The Consumer Online Privacy Rights Act (COPRA) is a federal privacy law that ensures data confidentiality rights.

At the time of this writing, COPRA is still a bill. Once the bill is passed, COPRA will go into effect within six months.

This article details everything you need to know about the purpose of COPRA, who it applies to, what it requires, and three steps your business can take in order to ensure COPRA compliance.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.

    TermsFeed Privacy Policy Generator: Create Privacy Policy - Step 1

  2. Answer some questions about your website or app.

    TermsFeed Privacy Policy Generator: Answer questions about website - Step 2

  3. Answer some questions about your business.

    TermsFeed Privacy Policy Generator: Answer questions about business practices  - Step 3

  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

    TermsFeed Privacy Policy Generator: Enter your email address - Step 4

    You'll be able to instantly access and download your new Privacy Policy.

What is the Purpose of COPRA?

COPRA was created with the goal of protecting consumer privacy through the use of effective oversight processes and powerful enforcement standards.

COPRA was introduced in 2019 as a digital privacy act that would give consumers from the United States data protection similar to that granted to European citizens by the General Data Protection Regulation (GDPR).

Like the GDPR, COPRA would limit a business' data collection from its users to only that information that is truly crucial to contributing to the company's bottom line. Limiting data collection is one way that COPRA intends to keep companies from selling personal information to third-party agencies.

Any violation of COPRA will be labeled as "harmful and deceptive practices," which will necessitate the involvement of the Federal Trade Commission (FTC). COPRA calls for a new bureau to be created within the FTC that will be designed to work specifically on identifying and remedying all violations of this law.

COPRA will also call for a business to require "express consent" as the default for any of its data collection practices. Currently, under the California Consumer Privacy Act (CCPA), consumers can choose to opt out of data collection, but most companies make it easier for users to opt in.

Now that you know why COPRA was created and what it intends to accomplish, let's look at who COPRA will apply to.

Who Does COPRA Apply to?

Who Does COPRA Apply to?

COPRA applies to any individual or entity that is bound by the Federal Trade Commission Act, or anyone who collects or transmits identifying information.

Those subject to the Federal Trade Commission Act include most entities whose business involves commerce.

FTC Overview: Investigative Authority - General clause

However, some small businesses are excluded from the Act. Small businesses who will not be subject to COPRA include any business that in the last three years:

  • Can show that it has made less than $25,000,000 in average annual gross revenue
  • Processes an annual average of data from less than 100,000 individuals, households, or devices, or
  • Gets less than 50% of its revenue from transferring data

What is Required by COPRA?

What is Required by COPRA?

COPRA requires that businesses refrain from engaging in deceptive or harmful data practices. Deceptive data practices are defined in Section (5)(a)1 of the Federal Trade Commission Act.

FTC Act Section 5: Unfair or Deceptive Acts or Practices - Deceptive Practices section

Harmful data practices include data collection or transfer practices that could result in the financial, reputational or physical harm of an individual, or a significant intrusion of one's privacy.

COPRA also requires that a company is transparent about its intended use of the data it collects, and that it ensures individuals the right to access their personal data, as well as information about any third party that the individual's data has been transferred to.

COPRA expands consumers' rights to their data to include the ability to edit inaccuracies and delete information at will. It also requires that a business keeps the data they collect secure.

Once COPRA is passed, it requires that the CEO of any business that is subject to the Act submit an annual certification showing that the business is in COPRA compliance. This section of COPRA is meant to hold the higher-ups of businesses accountable for their companies' data processing practices.

Now that you understand some of the conditions that will be required by COPRA, let's talk about simple steps that your business can take today in order to ensure COPRA compliance.

3 Steps Your Business Can Take to Ensure COPRA Compliance

3 Steps Your Business Can Taketo Ensure COPRA Compliance

1. Assign Privacy and Data Security Officers

Training employees to understand and implement data security processes in your company now is a great way to not only ensure COPRA compliance, but to show your customers that you truly care about providing transparency and protecting their information.

Not only that, but keeping Privacy and Data Security Officers on staff is an important part of COPRA guidelines.

