
COPRA vs. CDPA. Clear-cut differences


COPRA vs. CDPA

Two noteworthy proposals for a comprehensive U.S. federal data privacy law are under debate in the U.S. Congress: the Consumer Online Privacy Rights Act (COPRA), introduced by the Republican Party, and the U.S. Consumer Data Privacy Act (CDPA), introduced by the Democratic Party.

COPRA vs. CDPA: What’s the difference?

📐 COPRA’s definition of “sensitive covered data” is broader

🌎 📅 Under CDPA, geolocation data is considered sensitive only when it carries temporal metadata (location at a specific point in time)

👙 📟 COPRA includes media that shows the naked or undergarment-clad private area of an individual, as well as telephone numbers

📤 COPRA explicitly provides for opting out of transfers of covered data

📝 CDPA establishes a “right to request” correction rather than a “right to correction”

🔙 Under CDPA, an exception would allow an entity to deny a request that is “impossible or demonstrably impracticable to comply with”

🚫 CDPA would preempt any state law related to data privacy or security.
🔝 COPRA would leave in place state laws that afford a greater level of protection than it does.

Consumer Online Privacy Rights Act Consumer Data Privacy Act
DEFINITION OF SENSITIVE COVERED DATA “The term ‘sensitive covered data’ means the following forms of covered data: A government-issued identifier, such as a Social Security number, passport number, or driver’s license number. Any information that describes or reveals the past, present, or future physical health, mental health, disability, or diagnosis of an individual. A financial account number, debit card number, credit card number, or any required security or access code, password, or credentials allowing access to any such account. Biometric information. Precise geolocation information that reveals the past or present actual physical location of an individual or device. The content or metadata of an individual’s private communications or the identity of the parties to such communications unless the covered entity is an intended recipient of the communication. An email address, telephone number, or account log-in credentials. Information revealing an individual’s race, ethnicity, national origin, religion, or union membership in a manner inconsistent with the individual’s reasonable expectation regarding disclosure of such information. Information revealing the sexual orientation or sexual behavior of an individual in a manner inconsistent with the individual’s reasonable expectation regarding disclosure of such information. Information revealing online activities over time and across third-party website or online services. Calendar information, address book information, phone or text logs, photos, or videos maintained on an individual’s device. A photograph, film, video recording, or other similar medium that shows the naked or undergarment-clad private area of an individual. Any other covered data processed or transferred for the purpose of identifying the above data types. 
Any other covered data that the [commission] determines to be sensitive covered data through a rulemaking pursuant to section 553 of title 5, United States Code.” “The term ‘sensitive covered data’ means any of the following forms of covered data of an individual: A unique, government-issued identifier, such as a Social Security number, passport number, or driver’s license number. Any covered data that describes or reveals the diagnosis or treatment of past, present, or future physical health, mental health, or disability of an individual. A financial account number, debit card number, credit card number, or any required security or access code, password, or credentials allowing access to any such account. Covered data that is biometric information. Precise geolocation information capable of determining with reasonable specificity the past or present actual physical location of an individual or device at a specific point in time. The contents of an individual’s private communications or the identity of the parties subject to such communications, unless the covered entity is the intended recipient of the communication; Account log-in credentials such as a user name or email address, in combination with a password or security question and answer that would permit access to an online account. Covered data revealing an individual’s racial or ethnic origin, or religion in a manner inconsistent with the individual’s reasonable expectation regarding the processing or transfer of such information. Covered data revealing the sexual orientation or sexual behavior of an individual in a manner inconsistent with the individual’s reasonable expectation regarding the processing or transfer of such information. Covered data about the online activities of an individual that relate to a category of covered data described in another subparagraph of this paragraph. 
Covered data that is calendar information, address book information, phone or text logs, photos, or videos maintained on an individual’s device. Any covered data collected or processed by a covered entity for the purpose of identifying covered data described in another paragraph of this paragraph. Any other category of covered data designated by the [commission] pursuant to a rulemaking under section 553 of title 5, United States Code, if the [commission] determines that the processing or transfer of covered data in such category in a manner that is inconsistent with the reasonable expectations of an individual would be likely to be highly offensive to a reasonable individual.”
DUTY OF LOYALTY “A covered entity shall not engage in a deceptive data practice or a harmful data practice; or process or transfer covered data in a manner that violates any provision of this [act].”“The term ‘deceptive data practice’ means an act or practice involving the processing or transfer of covered data in a manner that constitutes a deceptive act or practice in violation of section 5(a)(1) of the Federal Trade Commission Act (15 U.S.C. 45(a)(1)).”“The term ‘harmful data practice’ means the processing or transfer of covered data in a manner that causes or is likely to cause any of the following: Financial, physical, or reputational injury to an individual. Physical or other offensive intrusion upon the solitude or seclusion of an individual or the individual’s private affairs or concerns, where such intrusion would be offensive to a reasonable person. Other substantial injury to an individual.” N/A
PROHIBITION ON DENIAL OF GOODS AND SERVICES “A covered entity shall not condition the provision of a service or product to an individual on the individual’s agreement to waive privacy rights guaranteed by sections 101, 105(a), and 106 through 109 of this [act]; and sections 102 through 104, and 105(b) and © of this [act] …” “A covered entity shall not deny goods or services to an individual because the individual exercised any of the rights established under this title.”
RIGHT TO TRANSPARENCY “A covered entity shall make publicly and persistently available, in a conspicuous and readily accessible manner, a privacy policy that provides a detailed and accurate representation of the entity’s data processing and data transfer activities.” “A covered entity that processes covered data shall, with respect to each service or product provided by the covered entity, publish a privacy policy that is disclosed, in a clear and conspicuous manner, to an individual prior to or at the point of the collection of covered data from the individual; and made available, in a clear and conspicuous manner, to the public.”
RIGHT TO OBJECT/OPT-OUT OF TRANSFERS “A covered entity shall not transfer an individual’s covered data to a third party if the individual objects to the transfer; and shall allow an individual to object to the covered entity transferring covered data of the individual to a third party through a process established under the rule issued by the [commission] pursuant to paragraph (2).”“Not later than 18 months after the date of enactment of this [act], the [commission] shall issue a rule under section 553 of title 5, United States Code, establishing one or more acceptable processes for covered entities to follow in allowing individuals to opt out of transfers of covered data.”“The processes established by the [commission] pursuant to this subparagraph shall be centralized, to the extent feasible, to minimize the number of opt-out designations of a similar type that a consumer must make; include clear and conspicuous opt-out notices and consumer friendly mechanisms to allow an individual to opt out of transfers of covered data; allow an individual that objects to a transfer of covered data to view the status of such objection; allow an individual that objects to a transfer of covered data to change the status of such objection; be privacy protective; and be informed by the [commission’s] experience developing and implementing the National Do Not Call Registry.” “A covered entity shall provide an individual with the right to object to the processing and transfer of such individual’s covered data.”
DATA MINIMIZATION “A covered entity shall not process or transfer covered data beyond what is reasonably necessary, proportionate, and limited to carry out the specific processing purposes and transfers described in the privacy policy made available by the covered entity as required under section 102; to carry out a specific processing purpose or transfer for which the covered entity has obtained affirmative express consent; or for a purpose specifically permitted under subsection (d) of section 110 (on “Exceptions to Affirmative Express Consent”).” “… a covered entity shall not collect, process, or transfer covered data beyond what is reasonably necessary, proportionate, and limited to provide or improve a product, service, or a communication about a product or service, including what is reasonably necessary, proportionate, and limited to provide a product or service specifically requested by an individual or reasonably anticipated within the context of the covered entity’s ongoing relationship with an individual.”
DESIGNATION OF PRIVACY OFFICER AND DATA SECURITY OFFICER “A covered entity shall designate [one] or more qualified employees as privacy officers; and [one] or more qualified employees … as data security officers.” “A covered entity shall designate [one] or more qualified employees or contractors as privacy officers; and [one] or more qualified employees or contractors … as data security officers.”
RIGHT TO DATA SECURITY “A covered entity shall establish, implement, and maintain reasonable data security practices to protect the confidentiality, integrity, and accessibility of covered data.” “A covered entity shall establish, implement, and maintain reasonable administrative, technical, and physical data security policies and practices to protect against risks to the confidentiality, security, and integrity of sensitive covered data.”
