Another Attempt at Federal Privacy Legislation

Written by: Richard Sheinis, Esq.

In yet another attempt to pass federal privacy legislation, on November 26, U.S. Senator Maria Cantwell, D-Wash., introduced the Consumer Online Privacy Rights Act (“COPRA”).  COPRA would apply to information that identifies or is reasonably linked to an individual residing in the U.S. or a consumer device.  COPRA would generally exclude most non-profits, certain financial institutions and telecommunications and common carrier activities.  Many small businesses would also be excluded, as well as entities that are subject to other federal privacy laws such as the Gramm-Leach-Bliley Act, HIPAA, FCRA, and FERPA.

COPRA would provide individuals with various rights concerning their personal information, such as a right to access, right to correction and deletion, and the right to transparency through a published privacy policy.  In this regard, COPRA is very similar to the California Consumer Privacy Act (“CCPA”).  A new element would be the “duty of loyalty,” which prohibits entities from engaging in deceptive or harmful practices.

While most of these provisions have come to be recognized as the basis of any privacy legislation, two aspects of COPRA are sure to draw vigorous debate.  COPRA provides for a private right of action, and a very limited pre-emption of state laws.  COPRA would preempt state laws that directly conflict with it, but it would not preempt state laws that create separate and more stricter requirements.

In the current political climate, however, where Congress seems to be occupied with doing everything other than considering legislation, don’t expect anything to happen soon.