Once you have fully trained staff who know how to keep your company COPRA compliant, you can carry out the next step: making sure your business has an adequate Privacy Policy.

2. Make Sure Your Privacy Policy is up to Date

A good Privacy Policy will let users know what personal information your company collects, how your company collects that information, any third parties your company shares data with, how your company uses the information it collects, what kind of security processes your company uses to keep the data it collects safe, and contact information for your company.

John Hopkins University and Medicine has a clearly written and extensive Privacy Statement that covers all of the above-mentioned clauses:

Johns Hopkins University Medicine Privacy Statement: Collection and Use of Information clause excerpt

The John Hopkins Privacy Statement goes on to include information it collects automatically and through third-party tools, as well as what information it shares, how users can control their information, and security measures, among other clauses.

3. Give Users the Option to Share Their Information

Any time your company collects personal data, you should give users the option to share their information. This means that anytime a user inputs their data in a form (such as for a newsletter or email sign-up), responds to a survey, or signs up for an account on your website, they should be provided with an obvious and easily-understandable option for sharing their information.

A simple way to do this is by including an interactive checkbox within your information collection forms.

When a user creates an account on Pizza Hut's website, they're given the option to click a box showing that they have read and agree to Pizza Hut's Terms of Use and Terms and Conditions:

Pizza Hut Create Account form with Accept Terms checkbox highlighted

It's important to note that once COPRA goes into effect, you may need to take this step a little further and make sure that it is very obvious that customers only need to provide minimal information in order to use your company's products or services.

Penalties for Non-Compliance

Penalties for Non-Compliance

If your company is found to be non-compliant with COPRA, then an attorney general or consumer protection officer of the State can bring a civil action against your business.

The civil action may require that your business abide by COPRA guidelines, and may also require that your business pay financial fines.

Individuals can also bring a civil action against your business for non-compliance. If the plaintiff wins, then your business will be responsible for paying a range of financial fines.

Financial fines can include the amount of $1000 per violation per day or more, depending on the cost of actual damages, as well as attorney's fees and any other relief costs concerning the case.

COPRA is a federal bill that affects all of the United States, but it still allows for individual states to create their own regulations regarding the enforcement of the digital privacy Act. COPRA does supersede any State law that is in direct conflict with its rules.

The important thing to understand about the penalties for violating COPRA is that both the State and individuals can bring civil actions against your company for not following the digital privacy rules.

This is a big deal, as it opens formerly protected larger corporations up to litigation from potentially thousands of people if they are found to be in violation of COPRA.


It's essential that you understand how to keep your business in compliance with COPRA once it goes into effect, as well as potential penalties for non-compliance.

Taking steps now to provide safety measures for your users' personal information not only protects your business from possible legal ramifications, but also shows your customers that your business cares about keeping their data secure.

Key takeaways from this article that can help your company to be COPRA compliant include:

  • COPRA is a digital privacy bill that was created in order to protect consumers' personal data
  • COPRA applies to all individuals or entities who are subject to the Federal Trade Commission Act
  • COPRA requires that a business refrains from harmful or deceptive data processing practices and that it is transparent about its intended use of the data collected
  • COPRA also requires that a business ensures the rights of its users to easily access, edit, or delete their data
  • COPRA ensures that consumers can obtain information about any third-parties who may have access to their data
  • COPRA holds CEOs accountable for their companies' data collection practices and requires annual certification
  • COPRA demands that all data is securely processed
  • Your company can take steps now that may help it to be COPRA compliant. These steps include hiring and training Privacy and Data Security Officers, updating your company's Privacy Policy, and making sure that users have an obvious and easily-accessible means of opting in to sharing their data with your company.
  • Both the State and individuals can bring civil actions against your business under COPRA. If your business is found to be in violation with COPRA laws, then it can be fined and held responsible for damages.

Privacy Policy Generator
Comprehensive compliance starts with a Privacy Policy.

Comply with the law with our agreements, policies, and consent banners. Everything is included.

Generate Privacy Policy