Brad Elbein and Beth Fulkerson co-author article about likely Consumer Online Privacy Rights Act (COPRA)

Brad Elbein and Beth Fulkerson co-author article about likely Consumer Online Privacy Rights Act (COPRA)

COPRA May Be Coming, and It’s Not Too Soon to Prepare

By Brad M. Elbein and Beth A. Fulkerson
(originally published on E-Commerce Times)

All eyes are on the West Coast as the state of California reins in the unfettered collection, use and sale of the personal data consumers share as part of the bargain for “free” online services. For years this bargain has been explained in privacy policies that few people read, because there is not a lot of negotiating in the personal data market. The California Consumer Privacy Act (CCPA) gives consumers revolutionary rights to access, delete, transfer, and prevent the sale of their data.

As revolutionary as the CCPA is, there are even more significant privacy and data security law developments brewing on the other side of the continent. In Washington, D.C., for the first time in history, Congress is giving serious consideration to legislation providing comprehensive privacy and data security (PDS). A confluence of unlikely events makes it more likely than ever that Congress actually will pass PDS legislation introduced at the end of November as the Consumer Online Privacy Rights Act (COPRA).

Bits and Pieces

Neither CCPA nor COPRA is the first PDS statute by a long shot. Nearly a dozen federal statutes include PDS elements. Each is narrowly focused — none are broadly applicable to privacy and data security concerns. Among the patchwork quilt of PDS statutes:

  • CAN-SPAM (Controlling the Assault of Non-Solicited Pornography and Marketing)
  • COPPA (Children’s Online Privacy Protection Act)
  • FACTA (Fair and Accurate Credit Transactions Act)
  • FCRA (Fair Credit Reporting Act)
  • HIPAA (Health Insurance Portability and Accountability Act
  • RFPA (Right to Financial Privacy Act)
  • TCPA (Telephone Consumer Protection Act)

There are also some relevant rules:

  • DNC (Do-Not-Call)
  • Graham-Leach-Bliley Privacy Rule and Safeguards Rule
  • Red Flags Rule
  • TSR (Telemarketing Sales Rule)

The granddaddy statute of them all, Section 5 of the FTC Act, provides the foundation for many of these laws and a majority of the enforcement activity. The FTC for years has led enforcement efforts against bad actors and provided industry with guidelines.

The FTC’s 2012 report on protecting consumers set forth best practices for businesses. Among its recommendations: privacy by design (consumer privacy should be considered at every stage of product development); do-not-track mechanisms; and greater transparency. It also recommended — in 2012 — that Congress consider enacting general privacy legislation, legislation regulating data brokers, and data security and breach notification legislation.

Existing PDS laws are not just split among a witches’ brew of federal statutes. They also are split among the 50 states’ laws. All 50 state legislatures have passed data security breach laws, and they continue to amend them. A collage of state laws was relatively manageable in the brick-and-mortar world. Now it is a compliance nightmare. There are so many PDS laws that there is a need for a solution that might have been imagined by Tolkien: one statute to rule them all. Surprisingly, Congress appears to have stepped up to provide it in the form of COPRA.

Why now? One, Silicon Valley is an easy political target. The immense wealth of Facebook and Google suggests that consumers have not received a fair bargain in the trade of free online services for personal data. Two, the FTC brought actions against each of those companies for data privacy violations and settled for amounts that congressional Democrats have ridiculed as entirely too low to incentivize better behavior.

Three, the Cambridge Analytica scandal revealed how profiling can be used for nefarious purposes. Four, the European Union’s GDPR has provided a model for how to give consumers control over their own personal information. European PDS law might be ignored, but California stepping alone into the breach is an embarrassment to Congress and carries the threat of businesses having to contend with 50 comprehensive (and conflicting) PDS statutes coming from the states.

Regulate Us, Please

As is usual at this point in an area of rapidly evolving state enforcement, businesses that typically have opposed federal legislation now want federal legislation to save them from state efforts. Last spring, four major online advertising trade organizations (4A’s, ANA, IAB and NAI) formed a coalition with top legal experts to work with Congress to support comprehensive consumer data privacy and security legislation. The coalition, Privacy America, recommends creating a new Data Protection Bureau within the FTC.

For years the online advertising industry tried to fend off federal regulation by self-regulating, and providing consumers with mechanisms to opt out of online targeting. Efforts for a universal Do-Not-Track (DNT) option failed. The major browsers added a DNT setting, but websites have no legal obligation to honor DNT settings.

Consumers generally understand that online content is “free” so long as websites are supported by advertising, but with ads also appearing on e-commerce sites, where they’ve become an additional revenue stream, this stretches the traditional ad-assisted model. Consumers may or may not understand that the prices paid to websites for ad inventory are a function of the narrowness of the site’s audience.

Advertising technology now makes it possible for each ad impression (each ad space you see) to be submitted to real-time bidding by agents for advertisers. Adtech also makes it possible for consumers to block trackers and even block ads altogether. Each consumer who uses an adblocker becomes a free rider, putting more pressure on the website to generate more revenue from the unblocked ad impressions, and to purchase anti-adblocking technology, which diverts more money away from content development.

Other technology offers anonymous browsing and the ability to change IP addresses. Software developers will continue to develop more privacy-enhancing tools, and the most sophisticated consumers will make use of these self-help measures to protect their privacy. But what about everyone else?

