Yesterday, we posted the political backdrop for the introduction of the “Consumer Online Privacy Rights Act” (COPRA). Today, let’s turn to the substance of the bill.
Under COPRA, the entities covered by the new requirements form a broad class, simply defined as those already subject to the FTC Act that “process or transfer covered data.” The bill then carves out sub-classes of entities that might otherwise be covered, some of which fall outside the definition of covered entity altogether and some of which are treated differently.
Service providers are defined as covered entities that process or transfer covered data while performing a service on behalf of another covered entity. However, the definition is written to include only those activities undertaken at the behest of another covered entity and is explicit that the “term does not include a covered entity that processes or transfers the covered data outside of the direct relationship between the service provider and the covered entity.” Consequently, entities such as Verizon and Amazon would be deemed service providers only to the extent they are providing services like broadband internet and cloud services. Otherwise, they would be covered entities and subject to all the responsibilities the bill would place on them. Third parties are those that receive covered data from covered entities for processing or transfer and that are not service providers, affiliates, subsidiaries, or otherwise controlled by the covered entity.
Additionally, small businesses would be carved out of much of the bill. These are defined as entities with $25 million or less in annual revenues for each of the preceding three years that processed the covered data of fewer than 100,000 individuals and that earn 50% or less of their gross revenue from processing covered data. Likewise, non-profits and other discrete classes of entities would be outside the confines of this bill (e.g. some of the activities in the privacy and data security spheres of telecommunications companies would still be regulated by the Federal Communications Commission.)
“Covered data” is “information that identifies, or is linked or reasonably linkable to an individual or a consumer device, including derived data.” But this term excludes “de-identified data,” “employee data,” and “public records.” Turning to those terms, de-identified data is generally “information that cannot reasonably be used to infer information about, or otherwise be linked to, an individual, a household, or a device used by an individual or household.” However, before any such information may be deemed de-identified data, in addition to ensuring the information cannot be linked to a person, device, or household and that inferences cannot reasonably be drawn, the entity must put in place reasonable measures to block the re-identification of such information and publicly commit not to re-identify it and to process or transfer it only in a de-identified state. Moreover, any entity seeking to de-identify data must also contractually obligate any other entities that receive the information to meet all of the aforementioned requirements.
COPRA creates a subset of covered data, ‘‘sensitive covered data,’’ which includes the following list, which has been shortened:
- A government-issued identifier, such as a Social Security number, passport number, or driver’s license number.
- Any information that describes or reveals the past, present, or future physical health, mental health, disability, or diagnosis of an individual.
- Biometric information.
- Precise geolocation information that reveals the past or present actual physical location of an individual or device.
- The content or metadata of an individual’s private communications or the identity of the parties to such communications unless the covered entity is an intended recipient of the communication.
- Information revealing an individual’s race, ethnicity, national origin, religion, or union membership in a manner inconsistent with the individual’s reasonable expectation regarding disclosure of such information.
- Information revealing the sexual orientation or sexual behavior of an individual in a manner inconsistent with the individual’s reasonable expectation regarding disclosure of such information.
- Information revealing online activities over time and across third-party website or online services.
- Calendar information, address book information, phone or text logs, photos, or videos maintained on an individual’s device.
- A photograph, film, video recording, or other similar medium that shows the naked or undergarment-clad private area of an individual.
- Any other covered data processed or transferred for the purpose of identifying the above data types.
- Any other covered data that the Commission determines to be sensitive covered data through a rulemaking pursuant to [the Administrative Procedure Act]
While we will not dive into all the categories of information considered sensitive covered data, one bears mention, for it sets COPRA apart from the only major privacy bill introduced in the House this year, the “Online Privacy Act of 2019” (H.R. 4978). In COPRA, both the content and metadata of private communications are given privileged status. The same is not true in the other bill, which protects only the contents of communications, with metadata being subject to lesser standards.
