Federal Data Privacy Bill Takes Aim at Tech Giants

copra cantwell data privacy act

The COPRA legislation would provide GDPR-like data protections, and create a new FTC enforcement bureau.

A new digital privacy bill has been introduced to the the Senate, which would give the Federal Trade Commission (FTC) more teeth when it comes to providing oversight on tech companies’ use of consumer data.

Sen. Maria Cantwell (D-Wash.), ranking member on the Senate Commerce Committee, led the Democratic charge on the bill, dubbed the Consumer Online Privacy Rights Act (COPRA). It would provide U.S. citizens the same kinds of privacy rights that E.U. citizens have under the General Data Protection Regulation (GDPR).

Specifically, the bill would give data subjects the right to request which data companies are housing and ask for that data to be deleted or corrected. It would also require explicit consent for companies to collect and share sensitive data. Lastly, it would stipulate that companies must not collect more information than they reasonably need to carry out the specific services consumers have signed up for.

Further, CEOs of major data-collecting companies would have to annually certify to the FTC that they have “adequate internal controls” and reporting structures to comply with the law.

“In the growing online world, consumers deserve two things: privacy rights and a strong law to enforce them,” Cantwell said in a statement. “They should be like your Miranda rights — clear as a bell as to what they are and what constitutes a violation.”

Also, the bill provides for a new FTC bureau to be established to enforce these digital privacy rights with steeper fines. The commission recently levied privacy settlements on Facebook ($5 billion) and Google’s YouTube ($170 million), which detractors said were too low to promote better behavior. COPRA dictates that the enforcement bureau be fully staffed and operational within two years of the act becoming law.

COPRA also opens the door for private-citizen lawsuits against tech companies over data collection. Republican pushback on the litigation provision is expected to be on the docket at a December hearing.

“The legislation released today reflects where the Democrats want to go,” said Sen. Roger Wicker (R-Miss.), the chairman of the Commerce Committee, in a statement. “But any privacy bill will need bipartisan support to become law. I am committed to continuing to work with the ranking member and my colleagues on both sides of the aisle to get a bill that can get across the finish line. I expect that we will have a bill to discuss at next week’s hearing.”

Cantwell’s bill was also sponsored by Sens. Ed Markey (D-Mass.), Amy Klobuchar (D-Minn.) and Brian Schatz (D-Hawaii).

“Companies continue to profit off of the personal data they collect from Americans, but they leave consumers completely in the dark about how their personal information is being used. Consumers have a right to know if their personal data is being sold and to easily see what data has already been distributed,” said Klobuchar said in a statement.

This is not the only federal privacy bill circulating in the Senate. In October, Sen. Ron Wyden (D-Ore.) introduced the Mind Your Own Business Act, proposed by on Thursday, gives the Federal Trade Commission (FTC) the ability to slap fines of up to 4 percent of a company’s global turnover on companies that violate privacy statutes – the same provision used by the GDPR. In addition, senior executives who “knowingly lie to the FTC” could face up to 10- to 20-year criminal penalties under the act.

The passing of federal legislation – as opposed to state-level bills like the California Consumer Privacy Act (CCPA) set to go into effect in January – is important for U.S. consumers, according to Robert Cruz, senior director of information governance at Smarsh.

“[COPRA] looks like a good step to provide a common privacy floor that could eliminate some of the major differences between states,” he said via email. “In particular, the consent provisions for sharing data, the need to state the specific business purpose that data is collected for, and the annual inspection of data protection controls are all areas where we see firms looking for a common set of rules to reconcile the various state jurisdictions. What is also useful in this proposal is allowing states to enforce their own laws, which will allow individual states to pursue more aggressive measures against companies whose business models are dependent on ad-driven revenue based upon how prevalent those firms are in those specific states.”

Steve Durbin, managing director of the Information Security Forum, concurred.

“In much the same way as GDPR began a far-reaching debate over the rights of the individual, so too is this piece of legislation continuing a similar conversation across America,” he said via email. “What is clear is that privacy is becoming more of an issue in the United States and there is a very real need for a federal law to avoid states introducing their own variations and interpretations on privacy which adds a further compliance burden to already overstretched businesses looking to understand and comply with their obligations across the various regions in which they are transacting business.”

Is MFA enough to protect modern enterprises in the peak era of data breaches? How can you truly secure consumer accounts? Prevent account takeover? Find out: Catch our free, on-demand Threatpost webinar, “Trends in Fortune 1000 Breach Exposure” to hear advice from breach expert Chip Witt of SpyCloud. Click here to register.


Suggested articles