{"id":17218,"date":"2019-12-17T10:10:03","date_gmt":"2019-12-17T18:10:03","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2019\/12\/17\/news-10954\/"},"modified":"2019-12-17T10:10:03","modified_gmt":"2019-12-17T18:10:03","slug":"news-10954","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2019\/12\/17\/news-10954\/","title":{"rendered":"New Consumer Online Privacy Rights Act (COPRA) would empower American users"},"content":{"rendered":"<p><strong>Credit to Author: David Ruiz| Date: Tue, 17 Dec 2019 17:28:37 +0000<\/strong><\/p>\n<p>Despite the already dizzying number of comprehensive data privacy proposals before the US Senate\u2014nearly 10 have been introduced since mid-2018\u2014<a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/www.cantwell.senate.gov\/news\/press-releases\/cantwell-senate-democrats-unveil-strong-online-privacy-rights\" target=\"_blank\">yet another bill has entered the conversation<\/a>: the Consumer Online Privacy Rights Act. <\/p>\n<p>This time, <a href=\"https:\/\/www.cantwell.senate.gov\/imo\/media\/doc\/COPRA%20Bill%20Text.pdf\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\"the bill, called COPRA for short, (opens in a new tab)\">the bill, called COPRA for short,<\/a> is sponsored by a Democratic Senator from Washington whose name has rarely been cited in the country\u2019s ongoing debate as to how to best protect Americans\u2019 data. <\/p>\n<p>The biggest differentiator about this 2019 latecomer bill? It ticks almost every box on the data privacy wishlist. <\/p>\n<p>Granting Americans the right to access data about them? This bill\u2019s got it. The right to grab that data and move it to another company? Also included. What about the right to opt out of data sharing and selling? Yep. And the requirement that companies get explicit approval for the processing and sharing of sensitive data, including biometrics, precise geolocation, and emails? You bet. 
<\/p>\n<p>But, perhaps most importantly, the bill would give everyday Americans the right to sue a company that violated their data privacy rights, extending enforcement capabilities directly to the public. <\/p>\n<p>Introduced by Senator Maria Cantwell, the Consumer Online Privacy Rights Act has already been welcomed by data privacy advocates across the country. <\/p>\n<p>&#8220;This is the most sophisticated federal proposal to emerge to date and demonstrates that Senate Democrats are committed to setting a high bar for consumer&nbsp;privacy,\u201d said Jules Polonetsky, the CEO of the nonprofit Future of Privacy Forum. \u201cThe bill provides a strong starting point that will move bipartisan debate forward, with private rights of action, limits on preemption, and the definition of sensitive data, among other issues, likely to be points of ongoing negotiation.&#8221;&nbsp;&nbsp;<\/p>\n<h3><strong>Consumer Online Privacy Rights Act: in a nutshell<\/strong><\/h3>\n<p>The Consumer Online Privacy Rights Act (COPRA) would improve the relationship that Americans currently have with the multitude of companies that collect, store, share, and sell their data across the Internet. <\/p>\n<p>COPRA would accomplish this by extending new rights to consumers\u2014like the right to access data collected about them and the right to delete that data\u2014while also placing new restrictions on companies. <\/p>\n<p>Under COPRA, companies would no longer be able to collect \u201csensitive covered data\u201d without first getting explicit approval from a user. Nor would companies be able to ignore the privacy and security of their users\u2019 data, as each company subject to COPRA would need to appoint a privacy officer and a data security officer, both of whom would be tasked with performing annual data risk assessments. <\/p>\n<p>COPRA would also create a new bureau within the Federal Trade Commission to aid enforcement. 
Further, state Attorneys General could file civil claims on behalf of their states\u2019 residents when they believe there has been a violation of the law. <\/p>\n<p>Though some of these ideas have cropped up in federal data privacy bills introduced this year, COPRA differs in two major ways. <\/p>\n<p>First, it would not impact any state data privacy laws that improve the data privacy of that state\u2019s residents. <\/p>\n<p>In 2018 and 2019, dozens of individual state legislatures took it upon themselves to try to solve data privacy, with California passing the <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/privacy-2\/2019\/07\/changing-californias-privacy-law-a-snapshot-at-the-support-and-opposition\/\" target=\"_blank\">California Consumer Privacy Act<\/a> last year and Maine passing a data privacy bill <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/privacy-2\/2019\/06\/maine-governor-signs-isp-privacy-bill\/\" target=\"_blank\">focused on Internet Service Providers this year<\/a>, to name just two. Similar efforts have produced laws that will either bolster or study data privacy in Nevada, Vermont, Illinois, Louisiana, and North Dakota. <\/p>\n<p>Under COPRA, these laws\u2014and new, similar ones\u2014would go untouched. <\/p>\n<p>This preservation of, and respect for, state laws goes directly against the wishes of many of the companies that COPRA would regulate. Earlier this year, the CEOs of 50 of the largest global companies <a rel=\"noreferrer noopener\" aria-label=\"informed Congress about what a federal data privacy bill should include (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/privacy-2\/2019\/09\/ceos-offer-their-own-view-of-a-us-data-privacy-law\/\" target=\"_blank\">informed Congress about what a federal data privacy bill should include<\/a>. 