There are two current legislative proposals before the Senate Commerce Committee, but COPRA has somehow stolen the limelight. Known as “the Democrats’ bill” as a nod to its sponsors in the Senate, COPRA is an attempt to create a comprehensive DPS regime applying to all business sectors in the U.S.

The proposed statute for the first time would establish that American consumers have rights to their data. These rights would, under COPRA, include the right to access their data, to move their data, to restrict data sharing and sales, and to be able to grant (or withhold) rights to process that data.

COPRA contains many proposals, and it is, alas, merely the legislative equivalent of a discussion draft doomed to be marked up by Congress. Following are the things we believe probably will survive the legislative process, in this bill or another:

  • The acknowledgment of some set of consumers’ rights to control some of their data;
  • A definition of “covered data” expanding consumers’ rights beyond merely the information they provide businesses;
  • A right by consumers to access, review and correct data;
  • Consumers’ right to control sale of some of their data;
  • Disclosure by companies of where at least some of their data on the consumer originated; and
  • Imposition upon companies holding data of duties to consumers, including posting privacy policies, creating training, and reporting to the responsible federal agency about their practices.

There are other proposed provisions that seem less likely to pass, if history is any guide. A statute that passes both houses is unlikely to include comprehensive rights for consumers to control all their data without regard to origin; a comprehensive “opt in” PDS regime; the right to move data at will; and a private right of action for damages.

One provision that has made a public splash in the news — but it pay to be skeptical about it — is the proposal for a new bureau at the FTC to handle privacy and data security matters. It’s true that the FTC has been the most consistent regulator of PDS for nearly three decades. It’s also true that given the history, the FTC is the logical place to house a regulator of PDS.

However, that same recent history counsels skepticism. After all, the FTC was the ideal place for the new regulator of consumer financial practices, but that’s not where CFPB ended up. Then there’s another reason to be skeptical: the bizarre sight of FTC commissioners testifying in Congress and begging lawmakers to not.

The Republican bill differs significantly from the Democrats’ bill in that it would preempt state laws and, like the CCPA, does not provide for a private right of action. Both the Republican and Democratic bills give lip service to providing the FTC with more resources.

Checklist for E-Commerce Companies

Given the historical moment that confronts us — the imminence of DPS legislation, the rapid development by all of the states of unique approaches, and the characteristic inability of Congress to pass laws — what should e-commerce businesses do? We have a few suggestions:

  1. Conduct a data audit. What do you have, where is it coming from, where is it stored, and where is it going? If you don’t need it, stop collecting it. This is part of basic data hygiene.
  2. Get contracts in place in both directions — inbound and outbound.
  3. Review the data security provisions in your data storage agreements. You may be unpleasantly surprised about the terms of your agreements.
  4. Review your data breach insurance.
  5. Review your contractual obligations in the event of a data breach. Watch out for open-ended indemnities.
  6. Determine what your legal responsibilities actually are now. If you do business in the EU, get compliant with GDPR. (There are American lawyers who are experts in GDPR.) If you do business in or are located in California, get compliant with CCPA. Check your state laws: They have a more immediate impact on your business than GDPR, CCPA or the anticipated federal legislation.
  7. Update compliance with existing PDS laws and regulations. As of now, the patchwork of federal statutes and rules mentioned above are the law. It’s entirely possible that compliance with existing law will grandfather you into whatever comes down the road from Washington. At the very least, updating or polishing your compliance program will give you a good foundation to leap up to the next big thing, whatever it is.
  8. If you have to make a big investment in DPS now, before things become clear — let’s say you’re starting a compliance program from scratch — the best bet is to comply with the requirements of the current federal DPS laws and your local state laws. Where no federal or state standard clearly applies, you might want to use the CCPA as a suggestion to inform your choices. (For example, no current federal law explicitly requires a company to publish a privacy policy on its website or to place a privacy policy link on its website. However, CCPA does. It’s not hard to predict that CCPA’s requirements for both will appear in whatever federal legislation finally passes.)

In any case, no matter what your situation, find an experienced compliance lawyer to guide you. Many e-commerce businesses shy away from any discussion of a compliance program, because the burden seems so extreme.

The truth is, no one needs to start from scratch to build a comprehensive compliance structure. A compliance lawyer can help you prioritize by identifying what compliance policies you need right now, what you can save for later, and what you don’t need at all.

Brad M. Elbein is a partner with the Atlanta offices of Culhane Meadows PLLC and former regional director of two regional offices of the FTC. His practice includes advertising, Internet marketing, the regulation of consumer financial products, and defense of government investigations.


Beth A. Fulkerson is a partner with the Chicago office of Culhane Meadows, PLLC. She formerly served as the chief privacy officer for Encyclopaedia Brittanica and Merriam-Webster, and senior counsel for Tribune Media. Her expertise includes e-commerce, privacy & data security, and the Internet of Things.
Email Beth.


About Culhane Meadows: With over 70 partners in 10 offices across the U.S., uniquely structured and cloud-based Culhane Meadows utilizes its Disruptive Law business model to deliver outstanding, partner-level legal services to major corporations and emerging companies across industry sectors more efficiently and cost-effectively than conventional law firms. US News & World Report has named Culhane Meadows among the country’s “Best Law Firms” in its 2014 through 2020 rankings.