PRIVACY AND DATA SECURITY PROGRAMS, RISK/IMPACT ASSESSMENTS “An employee who is designated by a covered entity as a privacy officer or a data security officer shall be responsible for, at a minimum implementing a comprehensive written data privacy program and data security program to safeguard the privacy and security of covered data throughout the life cycle of development and operational practices of the covered entity’s products or services; annually conducting privacy and data security risk assessments, data hygiene, and other quality control practices; and facilitating the covered entity’s ongoing compliance with this [act].” “Not later than [one] year after the date of enactment of this [act] /(or, if later, not later than [one] year after a covered entity first meets the definition of large data holder (as defined in section 2))/, each covered entity that is a large data holder shall conduct a privacy impact assessment that weighs the benefits of the covered entity’s covered data collection, processing, and transfer practices against the potential adverse consequences to individual privacy of such practices.”“A privacy impact assessment required under paragraph (1) shall be reasonable and appropriate in scope given the nature of the covered data collected, processed, or transferred by the covered entity; the volume of the covered data collected, processed, or transferred by the covered entity; and the potential risks posed to individuals by the collection, processing, and transfer of covered data by the covered entity; shall be documented in written form and maintained by the covered entity unless rendered out of date by a subsequent assessment conducted under subsection (b); and shall be approved by the privacy officer of the covered entity.”“A covered entity that is a large data holder shall, not less frequently than once every [two] years after the covered entity conducted the privacy impact assessment required under subsection (a), conduct a privacy 
impact assessment of the collection, processing, and transfer of covered data by the covered entity to assess the extent to which the ongoing practices of the covered entity are consistent with the covered entity’s published privacy policies and other representations that the covered entity makes to individuals; any customizable privacy settings included in a service or product offered by the covered entity are adequately accessible to individuals who use the service or product and are effective in meeting the privacy preferences of such individuals; the practices and privacy settings described in subparagraphs (A) and (B), respectively meet the expectations of a reasonable individual; and provide an individual with adequate control over the individual’s covered data; the covered entity could enhance the privacy and protection of covered data through technical or operational safeguards such as encryption, deidentification, and other privacy-enhancing technologies; and the processing of covered data is compatible with the stated purposes for which it was collected.”“The privacy officer of a covered entity shall approve the findings of an assessment conducted by the covered entity under this subsection.”
DATA PRIVACY AND SECURITY RELIEF FUND “There is established in the Treasury of the United States a separate fund to be known as the ‘Data Privacy and Security Relief Fund.’”“The [commission] shall deposit into the Relief Fund the amount of any civil penalty obtained against any covered entity in any judicial or administrative action the [commission] commences to enforce this [act] or a regulation promulgated under this [act].” “There is established in the Treasury of the United States a separate fund to be known as the ‘Data Privacy and Security Victims Relief Fund.’”“The [commission] shall deposit into the Victims Relief Fund the amount of any civil penalty obtained against any covered entity in any judicial or administrative action the [commission] commences to enforce this [act] or a regulation promulgated under this [act].”
RIGHT TO ACCESS “A covered entity, upon the verified request of an individual, shall provide the individual, in a human-readable format that a reasonable individual can understand, with a copy or accurate representation of the covered data of the individual processed or transferred by the covered entity; and the name of any third party to whom covered data of the individual has been transferred by the covered entity and a description of the purpose for which the entity transferred such data to such third party.” “A covered entity shall provide an individual, immediately or as quickly as possible and in no case later than 45 days after receiving a verified request from the individual, with the right to access the covered data of the individual, or an accurate representation of the covered data of the individual, that is processed by the covered entity and any service provider of the covered entity.”
RIGHT TO CORRECTION “A covered entity, upon the verified request of an individual, shall correct, or allow the individual to correct, inaccurate or incomplete information in the covered data of the individual that is processed by the covered entity; and inform any service provider or third party to which the covered entity transferred such data of the corrected information.” “A covered entity shall provide an individual … with the right to … request that the covered entity correct inaccuracies or incomplete information with respect to the covered data of the individual that is processed by the covered entity; and notify any service provider or third party to which the covered entity transferred such covered data of the corrected information.”
RIGHT TO DELETION “A covered entity, upon the verified request of an individual, shall delete, or allow the individual to delete, any information in the covered data of the individual that is processed by the covered entity; and inform any service provider or third party to which the covered entity transferred such data of the individual’s deletion request.” “A covered entity shall provide an individual … with the right to … request that the covered entity delete or deidentify covered data of the individual that is processed by the covered entity; and notify any service provider or third party to which the covered entity transferred such covered data of the individual’s request.”