High on the list was the demand that any federal bill negate, or preempt, current and future state data privacy bills. <\/p>\n<p>This corporate demand is not the only one that COPRA contradicts. <\/p>\n<p>COPRA would extend what is called a \u201cprivate right of action\u201d to consumers, granting them the ability to personally file a civil claim against a company to allege that the company violated their data privacy rights. The group of 50 CEOs also opposes this idea, asking that no private right of action be included in a federal data privacy law. <\/p>\n<p>Until now, everyday US consumers have suffered <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/security-world\/2019\/04\/consumers-have-few-legal-options-for-protecting-privacy\/\" target=\"_blank\">limited options in exercising their own data privacy rights<\/a>, instead having to rely on state Attorneys General to act on their behalf, or having to try to prove the near-unprovable when making claims about alleged data breaches. <\/p>\n<p>This private right of action is, as Purism CEO Todd Weaver <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/blog.malwarebytes.com\/privacy-2\/2019\/07\/what-should-a-us-federal-data-privacy-law-ideally-include\/\" target=\"_blank\">told Malwarebytes earlier this year<\/a>, a key component in any meaningful data privacy bill.<\/p>\n<p>\u201cIf you can\u2019t sue or do anything to go after these companies that are committing these atrocities, where does that leave us?\u201d Weaver said.&nbsp;<\/p>\n<p>Below is a more detailed look at COPRA\u2019s rights and restrictions. <\/p>\n<h3><strong>COPRA&#8217;s consumer rights<\/strong><\/h3>\n<p>The Consumer Online Privacy Rights Act would create new definitions of the types of data that receive protection in the United States. 
\u201cCovered data,\u201d the bill describes, is any information that \u201cidentifies, or is linked or reasonably linkable to an individual or a consumer device, including derived data.\u201d Not included in this definition, though, are de-identified data, employee data, and public records. <\/p>\n<p>Further, COPRA would create new restrictions on what it calls \u201csensitive covered data.\u201d The defined list is long, but not exhaustive, including passport numbers, Social Security numbers, information about physical and mental health, financial account usernames and passwords, biometrics, precise geolocation, communications content and metadata (which means not just the words that consumers send to one another, but the time they sent them, and which user or phone number they sent them to), emails, phone numbers, and any information that reveals race, religion, sexual orientation and behavior, and union membership. <\/p>\n<p>That\u2019s not all. Also included in \u201csensitive covered data\u201d are calendars and address books, photos and videos\u2014plus any nude pictures\u2014and online activity over time and across different third-party services. <\/p>\n<p>Unfortunately, the list leaves much to be desired, said Adam Schwartz, senior staff attorney at the Electronic Frontier Foundation, as it still fails to include \u201cextraordinarily sensitive\u201d information like immigration status, marital status, employment history, and political history. <\/p>\n<p>\u201cSo COPRA\u2019s list of sensitive data is under-inclusive,\u201d <a href=\"https:\/\/www.eff.org\/deeplinks\/2019\/12\/sen-cantwell-leads-new-consumer-data-privacy-bill\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Schwartz wrote<\/a>. \u201cIn fact, any such list will be under-inclusive, as new technologies make it ever-easier to glean highly personal facts from apparently innocuous bits of data. 
Thus,&nbsp;all&nbsp;covered information should be free from processing and transfer, absent opt-in consent, and a few other tightly circumscribed exceptions.\u201d<\/p>\n<p>Still, with these definitions of data, COPRA offers new data privacy rights to consumers. <\/p>\n<p>For \u201ccovered data,\u201d consumers have the rights to access, delete, and correct inaccuracies, along with the right to data portability and the right to opt-out of having their covered data \u201ctransferred\u201d to other companies. That last right means that consumers would have the right to tell companies that they do not want to have their covered data disclosed, released, shared, disseminated, sold, or licensed to other companies. <\/p>\n<p>The right to access under COPRA would allow consumers to not only obtain a copy of what covered data a company has on them, but also a list of the third parties that their data has been shared with to that point. Further, companies would have to explain why they shared a user\u2019s covered data with a third party. <\/p>\n<p>This level of information equips consumers with a better understanding of just how far their data travels in today\u2019s data-driven economy. <\/p>\n<p>Similarly, COPRA\u2019s \u201cright to delete\u201d would extend to third parties. If a user requests that a company delete data collected on them, that company would also be obligated to inform the third parties with which it had shared that user\u2019s data about the deletion request. <\/p>\n<p>For \u201csensitive covered data,\u201d consumers could relax, knowing that companies would not be allowed to collect any of that type of data without a user\u2019s explicit, opt-in approval. <\/p>\n<h3><strong>COPRA&#8217;s requirements for companies <\/strong><\/h3>\n<p>As explained above, the Consumer Online Privacy Rights Act has two primary levers for accomplishing change\u2014extending new rights to users while placing new restrictions on companies. 
<\/p>\n<p>COPRA\u2019s scope\u2014the definition of the businesses it applies to\u2014is broad, hewing exactly to the current Federal Trade Commission Act. Any entity subject to that law would also be subject to COPRA, with the exception of what COPRA defines as \u201csmall businesses.\u201d <\/p>\n<p>These are, the bill explains, businesses that do not exceed $25 million in revenue; do not process the covered data of an average of 100,000 or more individuals, households, and devices; and do not derive 50 percent or more of their annual revenue from transferring individuals\u2019 data. <\/p>\n<p>What that means is that COPRA would absolutely apply to the most common names in Big Tech\u2014Facebook, Google, Amazon, Apple, Microsoft, Twitter, Oracle, and far more. <\/p>\n<p>Under COPRA, companies would need to, for starters, post an easily accessible privacy policy, a requirement that already applies to companies doing business in California. The privacy policy would need to include, among other things, the contact information for the company\u2019s privacy and data security officers, the categories of data the company collects and processes and the reasons why, whether the company transfers data to third parties, and if so, what categories of data it transfers, the stated purposes for the transfers, and the identity of each third party that receives data in those transfers. <\/p>\n<p>Companies would also be subject to new duties\u2014a \u201cduty of loyalty,\u201d a \u201cduty to secure data,\u201d and a \u201cduty to build privacy protective systems.\u201d Combined, the new duties would prohibit companies from engaging in deceptive or harmful data practices, along with requiring companies to name a privacy officer and a data security officer. The officers, the bill explains, would need to oversee the implementation of a comprehensive data privacy program while also performing annual data risk assessments. 
<\/p>\n<p>Further, companies would need to commit to what is called \u201cdata minimization.\u201d Under this rule, companies could not \u201cprocess or transfer covered data beyond what is reasonably necessary, proportionate, and limited.\u201d <\/p>\n<p>Unfortunately, COPRA would allow companies to engage in certain data processing practices that consumers may personally view as invasive, so long as the company clearly lays out these practices in its stated privacy policy. This is a small misstep in the bill, according to privacy advocates, as even the most thoughtful, well-written privacy policies gain few, if any, full reads from the average consumer. <\/p>\n<p>Companies should not be given the opportunity to engage in potentially invasive data processing practices so long as they bury those practices in concise language on page 100 of their privacy policies. <\/p>\n<p>Separately, a few of COPRA\u2019s rights offered to consumers actually impact companies first. <\/p>\n<p>Take, for example, the consumers\u2019 \u201cright to data security,\u201d which would require companies to \u201cestablish, implement, and maintain reasonable data security practices to protect the confidentiality, integrity, and accessibility of covered data.\u201d The specific requirements of those actions include assessing vulnerabilities, disposing of data when required, training employees, and taking preventive actions to correct and mitigate vulnerabilities, which could include installing administrative, technical, and physical safeguards. <\/p>\n<p>The bill\u2019s requirement that companies post privacy policies is another example, as it falls under the consumers\u2019 \u201cright to transparency.\u201d <\/p>\n<p>Finally, and of particular note, COPRA would create a new requirement for companies that have implemented algorithmic decision-making processes into their data processing systems. 
Such companies would need to perform an annual assessment if their tools are used to determine housing eligibility, education, employment, or credit, along with distributing ads for the same areas, and access to public accommodations. Annual assessments would need to study whether the algorithmic decision-making systems produce discriminatory results.  <\/p>\n<h3><strong>A contender for comprehensive change<\/strong><\/h3>\n<p>Data privacy has undergone massive change in the past 10 years alone. For much longer than that, the US has lacked comprehensive data privacy protections for everyone, no matter which state they live in. <\/p>\n<p>It\u2019s time for that to change. With the Consumer Online Privacy Rights Act, the US Senate now has one of the firmest options to consider. COPRA would not only extend new data privacy rights to Americans, it would also give them the tools to defend them. <\/p>\n<p>We look forward to the next year in hopes that Congress will finally, actually, enact a meaningful federal data privacy law. 
