HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Consumer Online Privacy Rights Act Offers CCPA-Style Privacy Protections for All U.S. Citizens

A federal law giving U.S. citizens new rights over their personal data has been introduced by U.S. Sen. Maria Cantwell (D-Washington). The Consumer Online Privacy Rights Act (COPRA) proposes California Consumer Privacy Act (CCPA) style protections at a national level to better protect the privacy of consumers and give them greater control over how their personal data is used.

CCPA will take effect on January 1, 2020, but only applies to California residents. While there are laws in most states covering privacy and data security, there is no federal law covering all states. If such a law is introduced, it would make the rights of all U.S. citizens crystal clear and all Americans would have the same rights over how their personal data is used, irrespective of where they live.

The bill, co-sponsored by Sens. Amy Klobuchar (D-Minnesota), Ed Markey (D-Massachusetts), and Brian Schatz (D-Hawaii), is not the first of its type to be introduced. Several other bills have been introduced, but they have failed to receive the required support.

This bill may gather more support than others as it does not place an undue burden on small businesses, which are largely exempt. COPRA will apply to businesses, not-for-profits, certain financial institutions, and other entities covered by the Federal Trade Commission Act, but compliance with COPRA will not be mandatory for businesses with revenues of less than $25 million per year. COPRA will also not apply to entities that generate less than 50% of their revenue from transferring covered consumer data for valuable consideration.


At the heart of the bill is the requirement for consent to be obtained from U.S. citizens before their personal data is collected, processed, or used. Similar to the EU’s General Data Protection Regulation (GDPR), affirmative consent will be required. That means consent must be provided by an affirmative act that confirms consent to a specific act or practice. An individual must be told, in clear, precise, and easy-to-understand language that consent is required and what the individual is consenting to.

The law introduces a duty of loyalty, which prohibits deceptive data practices and harmful data practices, including those that may cause financial, reputational, or physical injury.

COPRA gives U.S. citizens the right to access the personal data stored on them by a covered entity. A copy of that information must be provided, on request, along with details of the entities to whom that data has been disclosed and the reason why data transfer occurred.

Covered entities will be required to publish a privacy policy, written in easy-to-understand language, that describes how an individual’s data will be used, to whom that data will be made available, for how long the information will be retained, and the covered entity’s data security and data minimization policies. To ensure all consumers understand how data will be used, COPRA requires privacy policies to be made available in all languages in which the covered entity provides the product or services. Consumers must also be told how they can exercise the rights they are afforded by COPRA.

COPRA also includes a Right to Delete. U.S. citizens can request that all personal data held by a covered entity be deleted and that all processing stop, and they can opt out of data sharing.

COPRA will be enforced by the Federal Trade Commission (FTC). The proposed penalties for noncompliance range from $100 to $1,000 per violation per day, along with the cost of attorneys’ fees and equitable relief. Those financial penalties will be deposited in a fund that will be used for education efforts and for redress and compensation for individuals affected by any privacy violations.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.