Consumer Online Privacy Rights Act (COPRA)

Codifies privacy as a right, creates a private right of action to enforce privacy rights and enables platform enforcement and accountability
Introduced on November 18, 2019

If this bill passed, what is one way a social media interface could look?

Mockup of a screen with a table displaying the number of interactions a user had with a hypothetical website with the ability to edit when data will be deleted for each interactions type. Buttons also exist to download, delete, and transfer data to another platform.

What are some things this bill would do?

Codify privacy as a right and create foundational privacy rights to empower citizens, including:
The right to be free from deceptive and harmful data practices that could lead to financial, physical, and reputational injury; the right to access detailed and clear information on how data is used and shared; the right to control the movement of data and prevent data from being distributed to unknown third parties; the right to delete or correct data; and the right to take their data to a competing product or service.
Improve data security, protect sensitive personal data, and support civil rights in the digital economy.
This bill would create data minimization standards and new data quality control mechanisms. It would also create heightened privacy standards for collecting and sharing sensitive data, such as biometric data and geolocation data.
Place enforcement & accountability mechanisms.
This bill would create new enforcement powers for the FTC to take action against unlawful discrimination. It would also empower consumers with a strong private right of action. Accountability requirements would be created so that senior executives take responsibility for decisions that impact privacy and risk penalties when they fall short. States would be given the authority to fully enforce COPRA.

We compiled these highlights from: Full text of the bill, Ars Technica article: “Senate takes another stab at privacy law with proposed COPRA bill”, Official COPRA one-page summary

If this bill passed, what is one way a social media interface could look?

Mockup of a screen with a table displaying the number of interactions a user had with a hypothetical website with the ability to edit when data will be deleted for each interactions type. Buttons also exist to download, delete, and transfer data to another platform.

How people responded to the Consumer Online Privacy Rights Act

We interviewed 41 people, from privacy experts to everyday people, to get feedback on the bill and prototype.
Read more about our interviews

Thoughts from the public

“I like that instead of creating limitations, it's creating user rights...I feel like if you were to limit infinite scroll that it would create some new sort of populating device. So I think it makes more sense to create rights on the side of the user engagement.”

- Valerie Michel, Systems Engineering PhD Candidate at University of Virginia

Insights from our interviews

Privacy is a fundamental human right.
Some interviewees argued that companies should be required to embed privacy into their platforms and that privacy should not cost a premium.
It’s unclear what users should expect from platforms in terms of their responsibility to uphold user privacy.
One interviewee questioned how privacy rights, which are quite broadly defined, would translate into tangible changes for users of online platforms.
It’s unclear how “duty of loyalty” would be acted upon.
Several interviewees wondered about the definition of this term, if a concept like this is actionable and how different companies would interpret their responsibilities to users.

Thoughts from the public

“I like that instead of creating limitations, it's creating user rights...I feel like if you were to limit infinite scroll that it would create some new sort of populating device. So I think it makes more sense to create rights on the side of the user engagement.”

- Valerie Michel, Systems Engineering PhD Candidate at University of Virginia

Positive responses to the bill

“I like all of these. I mean, this is like saying, I like apple pie, right? I particularly like the data portability part. I think data portability is a really important element to especially our social graph, like my friend graph and my contact graph. If we're going to have movement out of Facebook and Twitter toward decentralized privacy, enabling networks, having that graph portable is really important as a form of anti-competitive, soft power.”

- John Wilbanks, Chief Commons Officer Sage Bionetworks

“The right to correct inaccuracies makes more sense for health data. I have had a coworker who accidentally entered the wrong height in the [NIH’s] All of Us program, and he can't change it now. So he's a two foot six inches person who weighs 180 pounds.”

- Woody MacDuffie, Senior User Experience Designer, Thinkering

Concerns over the bill

“I would encourage more definition of things, right? Like, ‘Duty of Loyalty’ -- I don't have a law degree so that might be very clear to some audiences but not me.”

- Maria Filippelli, Public Interest Technology Census Fellow at New America

“None of this matters unless it has teeth, can be enforced and there are actually penalties that are commensurate with the actual profits that are being derived.”

- Peter Dolanjski, former Director of Privacy & Security products at Mozilla
letstalkprivacy@media.mit.edu