There’s a lot to like about the Senate privacy bill, if it’s not watered down
Last week, Sen. Maria Cantwell (D-Wash.), joined by Sens. Ed Markey (D-Mass.), Brian Schatz (D-Hawaii) and Amy Klobuchar (D-Minn.), introduced what is probably the most robust U.S. privacy bill in history: the Consumer Online Privacy Rights Act (COPRA). If, like most people, you are concerned about modern threats to your privacy from digital technologies, there is much to like about this bill.
To get a better sense of what COPRA is all about, it’s helpful to think of it as three different kinds of bills rolled into one. As a data protection bill, COPRA incorporates some of the best elements of Europe’s General Data Protection Regulation (GDPR), such as limits on data collection and retention, as well giving people strong rights of access, deletion and correction of their personal information.
As a consumer protection effort, COPRA enhances the structures of consumer protection law by giving more power and resources to our top privacy regulator, the Federal Trade Commission. It also places a duty of loyalty on large technology companies, preventing them from using data to harm their customers; empowers state legislatures and state attorneys general; and gives individuals the right to sue for privacy violations that cause them harm.
Finally, as a privacy bill, COPRA adopts a broad and inclusive view of information rules that protect people with novel provisions on algorithmic accountability, civil rights, protection for whistleblowers, deep fakes (“digital content forgeries”), and a strong presumption against biometric surveillance.
Unfortunately, though, COPRA also takes on many of the same shortcomings of existing data protection frameworks such as the GDPR that over-leverage concepts of consent, notice and choice. Since COPRA’s data protection provisions are, even in its original state, generally less protective of consumers than Europe’s GDPR, the bill risks becoming what we’ve elsewhere called a “GDPR-lite.”
We know from decades of experience that consent and control have failed to protect privacy (and consumers and voters), but COPRA still idealizes control over personal information. Although rights of access, deletion and correction are critical, requirements to get “consent” and procedures to “opt in” or “opt out” of certain practices often have the practical effect of shifting the risk of dangerous practices onto people. Who among us has seriously read what we’ve agreed to in Facebook’s privacy policy? Even frequent, simple and detailed pop-up banners and “I agree” buttons burden us and risk blurring into the background as we use our phones and computers.
The retreat to consent leaves the whole COPRA framework open for exploitation and dilution. Our privacy law should prohibit dangerous and abusive practices, rather than provide road maps for consent to them. Companies have every reason to devote all their efforts to getting us to share and click “I agree,” and people cannot indefinitely resist or consistently shield themselves. Unless hard lines are drawn that outright prohibit certain data practices, such as persistent tracking and facial recognition, companies will never stop asking for our information — and they are quite skilled at getting it.
So now comes the hard part: negotiation. Industry no doubt will fight to weaken or eliminate some of COPRA’s strongest provisions. They will push for the statute to preempt state efforts, effectively having the statute serve as a ceiling rather than a floor of protection. They may challenge it with spurious First Amendment attacks that ignore the lessons of the Cambridge Analytica scandal that meaningful privacy protections are essential to democracy.
In fact, many of these factors are present in the recent draft bill circulated by Sen. Roger Wicker (R-Miss.), the chair of the Senate Commerce Committee. Wicker’s bill is widely preemptive of state law and contains no private right of action. Negotiation and compromise are, of course, part of the legislative process, but COPRA’s accommodation of state rules, distributed enforcement through state attorneys general and private causes of action, and protections against dilution through contracts must be non-negotiable.
In an ideal world, COPRA would be even stronger. For example, while COPRA’s recognition of a duty of loyalty is an important first step (and one that we have called for in our academic scholarship), its definition of loyalty should mean more than simply “do no harm.” In practice, the reluctance of federal courts to recognize new forms of legal harm has bedeviled privacy rules and efforts. The duty of loyalty should protect against unjust enrichment, wrongful manipulation, and abusive trade practices (sometimes called “dark patterns” online) that exploit known limits in consumer resources and cognition.
If the Cantwell bill is the opening salvo in a sustained attempt to enact a broader privacy framework that actually protects people, it is a strong and commendable effort. However, if it ends up being the high-water mark for negotiations, instead of an upward trajectory, we seem destined to settle for an ineffective U.S. version of a “GDPR-lite” that will only more deeply entrench the pathologies and power of tech giants, data brokers and ad surveillance networks.
We can do better on privacy than a GDPR-lite, or the inadequate Wicker bill, and the Cantwell bill is a good, if imperfect, place to begin.
Woodrow Hartzog is a professor of law and computer science at Northeastern University, and a fellow of the Cordell Institute for Policy in Medicine & Law at Washington University in St. Louis.
Neil Richards is the Koch Distinguished Professor in Law and a director of the Cordell Institute for Policy in Medicine & Law at Washington University in St. Louis.
Copyright 2023 Nexstar Media Inc. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed. Regular the hill posts