In the absence of a comprehensive federal data privacy and data security law, states continue to fill the gap. The California Consumer Privacy Act took effect on January 1, 2020, and several other states have similar laws under consideration. Nevertheless, in search of a federal solution, two data privacy laws, one from each side of the aisle, are spurring debate in the Senate. Senator Maria Cantwell (D-WA) and several of her Democratic colleagues have introduced the Consumer Online Privacy Rights Act (COPRA), while Senator Roger Wicker (R-MA) has unveiled the United States Consumer Data Privacy Act (CDPA). Both bills share many similarities, but the differences between them are significant as well.
What Entities Are Covered?
COPRA would apply to any entity that is subject to the Federal Trade Commission Act and processes or transfers covered data. CDPA would cover those entities as well, along with common carriers and non-profit organizations. Both bills have exceptions for small businesses, and both bills define a small business as one that over the preceding 3 years, on average, had annual gross revenues of $25,000,000 or less, processed the covered data of less than 100,000 individuals or devices, or derived less than 50 percent of its revenue from transferring covered data. While COPRA excludes these small businesses completely, CDPA excludes them only from the right to access, correction, deletion, and portability provisions along with data minimization requirements.
What Data Is Covered?
Both bills make a distinction between “covered data” and “sensitive covered data.” Both bills similarly define covered data generally as information that identifies or is linked or reasonably linkable to an individual or consumer device. The COPRA definition, however, also specifically includes “derived data,” which it defines as data that is derived from other information sources about an individual, household, or device. Both bills exclude deidentified data, employee data, and publicly available information from the definition of “covered data.” CDPA also excludes aggregated data from its definition of covered data.
Both bills define sensitive covered data to include health data, financial account data, access credentials, biometric information, information revealing race, ethnicity, national origin, religion, union membership, or sexual orientation, and the like. COPRA also includes photos or videos that show “the naked or undergarment-clad private area of an individual.” Moreover, while both bills include geolocation data in the definition of sensitive covered data, CDPA requires geolocation data to include a time element to be sensitive, where COPRA does not. In other words, under COPRA any covered data that shows an individual’s past or present location is sensitive data, where under CDPA that data is sensitive only if it shows an individual’s past or present location at a particular point in time.
Both bills prohibit covered entities from processing or transferring sensitive covered data without “prior, affirmative, express consent” and require covered entities to provide a clear means for an individual to withdraw that consent.
Transparency Requirements
Both bills provide a right to transparency and require covered entities to conspicuously disclose their information collection and processing practices. Both bills also require covered entities to get affirmative express consent from affected individuals before processing or transferring previously collected covered data if the entity makes a material change to its privacy practices. Both bills also include specific information that covered entities must include in their privacy policies.
Individual Rights
The two bills provide similar access, correction, transfer, and deletion rights to individuals with some noticeable differences.
COPRA provides individuals with a right to opt-out of transfers of their covered data. CDPA, on the other hand, provides individuals with a right to object to processing or transfer of their covered data, with certain exceptions.
COPRA provides individuals with a right to access information regarding processing and transfer of their covered data in a human-readable format that a reasonable individual can understand. CDPA gives individuals the right to access the covered data of that individual or an accurate representation of the covered data of that individual.
COPRA requires covered entities to “correct, or allow the affected individual to correct, inaccurate or incomplete information in the covered data of the individual that is processed by the covered entity” and to inform any service provider or third party to which the covered entity transferred the data of the correction. CDPA requires covered entities to provide individuals “with the right to request that the covered entity correct inaccuracies or incomplete information” and inform service providers or third parties of the correction.
As far as deletion rights go, COPRA affords individuals the right to request deletion of their covered data. CDPA allows individuals to request that a covered entity delete or deidentify their covered data.
Both COPRA and CDPA require covered entities to provide individuals’ covered data to them, upon request, in a structured, interoperable, and machine-readable format, without licensing restrictions, to the extent it is technically feasible.
Verifiable Requests
Both bills afford the above-mentioned individual rights only upon verifiable request from the individual. COPRA, however, requires a covered entity to request additional information from the individual if it cannot reasonably verify the request from the information provided by the individual. It also specifically requires covered entitles to “minimize the inconvenience to consumers relating to the verification or authentication of requests.”
CDPA, on the other hand, permits covered entities not to comply with a request to exercise individual rights if it “cannot verify that the individual making the request is the individual to whom the covered data that is subject to the request relates.” It does not obligate the covered entity to make any further inquiry or collect any further information in such a situation.
Prohibition On Denial Of Goods And Services
Both bills prohibit covered entities from denying goods or services to individuals who exercise their privacy rights.
Data Minimization
Both bills prohibit covered entities from collecting, processing, or transferring covered data beyond what is reasonably necessary, proportionate, and limited to carrying out the purpose for which the covered data was collected.
Data Security Requirements
Both bills require covered entities to establish, implement, and maintain appropriate data security measures. However, while COPRA requires covered entities to take these steps with respect to all covered data, CDPA requires them only for sensitive covered data. The specifics of what appropriate security measures must include also differ slightly between the two bills.
Both bills also state that entities subject to and in compliance with the data security provisions of the Gramm-Leach-Bliley Act (GLBA) or the Health Information Technology for Economic and Clinical Health (HITECH) Act will be deemed to be in compliance with the data security provisions of the bill. COPRA also extends this provision to entities subject to and in compliance with the applicable provisions of the Social Security Act and the Health Insurance Portability and Accountability Act (HIPAA).
Designation Of A Privacy Officer
Both bills require covered entities to designate privacy officers and data security officers who are responsible for implementing the organization’s data privacy program. Under COPRA, these officers must be employees of the organization, while under CDPA they can be either employees or contractors. Under both bills, these officers are responsible for approving annual privacy impact assessments/data security risk assessments for the organization.
Enforcement
CDPA leaves enforcement to the FTC and to State Attorneys General. COPRA entrusts enforcement to these agencies as well, and would create a new bureau within the FTC dedicated to COPRA enforcement. COPRA also includes a private right of action, providing for statutory damages of $100 to $1000 per violation per day or actual damages, whichever is greater, punitive damages, and attorneys’ fees. COPRA also specifies that any violation with regard to the covered data of an individual constitutes a concrete and particularized injury in fact to the individual for purposes of federal standing.
Victim Relief Fund
Both bills establish a victim relief fund that would be funded by any civil penalties collected in enforcement actions brought by the FTC or the Attorney General on the FTC’s behalf. These funds would then be used to compensate victims of the conduct for which the civil penalties were imposed. If those victims cannot be identified, funds could be used for educational or research purposes with respect to data privacy and data security issues and technologies.
Preemption Of State Law
Preemption of state law is perhaps the most notable difference between the two bills. COPRA would not preempt state law unless there was a direct conflict between state law and federal law. And importantly, the bill specifies that a state law should not be considered to be in direct conflict with the federal law where the state law provides a greater level of protection to individuals. COPRA would therefore set the floor for data privacy and data security while allowing states to provide additional rights and greater protections.
CDPA, on the other hand, would preempt state law “related to the data privacy or security and associated activities of covered entities.” CDPA would therefore set the ceiling for data privacy and data security. CDPA, however, would not preempt state laws that “directly establish requirements for the notification of consumers in the event of a data breach.”
There are several other similarities and difference between the two bills, some nuanced and some readily apparent. Nonetheless, these two proposed laws show that Democrats and Republicans are closer to agreement on data security issues than they are on many other issues. Yet the two biggest points of contention between COPRA and CDPA, namely the private right of action and the preemption of state law, are likely to be difficult differences to resolve.