A final definition to note: “affirmative express consent.” Since so many of a person’s rights under COPRA are linked to the provision of “affirmative express consent,” it bears a bit of investigation. First, the bill makes clear that consent cannot be inferred from a person’s actions or inaction or even her continued use of a covered entity’s products and services. Consequently, only affirmative actions that clearly communicate agreement in response to a specific request meeting defined criteria will qualify. Namely, this request must stand alone, describe each act or practice for which consent is being requested, be expressed in easily understood language, and explain the applicable rights. Any consent short of this would violate the Act, for then any subsequent processing or transfer of covered data would be contrary to a number of its requirements.
Covered entities would have a duty of loyalty. The bill is not explicit as to whom this duty is owed, but the context makes fairly clear that it is owed to the people whose covered data is collected, processed, and transferred. This duty has two parts: 1) a prohibition against engaging in deceptive or harmful data practices; and 2) a prohibition against processing or transferring covered data in any way that violates COPRA. The definition of what is deceptive is the same as for practices currently barred as deceptive under the FTC Act, but COPRA would institute a new definition of harmful that would considerably widen the scope of the FTC’s power to punish illegal privacy or data security practices. Specifically, harmful data practices are “the processing or transfer of covered data in a manner that causes or is likely to cause any of the following:
- Financial, physical, or reputational injury to an individual.
- Physical or other offensive intrusion upon the solitude or seclusion of an individual or the individual’s private affairs or concerns, where such intrusion would be offensive to a reasonable person.
- Other substantial injury to an individual.”
Obviously, the FTC will have views on how to construe some potentially harmful data practices, and those views will ultimately be adjudicated by federal courts. For example, how would one define “reputational harm”? Likewise, what constitutes “[o]ther substantial injury,” given that financial, physical, reputational, and broad privacy harms are already enumerated? Quite possibly, this language was included to give the agency and courts the flexibility to reach new harms yet to be seen. As for the other component of the duty of loyalty, it is simply not to violate the myriad requirements of the Act, which provides a very broad means for the FTC and state attorneys general to pursue and prosecute violations.
COPRA also grants a right to transparency. The information a covered entity must disclose to individuals includes:
- each category of data the covered entity collects and the processing purposes for which such data is collected;
- whether the covered entity transfers covered data and, if so—
  - each category of service provider and third party to which the covered entity transfers covered data and the purposes for which such data is transferred to such categories; and
  - the identity of each third party to which the covered entity transfers covered data and the purposes for which such data is transferred to such third party, except for transfers to governmental entities pursuant to a court order or law that prohibits the covered entity from disclosing such transfer;
- how long covered data processed by the covered entity will be retained by the covered entity and a description of the covered entity’s data minimization policies;
- how individuals can exercise their individual rights; and
- a description of the covered entity’s data security policies.
This is a fairly comprehensive list of the information a consumer must be provided. Unless the FTC issues regulations or guidance directing covered entities to use a uniform format or to keep this disclosure to a certain length, it is possible covered entities will favor longer, denser privacy policies in order to obfuscate or discourage reading.
Another right granted by COPRA is that of deletion. Upon receiving a verified request from a person, a covered entity must delete the requested information and then also inform third parties and service providers of the deletion request. However, it is not clear that the latter two kinds of entities would be bound to honor the request and actually carry out the deletion. It may be necessary for the FTC’s regulations to require that such language be inserted into contracts between covered entities and their service providers and third parties.
Likewise, an individual may ask that a covered entity correct any inaccuracies in the covered data it holds and processes. Again, any such request would need to be verified, and again the covered entity would need to inform third parties and service providers.
The bill creates a right of data portability in that covered entities must honor verified requests from people and provide them with both human-readable and machine-readable copies of their covered data. COPRA also establishes a right to object to and opt out of transfers of covered data to third parties, and the FTC would need to conduct a rulemaking to establish the procedures one may use to effect this right. The bill lists the features this final rule must have, including requirements for clear and conspicuous opt-out notices, easy-to-use mechanisms, and a centralized means of opting out so a person will not need to repeatedly opt out of a covered entity’s transfers.
Furthermore, covered entities may neither process nor transfer a person’s sensitive covered data without “prior, affirmative express consent” and must “provide an individual with a consumer-friendly means to withdraw affirmative express consent to process the sensitive covered data of the individual.” However, covered entities do not need prior, affirmative express consent to process or transfer publicly available information. Considering that these passages are in the same section of the bill, the drafters are clearly contemplating that sensitive covered data may be available from public sources. For example, as mentioned earlier, some DMVs are selling the personal information of drivers, making publicly available some information that would likely be considered sensitive covered data and that could then be processed and transferred without the consent of the person to whom it pertains.
