Copra – Consumer Online Privacy Rights Act – US privacy bill with control of algorithms
Democrats in the U.S. Parliament have presented a Consumer Online Privacy Rights Act (Copra) that gives consumers the right to control their personal data and to know about the algorithms applied to it. The European GDPR partly served as the example.
That said, the American wording is, as usual, simpler than the European equivalent, which is a compromise between the wishes of thousands of lobbyists and politicians. For example, the Dutch translation of the General Data Protection Regulation (AVG) counts 55,000 words, a considerable fourfold increase compared to Directive 95/46, which was replaced in May 2018.
The American proposal contains 12,000 words, but will undoubtedly still have to absorb a fair number of amendments. After all, it was submitted in November 2019 by the Democratic senator Maria Cantwell, also on behalf of party colleagues Brian Schatz, Amy Jean Klobuchar and Edward John Markey. A fair amount of Republican opposition is expected, especially in defence of corporate interests.
Months of negotiations between Democrats and Republicans on a joint bill broke down. The Republican senator Roger Wicker has also drafted a privacy law, as Reuters reports. According to Wicker, his proposal doesn’t differ that much from the Democrats’ Copra. However, he does want separate state laws on privacy, such as the one that will come into force in California on 1 January 2020, to be invalidated by a state law.
Control over personal data
According to Cantwell, the core objective of the Copra is, in summary: ‘Every day, personal data is transferred from company to company, collected in digital profiles, and then used without the knowledge, understanding or consent of the consumer. Without meaningful rights and protection, consumers will remain powerless and vulnerable to abuse. As our devices become smarter and our digital profiles more accurate and powerful, these risks will increase’.
To the Washington Post, Cantwell says: “You have to start saying these aspects of your life belong to you, and you have the right to decide how they’re used.” This reflects the question of control over personal data. The right of deletion is particularly important in this respect; it derives from the European right to be forgotten. The GDPR contains articles that give citizens the right to have their data deleted by companies. The Americans have adopted this, also subject to a number of conditions. In summary, this means that companies must make it clear that they still need the data, otherwise they must comply with the deletion request (pp. 31-33 of the Copra proposal).
In an interview with US public broadcaster NPR, Cantwell says: ‘In the digital age, you must have the right to control your data – that is, what information is collected about you, what information may be transferred or sold to a third party, the ability to have your information deleted if that organisation or entity does not like you. And also to ensure that no discriminatory practices are used against you’.
The interviewer is sceptical about the prospect of citizens controlling the commercial use of their data, because in practice ‘permission’ for data processing by companies means that surfers click ‘yes’ as quickly as possible to get rid of the nagging. Cantwell looks for the solution in high fines for companies that deceive consumers with their conditions and with their methods of obtaining permission for data processing.
She mentions an amount of online advertising of $126 billion a year. Fines have to match those revenues, and the proceeds have to go into a fund to compensate consumers: the Data Privacy and Security Relief Fund. Consumers must also be able to personally sue companies that violate their privacy in order to obtain compensation, including legal fees.
Control of algorithms
The Consumer Online Privacy Rights Act of 2019 provides for the following:
- The right to be protected from deceptive data practices that are financially, physically and/or reputationally detrimental, and from acts that you perceive as intrusive;
- The right of access to data and greater transparency; detailed and clear information on how data is used and shared;
- The right to control the movement of data, including blocking transfers of data to third parties;
- The right to delete or rectify data and to take it to a competing service;
- Protection against the collection of sensitive data, such as biometric and location data.
As in Europe, companies must comply with principles such as data minimisation and requirements for quality and security. Whistleblowers who uncover violations of privacy will be protected.
What is new is the requirement for companies to have their algorithms assessed in detail annually so that they do not discriminate in terms of origin, race, ethnicity, biometric data, income and nationality. This applies in particular to housing, credit, education and job vacancies.
Enforcement must be carried out by a new privacy oversight agency at the Federal Trade Commission (FTC), as well as by state attorneys. Such a watchdog has been advocated in the U.S. for years because the FTC is said to act too arbitrarily and to be too politically bound.
In a detailed commentary, Adam Schwartz of the Electronic Frontier Foundation writes that his organisation agrees with the proposal, but that on some points it does not go far enough. The EFF is concerned that personal data will be treated as a means of payment: those who do not participate will not get access to a service, or will have to pay more.
In earlier advice on privacy legislation, the EFF already asked for rules against this ‘pay for privacy’. Privacy must remain a fundamental right and not become a tradable right that consumers have to weigh against other rights and benefits. There is also the threat that the rich will be able to afford more privacy than the poor.
However, the Copra does provide an article that completely forbids companies to refuse a service if someone does not provide data. This article, 109 Prohibition On Waiver Of Rights, states the following for companies (‘covered entity’):
A covered entity shall not condition the provision of a service or product to an individual on the individual’s agreement to waive privacy rights guaranteed…except in the case where
(A) there exists a direct relationship between the individual and the covered entity initiated by the individual;
(B) the provision of the service or product requested by the individual requires the processing or transferring of the specific covered data of the individual and the covered data is strictly necessary to provide the service or product; and
(C) an individual provides affirmative express consent to such specific limitations.
Furthermore, the EFF wants simple provisions for blocking data collection by companies to become law, for example by obliging companies to respect the Do Not Track (DNT) setting of browsers and not to collect data on the surfing or app use of those who have set up DNT.
Democrats and Republicans will continue to discuss a new law, and lobby groups such as the EFF will return to the debate.