RIGHT TO DATA PORTABILITY “A covered entity, upon the verified request of an individual, shall export the individual’s covered data, except for derived data, without licensing restrictions in a human-readable format that allows the individual to understand such covered data of the individual; and in a structured, interoperable, and machine-readable format that includes all covered data or other information that the covered entity collected to the extent feasible.” “A covered entity shall provide an individual … with the right to … to the extent that is technically feasible, provide covered data (except for inferred data) … in a portable, structured, standards-based, interoperable, and machine-readable format that is not subject to licensing restrictions.”
VERIFICATION OF REQUESTS “A covered entity shall not permit an individual to exercise a right described in sections 102 through 105(a) if the covered entity cannot reasonably verify that the individual making the request to exercise the right is the individual whose covered data is the subject of the request or an individual authorized to make such a request on the individual’s behalf.”“If a covered entity cannot reasonably verify that a request to exercise a right described in sections 102 through 105(a) is made by the individual whose covered data is the subject of the request (or an individual authorized to make such a request on the individual’s behalf), the covered entity shall request the provision of additional information necessary for the sole purpose of verifying the identity of the individual and shall not process or transfer such additional information for any other purpose.”“A covered entity shall minimize the inconvenience to consumers relating to the verification or authentication of requests.” “A covered entity shall not comply with a request to exercise the rights described in paragraph (1) if the covered entity cannot verify that the individual making the request is the individual to whom the covered data that is the subject of the request relates.”“A covered entity shall not comply with a request to exercise the rights described in paragraph (1) if the covered entity cannot verify that the individual making the request is the individual to whom the covered data that is the subject of the request relates; and may decline to comply with a request that would require the entity to retain any covered data for the sole purpose of fulfilling the request; be impossible or demonstrably impracticable to comply with; or require the covered entity to reidentify covered data that has been deidentified.”“Not later than 1 year after the date of enactment of this [act], the [commission] shall promulgate regulations under section 553 of title 5, United States 
Code, establishing requirements for covered entities with respect to the verification of requests to exercise rights described in subsection (a)(1).”
CONSENT TO PROCESS SENSITIVE DATA “A covered entity shall not process the sensitive covered data of an individual without the individual’s prior, affirmative express consent; shall not transfer the sensitive covered data of an individual without the individual’s prior, affirmative express consent; shall provide an individual with a consumer-friendly means to withdraw affirmative express consent to process the sensitive covered data of the individual; and is not required to obtain prior, affirmative express consent to process or transfer publicly available information.” “A covered entity shall not without the prior, affirmative express consent of the individual to whom the covered data relates transfer sensitive covered data to a third party; or process sensitive covered data.”“In obtaining the affirmative express consent of an individual to process the sensitive covered data of the individual as required under subsection (a)(2), a covered entity shall provide the individual with notice that shall include a description of the processing purpose for which consent is sought; clearly identify and distinguish between a processing purpose that is necessary to fulfill a request made by the individual and a processing purpose that is not necessary to fulfill a request made by the individual; include a prominent heading that would enable a reasonable individual to easily identify the processing purpose for which consent is sought; and clearly explain the individual’s right to provide or withhold consent.
CONSENT TO TRANSFER CHILDREN’S DATA N/A “A covered entity shall not transfer the covered data of an individual to a third-party without affirmative express consent from the individual or the individual’s parent or guardian if the covered entity has actual knowledge that the individual is less than 16 years of age.”
BIOMETRIC DATA “Not later than [one] year after the date of enactment of this [act], the [commission] shall promulgate regulations pursuant to section 553 of title 5, United States Code, identifying privacy protective requirements for the processing of biometric information …” “The [commission] may promulgate regulations pursuant to section 553 of title 5, United States Code, identifying additional privacy-protective exemptions for biometrics consent.”
EXECUTIVE RESPONSIBILITY “Beginning [one] year after the date of enactment of this [act], the chief executive officer of a covered entity that is a large data holder (or, if the entity does not have a chief executive officer, the highest ranking officer of the entity) and each privacy officer and data security officer of such entity shall annually certify to the [commission], in a manner specified by the [commission], that the entity maintains adequate internal controls to comply with this [act]; and reporting structures to ensure that such certifying officers are involved in, and are responsible for, decisions that impact the entity’s compliance with this [act].”“A certification submitted under subsection (a) shall be based on a review of the effectiveness of a covered entity’s internal controls and reporting structures that is conducted by the certifying officers no more than 90 days before the submission of the certification.” N/A
