A new comprehensive federal privacy bill, the Consumer Online Privacy Rights Act (COPRA), has been introduced by Senate Commerce Committee Ranking Member Maria Cantwell (D-Wash.) and Senators Ed Markey (D-Mass.) Brian Schatz (D-Hawaii) and Amy Klobuchar (D-Minn.).
Key novel provisions per International Association of Privacy Professionals (IAPP) Research Director Caitlin Fennessy:
- individual consent for data processing, including express affirmative consent for processing sensitive data
- “duty of loyalty,” prohibiting covered entities from engaging in deceptive or harmful practices
- right to correct and delete covered data
- include retention timelines, and the identity of each third party to which covered data is transferred in privacy notices
- entities may only process covered data for specific purposes, subject to necessity and proportionality standards
- annual impact assessment for accuracy, fairness, bias and discrimination for some algorithmic decision making
- mandatory appointment of qualified privacy and security officers
- enforcement authority for Federal Trade Commission and state attorneys general, as well as private citizens
- preempt state laws that directly conflict with COPRA but not state laws that create separate and more onerous requirements
Read about competing federal privacy legislation in Bloomberg Law.