Consumer Online Privacy Rights Act Provides All U.S. Citizens With CCPA-Style Privacy Protections

U.S. Sen. Maria Cantwell (D-Washington) has introduced a federal law providing U.S. citizens with new rights regarding their personal information. The Consumer Online Privacy Rights Act (COPRA) suggests that the California Consumer Privacy Act (CCPA) lays out national-level protections to better defend consumer privacy and give people more control over the way their personal information is utilized.

CCPA is going to be enforced beginning January 1, 2020, but it will only apply to residents in California. Although laws covering privacy and data security exist in the majority of states, there’s no federal law that applies to all states. In case such legislation is presented, it will make all U.S. citizens’ rights really clear. All people in America would have similar rights concerning the use of their personal data, regardless of where they are living.

This legislation, which Sens. Amy Klobuchar (D-Minnesota.), Brian Schatz (D-Hawaii), and Ed Markey (D-Massachusetts) co-sponsored, isn’t the first of its kind introduced. A number of other legislations were introduced however they were unsuccessful in getting the necessary support.

This bill might obtain more support compared to others as it doesn’t put an unnecessary burden on small organizations, who are mostly exempt. COPRA will be applicable to entities covered by the Federal Trade Commission Act including businesses, nonprofits and some financial establishments, however, compliance with COPRA is not mandatory for companies with an annual income that is lower than $25 million. COPRA is likewise not applicable to entities that generate below 50% of their income from transmitting covered consumer information.

The legislation requires the acquisition of consent from U.S. citizens prior to collecting, processing, or using their personal information. Just like the EU’s General Data Protection Regulation (GDPR), it is necessary to get affirmative consent meaning that consent should be given with an affirmative act that verifies the permission to a particular act or practice. A person should be informed, in clear, accurate, and easy-to-comprehend language that permission is needed and what the person is agreeing to.

The law brings out a responsibility of loyalty, which forbids misleading data practices and detrimental data practices, including those that might result in damage to finances, reputation, or the body.

COPRA provides U.S. citizens with access rights to the personal information kept by a covered entity. Upon request, a copy of that personal information should be given, together with information on the entities that had access to the data and the reason for that access.

Covered entities must have an easy-to-understand privacy policy, that makes clear the way a person’s information will be utilized, to whom that information will be disclosed, the length of time the data will be stored, and the covered entity’s policies on data security and minimization. To make sure all consumers fully understand the way data will be utilized, COPRA requires privacy policies to be written in all languages understood by the entities to whom the product or services are offered. Consumers should also be informed about how they could exercise their rights as per COPRA.

COPRA furthermore provides a Right to Delete. Americans can ask for the deletion of all their personal information kept by a covered entity and cessation of all data processing and opt-out of sharing their data.

The Federal Trade Commission (FTC) will enforce COPRA. The recommended penalties for noncompliance vary from $100 to $1,000 per violation each day, including the attorneys’ fees and equitable relief. All financial penalties are going to be put in a fund that is going to be used for awareness efforts and for redress and payment for people impacted by privacy violations.