<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/privacy-2\/2019\/12\/new-consumer-online-privacy-rights-act-copra-would-empower-consumers\/\">New Consumer Online Privacy Rights Act (COPRA) would empower American users<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n<p><a href=\"https:\/\/blog.malwarebytes.com\/privacy-2\/2019\/12\/new-consumer-online-privacy-rights-act-copra-would-empower-consumers\/\" target=\"bwo\" >https:\/\/blog.malwarebytes.com\/feed\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: David Ruiz| Date: Tue, 17 Dec 2019 17:28:37 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/privacy-2\/2019\/12\/new-consumer-online-privacy-rights-act-copra-would-empower-consumers\/' title='New Consumer Online Privacy Rights Act (COPRA) would empower American users'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2019\/12\/computer-with-lock-and-chain-data-privacy.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>The Consumer Online Privacy Rights Act (COPRA) would give everyday Americans the right to sue a company that violated their privacy rights, extending enforcement capabilities directly to the public. 
<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/privacy-2\/\" rel=\"category tag\">Privacy<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/big-tech\/\" rel=\"tag\">Big Tech<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/consumer-online-privacy-rights-act\/\" rel=\"tag\">Consumer Online Privacy Rights Act<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/copra\/\" rel=\"tag\">COPRA<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/data-portability\/\" rel=\"tag\">data portability<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/data-privacy\/\" rel=\"tag\">Data privacy<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/data-privacy-compliance\/\" rel=\"tag\">data privacy compliance<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/data-privacy-law\/\" rel=\"tag\">data privacy law<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/data-privacy-laws\/\" rel=\"tag\">data privacy laws<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/data-privacy-legislation\/\" rel=\"tag\">data privacy legislation<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/federal-trade-commission\/\" rel=\"tag\">Federal Trade Commission<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/federal-trade-commission-act\/\" rel=\"tag\">Federal Trade Commission Act<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/ftc\/\" rel=\"tag\">FTC<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/maria-cantwell\/\" rel=\"tag\">Maria Cantwell<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/pre-empt\/\" rel=\"tag\">pre-empt<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/pre-emption\/\" rel=\"tag\">pre-emption<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/private-right-of-action\/\" rel=\"tag\">private right of action<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/right-to-access\/\" rel=\"tag\">right to access<\/a><a 
href=\"https:\/\/blog.malwarebytes.com\/tag\/right-to-correct\/\" rel=\"tag\">right to correct<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/right-to-data-security\/\" rel=\"tag\">right to data security<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/right-to-delete\/\" rel=\"tag\">right to delete<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/right-to-transparency\/\" rel=\"tag\">right to transparency<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/senator-maria-cantwell\/\" rel=\"tag\">Senator Maria Cantwell<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/us-federal-trade-commission\/\" rel=\"tag\">US Federal Trade Commission<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/privacy-2\/2019\/12\/new-consumer-online-privacy-rights-act-copra-would-empower-consumers\/' title='New Consumer Online Privacy Rights Act (COPRA) would empower American users'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/privacy-2\/2019\/12\/new-consumer-online-privacy-rights-act-copra-would-empower-consumers\/\">New Consumer Online Privacy Rights Act (COPRA) would empower American users<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes 
Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[15450,23780,23781,23367,11063,21177,21400,21178,21401,10664,23782,10665,23783,23784,23785,5897,23786,22222,23787,23788,23789,23790,23791,22492],"class_list":["post-17218","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-big-tech","tag-consumer-online-privacy-rights-act","tag-copra","tag-data-portability","tag-data-privacy","tag-data-privacy-compliance","tag-data-privacy-law","tag-data-privacy-laws","tag-data-privacy-legislation","tag-federal-trade-commission","tag-federal-trade-commission-act","tag-ftc","tag-maria-cantwell","tag-pre-empt","tag-pre-emption","tag-privacy","tag-private-right-of-action","tag-right-to-access","tag-right-to-correct","tag-right-to-data-security","tag-right-to-delete","tag-right-to-transparency","tag-senator-maria-cantwell","tag-us-federal-trade-commission"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17218","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=17218"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/17218\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=17218"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada
.net\/index.php\/wp-json\/wp\/v2\/categories?post=17218"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=17218"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}