Reasonable Data Security and Other Obligations. An entity must implement “reasonable” data security practices, including vulnerability assessments, employee training, and secure data retention and disposal. The entity must also designate privacy and data security officers in charge of ensuring compliance. Entities transferring or processing data for a significant number of individuals must annually certify to the FTC that adequate internal controls exist.
- Civil Rights. The bill would prohibit the use of data based on certain classifications (e.g., gender and familial status). Entities engaged in algorithmic decision-making for certain purposes (e.g., credit eligibility) must conduct privacy impact assessments.
- FTC Authority. The bill directs the FTC to establish a new bureaus focused on privacy and data security, and grants the FTC along with state attorneys general (as well as individual rights of action, see below) the authority to enforce COPRA. The FTC and state attorneys general, would deposit recovered funds in the Data Privacy and Security Relief Fund, which would be used to compensate individuals. COPRA also directs the FTC to issue implementing regulations to refine definitions and establish a process for objecting to transfers of covered data.
- Private Rights of Action. COPRA provides a private right of action for individuals, with damages ranging from $100 – $1000 per violation per day. Arbitration agreements and class action waivers are invalid with respect to disputes arising under COPRA.
We will be tracking the progress of this bill as it evolves.