Cantwell has long expressed her view that privacy legislation should include data security requirements, and so COPRA does. Covered entities must “establish, implement, and maintain reasonable data security practices to protect the confidentiality, integrity, and accessibility of covered data…appropriate to the volume and nature of the covered data at issue.” This provision spells out further requirements, including conducting vulnerability assessments to turn up reasonably foreseeable threats, developing and implementing a process to address any such vulnerabilities, destroying or deleting any covered data that is no longer needed or for which affirmative express consent to hold it has not been provided, and training the covered entity’s employees to properly handle and safeguard covered data. The FTC would need to issue training guidelines to assist covered entities, and even though this provision does not specifically task the agency with promulgating regulations, COPRA provides the FTC with a broad grant of authority to promulgate regulations under the Administrative Procedure Act.
Next, the bill turns to the civil rights granted to individuals residing in the U.S. regarding data privacy, many of which address practices the Obama Administration called digital redlining. Covered entities are barred from processing or transferring covered data on the basis of real or perceived membership in protected classes, including but not limited to race, national origin, ethnicity, gender, and sexual orientation, for a variety of defined purposes. Broadly speaking, the barred purposes are differentiating opportunities for employment, education, housing, and credit on the basis of those classes. One example of a practice that would be barred is the conduct alleged by the Department of Housing and Urban Development: that Facebook allowed people placing ads on the social platform to target certain racial groups and exclude others. This bar on discriminatory treatment would also apply to public accommodations writ large, meaning any services or products offered generally to the public. Consequently, covered data could not be used by covered entities to discriminate against women, for example, by charging them a higher price than men for the same service. Additionally, “[a] covered entity may request advice from the Commission concerning the covered entity’s potential compliance with this subsection, in accordance with the Commission’s rules of practice on advisory opinions.”
These civil rights are extended to algorithmic decision making. Covered entities using algorithmic decision making in processing or transferring covered data in the same contexts must perform impact assessments annually, keep them on file, and make them available to the FTC upon request. Presumably, the FTC could use these impact assessments as evidence, if warranted, in finding that a covered entity has violated the Act through discriminatory actions flowing from such decision making. In any event, the FTC would be required to publish a report “examining the use of algorithms” for decision making in this context within three years of enactment and every three years thereafter.
COPRA would bar the waiver of certain rights under any circumstances and of other rights except under circumscribed circumstances. The rights that cannot be waived are the duty of loyalty covered entities owe to people, data portability, data minimization, data security, and the various civil rights. The rights of access, transparency, deletion, and correction of inaccuracies may be waived only if three conditions are present:
- “there exists a direct relationship between the individual and the covered entity initiated by the individual;
- the provision of the service or product requested by the individual requires the processing or transferring of the specific covered data of the individual and the covered data is strictly necessary to provide the service or product; and
- an individual provides affirmative express consent to such specific limitations.”
Of course, in the latter category, covered entities that believe all three conditions are present will prompt or perhaps even require people to waive those rights. And it is all but certain that covered entities will seek to expand as much as possible the concept of what “is strictly necessary to provide the service or product.” Consequently, should the provision of a service such as FaceTime require the processing and/or transfer of covered data, then Apple would need to obtain affirmative express consent, and only after an individual initiates the relationship. However, would covered entities be able to advertise or spam people with offers for their services and products in exchange for waivers? Also, it will undoubtedly be a point of contention what processing and transferring of covered data is necessary for certain services and products to be provided. Presumably, a company like Google could make the case that its provision of free email through Gmail is financed through the harvesting and sharing of data and that without this it is not viable. It seems to me the FTC will need to weigh in on the contours of what constitutes “strictly necessary” in terms of seeking waivers of these rights.
