How the CCPA is Similar to COPRA

Last updated on 09 May 2022 by William Blesch (Legal and data protection research writer at TermsFeed)

In November 2019, Senator Maria Cantwell (D-WA) unveiled a new federal online privacy bill. The legislation, known as the Consumer Online Privacy Rights Act (COPRA), is designed to regulate how organizations collect, use, and share personal data.

COPRA would bring many of the same sorts of data protection to consumers across the United States that Californians are already becoming familiar with through the California Consumer Privacy Act (CCPA), and that Europeans are accustomed to through the EU's General Data Protection Regulation (GDPR).

Many observers believe that COPRA borrows several of its key concepts directly from the text of the CCPA.

However, there are a number of differences.

In this article, we'll go over some of COPRA's history, conduct a comparison of the bill and California's CCPA, and discuss some essential preparations American organizations can make in the event COPRA becomes law.

For much of 2020, with no federal legislation in place, most media coverage treated the CCPA as the most serious privacy and data security (PDS) regime in the United States.

The CCPA is designed to rein in the unrestrained collection, sale, and use of sensitive personal data. Since the Internet was established, businesses had mostly been free to do all of these things as they saw fit, which led to data security failures that exposed user data and to privacy abuses that angered consumers.

The CCPA grants California residents groundbreaking rights to access, transfer, and delete their personal data, and to prevent its sale.

Before the CCPA came into effect, however, there were various attempts at legislation that incorporated PDS elements.

Some of these were:

  • TCPA (Telephone Consumer Protection Act)
  • RFPA (Right to Financial Privacy Act)
  • HIPAA (Health Insurance Portability and Accountability Act)
  • FCRA (Fair Credit Reporting Act)
  • FACTA (Fair and Accurate Credit Transactions Act)
  • COPPA (Children's Online Privacy Protection Act)
  • CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing)

There were also a number of rules, issued by regulators under statutes such as these, that slowly came into being.

These included rules such as:

  • TSR (Telemarketing Sales Rule)
  • Red Flags Rule
  • Gramm-Leach-Bliley Privacy Rule and Safeguards Rule
  • DNC (Do-Not-Call)

The first and oldest of all of these authorities is Section 5 of the FTC Act. It is the bedrock on which the legitimacy of all the laws above was built, and the legal foundation for enforcement against bad actors.

One problem with this patchwork is that, in addition to the federal laws above, all 50 states have passed their own privacy and data security laws. These state measures frequently do not match one another, and state legislatures are constantly amending them.

As useful as these laws may have been, and as innovative (for America) as the CCPA is, COPRA would be even more significant and far-reaching. Indeed, the bill has been hailed as America's most comprehensive national attempt at providing consumers with real privacy and data security.

Isn't COPRA Simply a National CCPA?

Some who have compared COPRA to the CCPA feel that it's merely a national version of California's privacy and data protection law.

However, it's not as simple as that.

Many of the rights central to COPRA do mirror those of the CCPA. For instance, under COPRA, American consumers are granted rights to such things as transparency, to access their data, to delete information, and to opt out of data transfers, just as Californian residents enjoy under the rules of the CCPA.

COPRA also adopts measures taken from a proposed amendment to the CCPA, the California Privacy Rights and Enforcement Act of 2020 (CPREA). For example, Senator Cantwell's bill borrows language from the CPREA in granting consumers the right to have inaccuracies in their data corrected by the businesses that maintain that data.

More importantly, however, Senator Cantwell's legislation appropriates language that specifies a new category of "sensitive data."

American businesses will have to be exceedingly careful if COPRA passes, because the bill requires opt-in consent for transfers of "sensitive data." It is not just the transfer requirement that worries business owners, but the fact that COPRA's definition of "sensitive data" expands considerably on what is found in the CPREA.
</gre_replace>
<gr_replace lines="98" cat="clarify" orig="When it comes to">
When it comes to consent, American law has so far restricted itself to particular uses of personal data. For instance, under the Telephone Consumer Protection Act (TCPA), businesses must obtain opt-in consent before sending marketing text messages to consumers.

