The Consumer Online Privacy Rights Act (COPRA) is designed to regulate how organizations can collect, use, and share personal data.
Many believe that COPRA borrows many of its key concepts directly from the CCPA's text. However, there are a number of differences.
In this article, we'll go over some of COPRA's history, conduct a comparison of the bill and California's CCPA (CPRA), and discuss some essential preparations American organizations can make in the event COPRA becomes law.
- 1. A Little Background on the CCPA (CPRA)
- 2. Isn't COPRA Simply a National CCPA (CPRA)?
- 3. Does COPRA Supersede the CCPA (CPRA)?
- 4. Businesses Under COPRA
- 5. COPRA Goes Beyond the CCPA (CPRA)
- 6. Provisions of COPRA vs. the CCPA (CPRA)
- 6.1. Requirements Exclusive to COPRA
- 6.2. Enforcement of COPRA vs. the CCPA (CPRA)
- 7. The Future of the CCPA (CPRA) vs. COPRA
- 7.1. Preemption
- 7.2. Right of Private Action
A Little Background on the CCPA (CPRA)
The CCPA (CPRA) is designed to address the unrestrained collection, sale, and use of sensitive personal data. Since the Internet was established, businesses were mostly free to do all of the above as they saw fit, which led to data security failures that exposed user data and to abuses of privacy that angered consumers. The CCPA (CPRA) grants California residents groundbreaking rights to access, transfer, and delete their private data and to prevent its sale.
Before the CCPA (CPRA) came into effect, however, there were various attempts at legislation that incorporated privacy and data security (PDS) elements.
Some of these were:
- TCPA (Telephone Consumer Protection Act)
- RFPA (Right to Financial Privacy Act)
- HIPAA (Health Insurance Portability and Accountability Act)
- FCRA (Fair Credit Reporting Act)
- FACTA (Fair and Accurate Credit Transactions Act)
- COPPA (Children's Online Privacy Protection Act)
- CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing)
There were also some foundational rules that slowly came into being, which the bills named above were based upon.
These included rules such as:
- TSR (Telemarketing Sales Rule)
- Red Flags Rule
- Gramm-Leach-Bliley Privacy Rule and Safeguards Rule
- DNC (Do-Not-Call)
One of the first and oldest of all of these statutes was Section 5 of the FTC Act. It was the bedrock upon which the legitimacy of all the above laws was built, and the legal foundation for enforcement against bad actors.
One of the problems with all of these laws is the fact that in addition to the above, all 50 state governments have passed laws regarding privacy and data security. Their legal measures do not match one another in many instances and state legislatures are constantly amending them.
As great as all these laws may have been and as innovative (for America) as the CCPA (CPRA) happens to be, COPRA is set to be even more significant and far-reaching. Indeed, the law is being hailed as America's most comprehensive, national attempt at providing consumers with real privacy and data security.
Isn't COPRA Simply a National CCPA (CPRA)?
Some who have compared COPRA to the CCPA (CPRA) feel that it's merely a national version of California's privacy and data protection law.
However, it's not as simple as that.
Many of the rights central to COPRA do mirror those of the CCPA (CPRA). For instance, under COPRA, American consumers are granted rights to such things as transparency, to access their data, to delete information, and to opt out of data transfers, just as Californian residents enjoy under the rules of the CCPA (CPRA).
COPRA also adopts measures taken from an amendment to the CCPA (CPRA), called the California Privacy Rights and Enforcement Act of 2020 (CPREA). For example, language from the CPREA lends itself to Senator Cantwell's bill in granting consumers the right to have inaccuracies in their data fixed by the businesses that maintain that data.
More importantly, however, Senator Cantwell's legislation appropriates language that specifies a new category of "sensitive data."
American businesses will have to be exceedingly cautious if COPRA passes as the bill requires opt-in consent for transfers of "sensitive data." It's not just the transfers here that are worrisome to business owners, but the fact that the definition of "sensitive data" under COPRA expands quite a bit on what is found in the CPREA.
For example, COPRA's definition of sensitive data goes beyond the CCPA (CPRA) or the CPREA and includes the following:
- E-mail addresses
- Telephone numbers
- Social Security Numbers
- Passport numbers
- Driver's license numbers
- Mental and physical health information
- Financial information
- Geolocation information
- Race, ethnicity, national origin, and sexual orientation information
- Account login credentials
When it comes to the issue of consent, American law has restricted itself to particular uses of personal data. For instance, businesses have to obtain opt-in consent before sending text messages to consumers under the Telephone Consumer Protection Act (TCPA).
Another example is found in the language of the Children's Online Privacy Protection Act (COPPA), which demands that businesses must acquire parental consent before using any data related to their children.
Outside of specific opt-in requirements, COPRA provides businesses with alternative legal grounds to process personal data, provided the processing is "reasonably necessary, proportionate, and limited to such purpose."
Does COPRA Supersede the CCPA (CPRA)?
Any state law that directly conflicts with the measures outlined in COPRA, whether a rule, regulation, or standard, is overridden. On the other hand, if a state law provides consumers a higher level of protection than COPRA, then the state law takes precedence.
It can therefore be assumed that even if COPRA passes, some CCPA (CPRA) provisions not addressed by Senator Cantwell's law will remain in force.
Businesses Under COPRA
COPRA's language concerning covered businesses is equivalent in many respects to that of the CCPA (CPRA) as well.
The bill will apply to organizations making in excess of $25 million in revenue, that obtain 50% or more of their income from selling or sharing consumer data, or that process 100,000 or more consumer records every year.
The first two requirements mentioned above match those of the CCPA and CPREA while the third does not. (The CCPA (CPRA) applies to businesses processing 100,000 or more consumer records, thus potentially impacting far more businesses than COPRA overall.)
COPRA Goes Beyond the CCPA (CPRA)
COPRA exceeds the requirements of California's CCPA (CPRA) and the CPREA in many respects. For instance, COPRA prohibits "harmful" and "deceptive" information practices under what it calls a "duty of loyalty." It explicitly includes applicable definitions straight from the Federal Trade Commission Act.
Moreover, COPRA forbids practices deemed discriminatory regarding data transfers and processing. The legislation demands algorithmic decision-making impact assessments, establishes distinct protections for whistleblowers, and bestows the right to data minimization.
Furthermore, COPRA will enforce new requirements when it comes to data security. These will include data retention and disposal regulations, a minimum level of security training that companies will be required to adopt, and vulnerability assessments.
Provisions of COPRA vs. the CCPA (CPRA)
There are 11 rights provided to individuals in COPRA that are similar to rights already found within the CCPA (or Europe's GDPR). These are:
- A right to non-discrimination: Under COPRA, individuals have the right not to be subject to practices that are discriminatory in nature when it comes to the transferring or processing of personal information. This is not a right under the CCPA (CPRA).
- A right to data security: While the GDPR has a general requirement for data security, neither it nor the CCPA (CPRA) specifically outlines an individual's right to data security.
- A right to data minimization: This also is not a right under the CCPA (CPRA) or the GDPR. The latter does, however, have a "data minimization" principle that applies to processing and to data protection by design.
- A right to opt-out of transfers: This is similar to the right to opt out of data sales in the CCPA (CPRA).
- A right to data portability: There are similar rights provided by both the CCPA (CPRA) and GDPR.
- A right to correct inaccuracies: The GDPR has a similar provision in its "right to rectify."
- A right to delete: The CCPA (CPRA) also has a right to delete.
- A right to transparency: Both the CCPA (CPRA) and the GDPR have similar requirements in disclosing the identity of the business/controllers to data subjects/individuals.
- A right of access: Both the CCPA (CPRA) and GDPR have similar provisions.
- A duty of loyalty: Called a "duty of loyalty," this measure specifically demands that businesses avoid deceptive practices. This is based on the power of the Federal Trade Commission to enforce against deceptive and unfair trade practices.
Requirements Exclusive to COPRA
If COPRA should pass, there are new requirements not found in the CCPA (CPRA). These legal demands would raise the overall risk for organizations across America as well as their management.
These new requirements include:
- A yearly assessment of algorithmic decision-making to test for discrimination, bias, fairness, and accuracy
- The need for all covered entities to appoint data security and privacy officers
- CEOs, privacy officers, and CISOs of "large data holders" must submit evidence to the Federal Trade Commission every year that they are in compliance. Large data holders in this context include entities that process the "sensitive data" of more than 100,000 individuals or that process the data of more than 5 million people.
Enforcement of COPRA vs. the CCPA (CPRA)
As noted throughout this article, COPRA is a proposed federal law, while the CCPA (CPRA) is a California state law. Therefore the way these laws are enforced and who does the enforcing are not the same.
For example, the CCPA (CPRA) is enforced by the California Attorney General. COPRA, on the other hand, is enforceable by the Federal Trade Commission and state Attorneys General.
Additionally, COPRA is entirely privately actionable. Any violation whatsoever could find a business on the wrong end of a private lawsuit with statutory damages.
The CCPA (CPRA) also offers a "private right of action" in certain instances, such as the disclosure or theft of non-encrypted or non-redacted personal data. In other words, unlike COPRA, the CCPA (CPRA) is only privately actionable if there has been a data breach.
The Future of the CCPA (CPRA) vs. COPRA
While the CCPA went into effect on January 1, 2020 and became enforceable on July 1, 2020, with the CPRA amendments taking effect on January 1, 2023, COPRA's future is not so certain. Lawmakers within the United States government are duking it out over two highly controversial provisions.
Preemption
The measures in question relate to whether or not federal legislation ought to preempt state laws and if so, how enforcement would work.
A late 2020 article by Mila Jasper discussed how Senator Cantwell and her allies in the Democratic Party want states to be able to innovate and expand upon the standard COPRA would set, and they demand that COPRA include the right of private action across the board.
In contrast, Republicans in the U.S. Senate want legislation that is enforced by the FTC and that supersedes all state laws.
In September 2020, during a Senate hearing, Jon Leibowitz, a former FTC Chair and Commissioner, suggested that COPRA already goes well beyond the scope of California's CCPA.
During testimony at the hearing, Mr. Leibowitz went on to add that he would not support preemption if he felt a federal privacy law would be weaker than what states already possess.
"At the end of the day, you want the person who is driving from Biloxi to Seattle to have the same robust privacy protections wherever she or he goes."
Right of Private Action
According to Senator Cantwell, there won't ever be enough resources in the various states to police the many organizations which gather consumer data. The senator believes that's true even if state attorneys general and the FTC were given the power needed to enforce a national data privacy standard.
She said at the hearing:
"We will never be able to fully police the thousands and thousands of companies collecting consumer data if you are the only cop on the beat."
With Senator Cantwell's two provisions generating a lot of heat for COPRA, its future remains up in the air. Until or unless it passes, California's CCPA (CPRA) remains the most comprehensive PDS legislation in America.