APPROVED CERTIFICATION PROGRAMS N/A “The [commission] may approve certification programs developed by 1 or more covered entities or associations representing categories of covered entities to create standards or codes of conduct regarding compliance with or more provisions in this [act].”“To be eligible for approval by the [commission], a certification program shall specify clear and enforceable requirements for covered entities participating in the program that provide an overall level of privacy or data security protection that is equivalent to or greater than that provided in the relevant provisions in this [act]; require each participating covered entity to post in a prominent place a clear and conspicuous public attestation of compliance and a link to the website … ; include a process for the independent assessment of a participating covered entity’s compliance with the program prior to certification and on an annual basis; create a website describing the program’s goals and requirements, listing participating covered entities, and providing a method for individuals to ask questions and file complaint about the program or any participating covered entity; take meaningful action for non-compliance with the relevant provisions of this [act] by any participating covered entity, which shall depend on the severity of the non-compliance and may include removing the covered entity from the program; referring the covered entity to the [commission] for enforcement; publicly reporting the disciplinary action taken with respect to the covered entity; providing redress to individuals harmed by the non-compliance; making voluntary payments to the United States Treasury; and taking any other action or actions to ensure the compliance of the covered entity with respect to the relevant provisions of this [act] and deter future non-compliance; and issue annual reports to the [commission] and to the public detailing the activities of the program and its effectiveness during the 
preceding year in ensuring compliance with the relevant provisions of this [act] by participating covered entities and taking meaningful disciplinary action for non-compliance with such provisions by such entities.”
DATA BROKER REGISTRATION N/A “Not later than [Jan.] 31 of each calendar year that follows a calendar year during which a covered entity acted as a data broker, such covered entity shall register with the [commission] pursuant to the requirements of this section.”“In registering with the [commission] as required under subsection (a), a data broker shall do the following: Pay to the [commission] a registration fee of $100. Provide the [commission] with the following information: The name and primary physical, email, and internet addresses of the data broker. Any additional information or explanation the data broker chooses to provide concerning its data collection and processing practices.”“A data broker that fails to register as required under subsection (a) of this section shall be liable for a civil penalty of $50 for each day it fails to register, not to exceed a total of $10,000 for each year; and an amount equal to the fees due under this section for each year that it failed to register as required under subsection (a).”“The [commission] shall publish on the internet website of the [commission] the registration information provided by data brokers under this section.”
WHISTLEBLOWER PROTECTIONS “A covered entity shall not, directly or indirectly, discharge, demote, suspend, threaten, harass, or in any other manner discriminate against a covered individual of the covered entity because the covered individual, or anyone perceived as assisting the covered individual, takes (or the covered entity suspects that the covered individual has taken or will take) a lawful action in providing to the [federal government] or the attorney general of a [state] information relating to any act or omission that the covered individual reasonably believes to be a violation of this [act] or any regulation promulgated under this [act]; the covered individual provides information that the covered individual reasonably believes evidences such a violation to a person with supervisory authority over the covered individual at the covered entity; or another individual working for the covered entity who the covered individual reasonably believes has the authority to investigate, discover, or terminate the violation or to take any other action to address the violation; the covered individual testifies (or the covered entity expects that the covered individual will testify) in an investigation or judicial or administrative proceeding concerning such a violation; or the covered individual assists or participates (or the covered entity expects that the covered individual will assist or participate) in such an investigation or judicial or administrative proceeding, or the covered individual takes any other action to assist in carrying out the purposes of this [act].”“An individual who alleges discharge or other discrimination in violation of subsection (a) may bring an action governed by the rules, procedures, statute of limitations, and legal burdens of proof in section 42121(b) of title 49, United States Code. 