For example, COPRA's definition of sensitive data goes beyond the CCPA or the CPREA and includes the following:

  • E-mail addresses
  • Telephone numbers
  • Social Security Numbers
  • Passport numbers
  • Driver's license numbers
  • Mental and physical health information
  • Financial information
  • Geolocation information
  • Race, ethnicity, national origin, and sexual orientation information
  • Account login credentials

When it comes to the issue of consent, American law has restricted itself to particular uses of personal data. For instance, businesses have to obtain opt-in consent before sending text messages to consumers under the Telephone Consumer Privacy Act (TCPA).

Another example is found in the Children's Online Privacy Protection Act (COPPA), which requires businesses to obtain verifiable parental consent before collecting personal information from children under 13.

Outside of these specific opt-in requirements, COPRA provides businesses with an alternative legal basis for processing personal data: processing that is "reasonably necessary, proportionate, and limited to such purpose."

Does COPRA Supersede the CCPA?

Any state law, rule, regulation, or standard that directly conflicts with the measures outlined in COPRA is overridden. On the other hand, if a state law provides consumers a higher level of protection than COPRA, the state law takes precedence.

It can therefore be assumed that even if COPRA passes, CCPA provisions not addressed by Senator Cantwell's bill will remain in force.

Businesses Under COPRA

COPRA's language concerning covered businesses is equivalent in many respects to that of the CCPA as well.

The bill would apply to organizations with more than $25 million in annual revenue, that derive 50% or more of their revenue from transferring consumer data, or that process the data of 100,000 or more individuals per year.

The first two thresholds match those of the CCPA and CPREA; the third does not. (The CCPA applies to businesses that handle the personal information of 50,000 or more consumers, households, or devices, so it potentially reaches far more businesses than COPRA would.)

COPRA Goes Beyond the CCPA

COPRA exceeds the requirements of California's CCPA and its proposed amendment, the CPREA, in many respects. For instance, COPRA prohibits "harmful" and "deceptive" information practices under what it calls a "duty of loyalty," and it explicitly incorporates the applicable definitions from the Federal Trade Commission Act.

Moreover, COPRA forbids practices deemed discriminatory regarding data transfers and processing. The legislation demands algorithmic decision-making impact assessments, establishes distinct protections for whistleblowers, and bestows the right to data minimization.

Furthermore, COPRA would impose new data security requirements. These would include data retention and disposal rules, a minimum level of security training that companies must adopt, and vulnerability assessments.

Provisions of COPRA vs. the CCPA

There are two main reasons why you need a Privacy Policy:

✓ Privacy Policies are legally required. A Privacy Policy is required by global privacy laws if you collect or use personal information.

✓ Consumers expect to see them: Place your Privacy Policy link in your website footer, and anywhere else where you request personal information.

Generate an up-to-date 2022 Privacy Policy for your business website and mobile app with our Privacy Policy Generator.

One of our many testimonials:

"I needed an updated Privacy Policy for my website with GDPR coming up. I didn't want to try and write one myself, so TermsFeed was really helpful. I figured it was worth the cost for me, even though I'm a small fry and don't have a big business. Thanks for making it easy."

Stephanie P. generated a Privacy Policy

Provisions of COPRA vs. the CCPA

COPRA provides individuals with 11 rights, many of which correspond to rights already found in the CCPA (or Europe's GDPR). They are:

