Consumer Online Privacy Rights Act

Consumer Online Privacy Rights Act

This bill places requirements on entities that process or transfer a consumer's data.

Specifically, the bill requires such entities to

• make their privacy policy publicly available and provide an individual with access to their personal data;
• delete or correct, upon request, information in an individual's data;
• export, upon request, an individual's data in a human-readable and machine-readable format;
• establish data security practices to protect the confidentiality and accessibility of consumer data; and
• designate a privacy officer and a data security officer to implement and conduct privacy and data security programs and risk assessments.

Further, the bill prohibits such entities from

• engaging in deceptive or harmful data practices;
• transferring an individual's data to a third party if the individual objects;
• processing or transferring an individual's sensitive data without affirmative express consent;
• processing or transferring data beyond what is reasonably necessary or for which they have obtained affirmative express consent;
• processing or transferring data on the basis of specified protected characteristics (e.g., race, religion, or gender);
• conditioning the provision of a service or product on an individual's agreement to waive their privacy rights; and
• retaliating against an employee who provides information about a potential violation of the bill's provisions, or who testifies or assists in an investigation or judicial proceeding concerning such a violation.

The Federal Trade Commission must establish a new bureau to assist with enforcement of these provisions.