If the individual has not received a decision within 180 days and there is no showing that such delay is due to the bad faith of the claimant, the individual may bring an action for a jury trial, governed by the burden of proof in section 42121(b) of title 49, United States Code, in the appropriate district court of the United States for the following relief: (1) Temporary relief while the case is pending. (2) Reinstatement with the same seniority status that the individual would have had, but for the discharge or discrimination. (3) Three times the amount of back pay otherwise owed to the individual, with interest. (4) Consequential and compensatory damages, and compensation for litigation costs, expert witness fees, and reasonable attorneys’ fees.” “In seeking penalties under section 401 for a violation of this [act] or a regulation promulgated under this [act] by a covered entity, the [commission] shall consider whether the covered entity retaliated against an individual who was a whistleblower with respect to original information that led to the successful resolution of an administrative or judicial action brought by the [commission] or the [attorney general] of the United States under this [act] against such covered entity.”
DIGITAL CONTENT FORGERIES “Not later than [one] year after the date of enactment of this [act], and annually thereafter, the [director] of the National Institute of Standards and Technology shall publish a report regarding digital content forgeries.” “Each report under subsection (a) shall include the following: A definition of digital content forgeries along with accompanying explanatory materials. The definition developed pursuant to this section shall not supersede any other provision of law or be construed to limit the authority of any executive agency related to digital content forgeries. A description of the common sources in the United States of digital content forgeries and commercial sources of digital content forgery technologies. An assessment of the uses, applications, and harms of digital content forgeries. An analysis of the methods and standards available to identify digital content forgeries as well as a description of the commercial technological counter-measures that are, or could be, used to address concerns with digital content forgeries, which may include the provision of warnings to viewers of suspect content. A description of the types of digital content forgeries, including those used to commit fraud, cause harm or violate any provision of law. Any other information determined appropriate by the [director].” “Not later than [one] year after the National Institute of Standards and Technology publishes the definition and materials required under subsection (a), the [commission] shall publish a report regarding the impact of digital content forgeries on individuals and competition.” “Not later than [two] years after the publication of the report required under paragraph (1), and as often as the [commission] shall deem necessary thereafter, the [commission] shall publish an updated version of such report.” “Each report required under this subsection shall include a description of the types of digital content forgeries, including those used to commit fraud, cause adverse consequences, violate any provision of law enforced by the [commission], or violate civil rights recognized under [federal] law; a description of the common sources in the United States of digital content forgeries and commercial sources of digital content forgery technologies; an assessment of the uses, applications, and adverse consequences of digital content forgeries, including the impact of digital content forgeries on consumers, digital identity, and competition; an analysis of the methods available to consumers to identify digital content forgeries as well as a description of commercial technological counter-measures that are, or could be, used to address concerns with digital content forgeries, which may include counter-measures that warn viewers of suspect content; a description of any remedies available to protect an individual’s identity and reputation from adverse consequences caused by digital content forgeries, such as protections or remedies available under the Federal Trade Commission Act (15 U.S.C. 41 et seq.) or any other law; and any additional information the [commission] determines appropriate.” “Not later than [one] year after the date of enactment of this [act], the Director of the National Institute of Standards and Technology, in coordination with the Federal Trade Commission, shall establish under section 24 of the Stevenson-Wydler Technology Innovation Act of 1980 (15 U.S.C. 3719) a prize competition to spur the development of technical solutions to assist individuals and the public in identifying on digital content forgeries and related technologies.” “Not later than [six] months after the date of enactment of this [act], the National Institute of Standards and Technology shall develop and publish a definition of ‘digital content forgery’ and accompanying explanatory materials.” “In developing a definition of ‘digital content forgery’ under subsection (a), the National Institute of Standards and Technology shall consider the following factors: Whether the content is created with the intent to deceive viewers or listeners into believing the content was genuine. Whether the content is genuine or manipulated. The impression the content makes on a reasonable observer. Whether the production of the content was substantially dependent upon technical means, rather than the ability of another person to physically or verbally impersonate such person. The scope of technologies that may be utilized during the creation or publication of digital content forgeries, including video recording or film; sound recording; electronic image, or photograph; or any digital representation of speech or conduct.” “The definition published by the National Institute of Standards and Technology under subsection (a) shall not supersede any other provision of law or be construed to limit the authority of any executive agency related to digital content forgeries.”