Of course, the exercise of a number of these rights (access, transparency, deletion, correction, and portability) hinges on verifying that the person making the request is who he claims to be. Covered entities would be able to deny the exercise of these rights if they cannot reasonably verify the identity of the requester, which seems on its face a reasonable step to avoid letting people make mischief with others’ data and accounts. Covered entities must request additional information to verify a person’s identity in cases of uncertainty. In any event, covered entities must minimize the burden of these requests and cannot charge for them.
And yet, there are circumstances that would allow covered entities to deny these requests:
- if complying with the request would be demonstrably impossible;
- complying with the request would prevent the covered entity from carrying out internal audits, performing accounting functions, processing refunds, or fulfilling warranty claims, provided that the covered data that is the subject of the request is not processed or transferred for any purpose other than such specific activities;
- the request is made to correct or delete publicly available information, and then only to the extent the data is publicly available information;
- complying with the request would impair the publication of newsworthy information of legitimate public concern to the public by a covered entity, or the processing or transfer of information by a covered entity for such purpose;
- complying with the request would impair the privacy of another individual or the rights of another to exercise free speech; or
- the covered entity processes or will process the data subject to the request for a specific purpose described in [provisions detailing when affirmative express consent is not needed], and complying with the request would prevent the covered entity from using such data for such specific purpose.
However, covered entities may also deny these requests if they reasonably believe they would interfere with a contract between the covered entity and another individual.
COPRA also stipulates that “[t]he rights and remedies provided for in this section shall not be waived by any policy form or condition of employment, including by a predispute arbitration agreement.” Moreover, “[n]o predispute arbitration agreement shall be valid or enforceable if the agreement requires arbitration of a dispute.”
As noted earlier, covered entities may process or transfer covered data without the affirmative express consent of a person for the following purposes, “provided that the processing or transfer is reasonably necessary, proportionate, and limited to such purpose:
- To complete a transaction or fulfill an order or service specifically requested by an individual, such as billing, shipping, or accounting.
- To perform system maintenance, debug systems, or repair errors to ensure the functionality of a product or service provided by the covered entity.
- To detect or respond to a security incident, provide a secure environment, or maintain the safety of a product or service.
- To protect against malicious, deceptive, fraudulent or illegal activity.
- To comply with a legal obligation or the establishment, exercise, or defense of legal claims.
- To prevent an individual from suffering harm where the covered entity believes in good faith that the individual is in danger of suffering death or serious physical injury.
- To effectuate a product recall pursuant to Federal or State law.
- To conduct scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board or a similar oversight entity that meets standards promulgated by [the FTC in an APA rulemaking.]
The FTC and state attorneys general will need to closely monitor the use of these exceptions by covered entities, for the inclination of regulated entities is to push the limits of legal or excepted behavior. Consequently, regulators will need to review the use of these exceptions lest one or more of them become the exception that swallows the federal privacy statute.
The FTC will need to promulgate regulations “identifying privacy protective requirements for the processing of biometric information” for two of the above exceptions to the requirement for affirmative express consent: to detect or respond to a security incident, provide a secure environment, or maintain the safety of a product or service, or to protect against malicious, deceptive, fraudulent or illegal activity. This section further details the requirements of such a rulemaking.
The bill also carves out from these requirements “the publication of newsworthy information of legitimate public concern to the public by a covered entity, or to the processing or transfer of information by a covered entity for that purpose.”
COPRA would, to a certain degree, exempt those covered entities subject to other federal privacy and data security statutes such as the “Financial Services Modernization Act of 1999” (aka Gramm-Leach-Bliley) and the “Health Insurance Portability and Accountability Act of 1996” (HIPAA). There are provisions making clear that entities in compliance with the named federal regimes shall be deemed to be in compliance with the privacy and data security requirements of COPRA “with respect to data subject to the requirements of such regulations, part, title, or Act.” This suggests that for data falling outside those regimes (e.g. biometric data and geolocation data are not subject to Gramm-Leach-Bliley), any covered entity would need to meet the privacy and data security requirements of COPRA in addition to its existing responsibilities. The FTC must issue guidance describing the implementation of this section within one year.