  • A right against discrimination: Under COPRA, individuals have the right not to be subject to discriminatory practices in the transfer or processing of personal information. This is not a right under the CCPA.
  • A right to data security: While the GDPR has a general requirement for data security, neither it nor the CCPA frames data security as an individual right.
  • A right to data minimization: This is also not a right under the CCPA or the GDPR, although the GDPR does include "data minimization" as a principle of processing and of data protection by design.
  • A right to opt-out of transfers: This is similar to the right to opt out of data sales in the CCPA.
  • A right to data portability: There are similar rights provided by both the CCPA and GDPR.
  • A right to correct inaccuracies: The GDPR has a similar provision in its "right to rectify."
  • A right to delete: The CCPA also has a right to delete.
  • A right to consent to any material changes in privacy practices and the Privacy Policy: Similar to a guideline of the Federal Trade Commission.
  • A right to transparency: Both the CCPA and the GDPR have similar requirements in disclosing the identity of the business/controllers to data subjects/individuals.
  • A right of access: Both the CCPA and GDPR have similar provisions.
  • A "duty of loyalty": This measure specifically requires businesses to avoid deceptive practices. It is modeled on the Federal Trade Commission's power to enforce against deceptive and unfair trade practices.

Requirements Exclusive to COPRA

If COPRA passes, it will bring new requirements not found in the CCPA. These obligations would raise the overall compliance risk for organizations across America, and for their management personally.

These new requirements include:

  • A yearly impact assessment of algorithmic decision-making, testing for discrimination, bias, fairness, and accuracy
  • A requirement that all covered entities appoint data security and privacy officers
  • A requirement that the CEOs, privacy officers, and CISOs of "large data holders" certify to the Federal Trade Commission every year that they are in compliance. Large data holders in this context are entities that process the "sensitive data" of more than 100,000 individuals, or that process any covered data on more than 5 million people.

Enforcement of COPRA vs. the CCPA

As noted throughout this article, COPRA is a proposed federal law, while the CCPA is a California state law. Therefore, the way these laws are enforced, and who does the enforcing, are not the same.

For example, the CCPA is enforced by the California Attorney General. COPRA, on the other hand, is enforceable by the Federal Trade Commission and state Attorneys General.

Additionally, COPRA is entirely privately actionable. Any violation whatsoever could land a business on the wrong end of a private lawsuit seeking statutory damages.

The CCPA also offers a "private right of action," but only in limited circumstances: the unauthorized disclosure or theft of personal information that is neither encrypted nor redacted. In other words, unlike COPRA, the CCPA is only privately actionable after a data breach, and a business that encrypts or redacts the personal information it stores narrows that exposure considerably.

The Future of the CCPA vs. COPRA

While the CCPA went into effect on January 1, 2020 and became enforceable on July 1, 2020, COPRA's future is far from certain. Lawmakers in Washington are still fighting over two highly controversial provisions.

The measures in question relate to whether or not federal legislation ought to preempt state laws and if so, how enforcement would work.

Preemption

A late 2020 article by Mila Jasper described how Senator Cantwell and her Democratic allies want states to be able to innovate on and expand beyond the standard COPRA would set, and insist that COPRA include a private right of action across the board.

In contrast, Republicans in the U.S. Senate want legislation that is enforced by the FTC and that supersedes all state laws.

At a September 2020 Senate hearing, Jon Leibowitz, a former FTC Chairman and Commissioner, suggested that COPRA already goes well beyond the scope of California's CCPA.

During testimony at the hearing, Mr. Leibowitz went on to add that he would not support preemption if he felt a federal privacy law would be weaker than what states already possess.

He stated:

"At the end of the day, you want the person who is driving from Biloxi to Seattle to have the same robust privacy protections wherever she or he goes."

Right of Private Action

According to Senator Cantwell, the states will never have enough resources to police the many organizations that gather consumer data. The senator believes that holds true even if state attorneys general and the FTC were given the power needed to enforce a national data privacy standard.

She said at the hearing:

"We will never be able to fully police the thousands and thousands of companies collecting consumer data if you are the only cop on the beat."

With Senator Cantwell's two provisions generating so much heat, COPRA's future remains up in the air. Until and unless it passes, California's CCPA remains the most comprehensive PDS legislation in America.

William Blesch

Legal and data protection research writer at TermsFeed

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.