PREEMPTION OF STATE LAW
COPRA: “This [act] shall supersede any [state] law to the extent such law directly conflicts with the provisions of this [act], or a standard, rule, or regulation promulgated under this [act], and then only to the extent of such direct conflict. Any [state] law, rule, or regulation shall not be considered in direct conflict if it affords a greater level of protection to individuals protected under this [act].”
CDPA: “No [state] or political subdivision of a [state] may adopt, maintain, enforce, or continue in effect any law, regulation, rule, requirement, or standard related to the data privacy or security and associated activities of covered entities.” “Subsection (b) may not be construed to preempt [state] laws that directly establish requirements for the notification of consumers in the event of a data breach.”
PROHIBITION ON DISCRIMINATORY DATA PROCESSING
COPRA: “A covered entity shall not process or transfer covered data on the basis of an individual’s or class of individuals’ actual or perceived race, color, ethnicity, religion, national origin, sex, gender, gender identity, sexual orientation, familial status, biometric information, lawful source of income, or disability for the purpose of advertising, marketing, soliciting, offering, selling, leasing, licensing, renting, or otherwise commercially contracting for a housing, employment, credit, or education opportunity, in a manner that unlawfully discriminates against or otherwise makes the opportunity unavailable to the individual or class of individuals; or in a manner that unlawfully segregates, discriminates against, or otherwise makes unavailable to the individual or class of individuals the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation.”
CDPA: N/A
NEW FTC BUREAU
COPRA: “The [commission] shall establish a new [bureau] within the [commission] comparable in structure, size, organization, and authority to the existing [bureaus] with the [commission] related to consumer protection and competition.”
CDPA: N/A
PRIVATE RIGHT OF ACTION
COPRA: “Any individual alleging a violation of this [act] or a regulation promulgated under this [act] may bring a civil action in any court of competent jurisdiction, [state] or [federal].”
CDPA: N/A
EXCEPTIONS
COPRA: “A covered entity may process or transfer covered data without the individual’s affirmative express consent for any of the following purposes, provided that the processing or transfer is reasonably necessary, proportionate, and limited to such purpose: To complete a transaction or fulfill an order or service specifically requested by an individual, such as billing, shipping, or accounting. To perform system maintenance, debug systems, or repair errors to ensure the functionality of a product or service provided by the covered entity. To detect or respond to a security incident, provide a secure environment, or maintain the safety of a product or service. To protect against malicious, deceptive, fraudulent or illegal activity. To comply with a legal obligation or the establishment, exercise, or defense of legal claims. To prevent an individual from suffering harm where the covered entity believes in good faith that the individual is in danger of suffering death or serious physical injury. To effectuate a product recall pursuant to [federal] or [state] law. To conduct scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws and is approved, monitored, and governed by an institutional review board or a similar oversight entity that meets standards promulgated by the [commission] pursuant to section 553 of title 5, United States Code.”
CDPA: “… a covered entity may collect, process or transfer covered data for any of the following purposes, provided that the collection, processing, or transfer is reasonably necessary, proportionate, and limited to such purpose: To complete a transaction or fulfilling an order or service specifically requested by an individual, including associated routine administrative activities such as billing, shipping, and accounting. To perform internal system maintenance and network management. Subject to subsection (c), to detect or respond to a security incident, provide a secure environment, or maintain the safety of a product or service. Subject to subsection (c), to protect against malicious, deceptive, fraudulent, or illegal activity. To comply with a legal obligation or the establishment, exercise, or defense of legal claims. To prevent an individual from suffering serious harm where the covered entity believes in good faith that the individual is at risk of death or serious physical injury. To effectuate a product recall pursuant to [federal] or [state] law. To conduct internal research to improve, repair, or develop products, services, or technology. To engage in an act or practice that is fair use under copyright law. To conduct a public or peer-reviewed scientific, historical, or statistical research that is in the public interest; adheres to all applicable ethics and privacy laws; and is approved, monitored, and governed by an institutional review board or other oversight entity that meets standards promulgated by the [commission] pursuant to section 553 of title 5, United States Code.”

Overall:

  • Preemption of stricter state laws (CDPA)
  • Private right of action (COPRA)
  • Recognition of “harmful” data practices (COPRA)
  • Shifting the burden of request verification to covered entities (COPRA)
  • Protection of civil rights (COPRA)
  • Algorithmic decision-making impact assessment (COPRA)
  • Executive responsibilities (COPRA)
  • Approved certification programs (CDPA)
  • Data broker registration (CDPA)
  • Establishment of a new #FTC bureau (COPRA)