COPRA would add compliance responsibilities for “large data holders,” those covered entities that process or transfer the covered data of 5 million or more individuals per year or that processed or transferred the sensitive covered data of 100,000 or more individuals in a year. These entities would need to annually certify compliance with the Act after a review of their internal procedures and processes for compliance. The CEO, chief privacy officer, and chief data security officer must sign this certification. This language is obviously aimed at the largest data collectors and processors and is intended to make CEOs aware of and responsible for privacy and data security practices, so they would not be able to claim ignorance of problems that turn up.
However, all covered entities must designate both chief privacy and chief data security officers who “shall be responsible for, at a minimum—
- implementing a comprehensive written data privacy program and data security program to safeguard the privacy and security of covered data throughout the life cycle of development and operational practices of the covered entity’s products or services;
- annually conducting privacy and data security risk assessments, data hygiene, and other quality control practices; and
- facilitating the covered entity’s ongoing compliance with this Act.”
COPRA spells out the responsibilities of service providers and third parties. Service providers may only process covered data in accordance with the instructions of the covered entity from which they received the information or to comply with a legal obligation. Service providers may not transfer covered data “without the affirmative express consent… of the individual to whom the service provider data is linked or reasonably linkable.” Additionally, service providers must delete or de-identify covered data once they have completed their services for a covered entity. Third parties may not “process third party data for a purpose that is inconsistent with the expectations of a reasonable individual” and “may reasonably rely on representations made by the covered entity that transferred third party data regarding the expectation of a reasonable individual, provided the third party conducts reasonable due diligence on the representations of the covered entity and finds those representations to be credible.” Service providers and third parties would be exempted from some of the rights people would be given under COPRA (e.g. the right of access.)
Covered entities must exercise reasonable due diligence regarding service providers and third parties:
- in selecting a service provider and conduct reasonable oversight of its service providers to ensure compliance with the applicable requirements of this section; and
- in deciding to transfer covered data to a third party, and conduct oversight of third parties to which it transfers data to ensure compliance with the applicable requirements of this subsection.
The bill has provisions to protect and encourage whistleblowers in coming forward to uncover illegal privacy and data security practices. Additionally, the National Institute of Standards and Technology “shall publish a report regarding digital content forgeries,” an area of increasing concern for policymakers as deep fakes become more and more prevalent and lifelike.
With respect to enforcement, the FTC would receive broad authority to draft regulations and guidance to effectuate COPRA. The FTC and state attorneys general could bring actions under this bill. They could seek civil penalties of $42,530 per violation in the first instance and all the other relief that can currently be sought, such as equitable remedies including rescission, disgorgement, and injunctions. All of this is fairly anodyne, and even Republicans, who earlier in the decade resisted letting state attorneys general get on the field or giving the FTC authority to seek fines for first offenses when data security legislation was debated, have come to accept both. However, what many stakeholders may be relying on is that the FTC and state attorneys general are only capable of bringing so many actions, and there may well be conduct at odds with COPRA that goes unpunished.
Additionally, the FTC must “establish a new Bureau within the Commission comparable in structure, size, organization, and authority to the existing Bureaus with the Commission related to consumer protection and competition” within two years of enactment. However, this bill does not specifically authorize extra appropriations for this purpose and instead includes language authorizing such sums as are necessary to implement the Act. Without additional funds to set up and resource this new Bureau, this may be a hollow grant of authority, complied with only by the FTC cannibalizing its other current operations. Separately, an account titled the “Data Privacy and Security Relief Fund” would be established to collect all civil awards won by the FTC, primarily to make whole consumers who were harmed by covered entities.
As noted, individuals could sue for violations in any competent federal or state court and could win the greater of actual damages or between $100 and $1,000 per violation, plus punitive damages and attorney’s fees. This is the most expansive such right in a major privacy bill released this year and may be seen as the lynchpin of enforcement efforts, for if state attorneys general and the FTC are only able to police a small set of violations, then people and their attorneys, through the use of class actions, may be able to enforce the statute, since many companies may emphasize compliance in order to avoid a huge settlement. And yet, giving plaintiffs’ attorneys another means by which they can sue corporations is anathema to Republicans. Therefore, it will be an uphill battle for any private right of action to survive in a final privacy and data security bill passed by the Senate and sent to the White House.