Consumers across the globe have heard new acronyms regarding privacy, from the General Data Protection Regulation (GDPR) to the California Consumer Protection Act (CCPA). All of these regulations have a simple goal: create trust between brands and consumers. However, most of the regulations have been developed in silos, at the state or regional level only.

The latest US legislation is known as the Consumer Online Privacy Rights Act (COPRA). COPRA is designed to “provide consumers with foundational data privacy rights, create strong oversight mechanisms, and establish meaningful enforcement,” laudable goals and ones on which privacy advocates, consumers and industry are increasingly finding common ground as states around the country craft disparate rules on privacy protection.

The quote above comes from a recent IAPP article entitled “US Senators Unveil New Federal Privacy Legislation.” The article also highlights the penalty level included in COPRA, which is between $100-1,000 per infraction per day.

One novelty or twist that COPRA brings to the table is that the bill tackles algorithmic decision-making, requiring those engaged in the practice to facilitate advertising or eligibility determinations for housing, education, employment or credit to conduct an impact assessment annually for accuracy, fairness, bias and discrimination. Challenges related to “deep fakes” are also addressed.

Below is an excerpt from the article that highlights the six pillars of COPRA:

  1. Consent: The bill requires individual consent for data processing, including express affirmative consent for processing sensitive data, which is very broadly defined but excludes “publicly-available information.” Much like the California Consumer Privacy Act, COPRA provides individuals the right to opt out of the transfer of their covered data for “valuable consideration” and would grant the FTC rulemaking in that area.
  2. Access: The act requires covered entities to provide individuals with their own covered data upon request, in a portable format, as well as the name of any third party to which it has been transferred for valuable consideration.
  3. Correction and deletion: Individuals are granted the right to correct and delete their own covered data.
  4. Transparency: Covered entities must publish a privacy policy that includes information commonly seen in such policies today. This includes contact information for the entity, the categories of data processed, and the categories of third parties and service providers to which information is transferred. Somewhat more novel requirements include retention timelines, and perhaps more contentious, the identity of each third party to which covered data is transferred. The policy must be made available in all languages in which the covered entity does business.
  5. Data minimization: Covered entities may only process covered data for specific purposes, subject to necessity and proportionality standards.
  6. Data security: Covered entities must provide reasonable security, assess vulnerabilities, implement corrective action when risks are identified and dispose of data that is no longer needed.

As noted in the third bullet point above, consumer deletion requests will continue to be a key part of almost all new privacy regulations. For digital marketers, finance, IT professionals and legal teams, the greatest hurdle may be consent management and the “Right to Erasure/Deletion” itself.

Contemporary organizations are searching for module-based solutions such as RIVN to step up and meet this need with an easy-to-use, SaaS-based single function that allows brands worldwide to meet business needs and be ready for what is next.

To learn more about the regulations mentioned above, please see the links below: