Expert Says Senate Democrats' Sweeping Online Privacy Bill Answers Public Demand for 'Transformative Shift'

Privacy advocates on Tuesday welcomed broad new legislation introduced by leading Senate Democrats that aims to codify digital privacy rights, outlaw harmful data practices, and create new enforcement and accountability measures to protect online consumers.

The Consumer Online Privacy Rights Act (COPRA) was introduced by Sen. Maria Cantwell (D-Wash.), the ranking member on the Senate Commerce, Science, and Transportation Committee. The bill (pdf) is co-sponsored by three Democrats on the committee: Sens. Brian Schatz (Hawaii), Ed Markey (Mass.), and Amy Klobuchar (D-Minn.).

"For years, Americans have been clamoring for privacy--not just for incremental improvement, but for a transformative shift that will finally restore some sense of control to 21st century consumers," Georgetown Law Center on Privacy & Technology executive director Laura Moy said in a statement.

COPRA, Moy added, "answers that call. It gives consumers meaningful rights and establishes robust enforcement mechanisms that will incentivize companies to comply. Just as important, this legislation directly addresses harmful uses of data, including discrimination."

The Lawyers' Committee for Civil Rights Under Law pointed out that "in today's online economy, we have seen how the misuse of personal data can exacerbate discrimination in housing, employment, credit, and education."

Free Press Action senior policy counsel Gaurav Laroia, which celebrated COPRA in a separate statement, said that "in the short history of the internet, we've seen countless examples of tech companies and online advertisers using data to restrict individuals and groups from accessing information or opportunities. Sen. Cantwell's legislation would effectively put a stop to such digital redlining."

Noting that "people across the political spectrum have demanded strong privacy protections," Laroia called on Democrats and Republicans in Congress to work together. He added that "we hope lawmakers will stand with their constituents and support legislation that imposes strong obligations to protect our personal information and give people the tools to fight companies that abuse user data."

According to a summary (pdf) from Cantwell's office, the privacy rights for individuals that would be established under COPRA include:

• The right to be free from deceptive and harmful data practices; financial, physical, and reputational injury; and acts that a reasonable person would find intrusive, among others.
• The right to access their data and greater transparency, which means consumers have detailed and clear information on how their data is used and shared.
• The right to control the movement of their data which gives consumers the ability to prevent data from beingdistributed to unknown third parties.
• The right to delete or correct their data.
• The right to take their data to a competing product or service.

When it comes to personal information that is often collected by technology companies, Cantwell told The Washington Post, "you have to start saying these aspects of your life belong to you, and you have the right to decide how they're used."

As the Post summarized, COPRA would:

• Introduce higher fines for companies that mishandle user data.
• Allow people to request to see what personal information companies are storing about them and block it from being sold.
• Create a new privacy-focused bureau under the Federal Trade Commission, which would have the authority to fine companies for first-time privacy offenses.
• Establish a "duty of loyalty," which would prohibit companies from using data in ways that could harm consumers.
• Demand that companies get special permission to collect certain types of sensitive data, such as biometrics like fingerprints or precise location information.
• Allow state attorneys general to bring privacy cases under federal law.
• Require companies to conduct assessments of whether their algorithms making decisions about sensitive issues like housing or credit produce discriminatory results.
• Establish a new data security fund at the Treasury, which would hold the privacy penalties that enforcers collect.
• Commission a National Institute of Standards and Technology report on forgeries, such as videos manipulated with artificial intelligence known as "deepfakes."

The FTC bureau is one of the ways in which COPRA differs from sweeping legislation introduced in the House earlier this month by a pair of California Democrats. As Common Dreams reported, the Online Privacy Act of 2019 (H.R. 4978) sponsored by Reps. Anna Eshoo and Zoe Lofgren would establish a new federal agency to deal with data protection.

The Electronic Privacy Information Center (EPIC) ranks Eshoo and Lofgren's proposal as #1 among all the privacy bills before Congress. EPIC gives Cantwell's legislation an A-.

"With the addition of a data protection agency, the bill would earn an A and establish a comprehensive approach for privacy protection for the U.S.," explained EPIC policy director Caitriona Fitzgerald, who still called COPRA "outstanding."

"The Consumer Online Privacy Rights Act gives consumers meaningful rights, holds companies accountable, and protects stronger state safeguards," Fitzgerald said.

The introduction of both the Online Privacy Act and COPRA came shortly before California's landmark digital privacy legislation, signed into law this past June, is set to take effect in January 2020.

The Post noted that "Cantwell's bill shares some similarities with California's rules, which her proposal, if passed, would leave intact--while allowing other states to pass privacy laws of their own."