Starting Point for Negotiation: An Analysis of Senate Democratic Leadership’s Landmark Comprehensive Privacy Bill

Today, Senate Commerce Committee Ranking Member Maria Cantwell (D-WA), joined by top Democrats on the Senate Commerce Committee – Senators Markey, Schatz and Klobuchar – introduced a new comprehensive federal privacy bill, the Consumer Online Privacy Rights Act (COPRA). The bill is consistent with the Senate Democratic leadership positions announced last week and comes in advance of a December 4th Senate Commerce Committee hearing convened by Senator Wicker (R-Miss), Examining Legislative Proposals to Protect Consumer Data Privacy.

In substance, the bill primarily emphasizes individual control, codifying strong rights for individuals to be informed of data processing, and to be able to access, delete, correct, and port their data. The definition of covered data is broad, aligning with the GDPR and most other US privacy bills to date (data that “identifies, or is linked or reasonably linkable to an individual or a consumer device, including derived data”), although it excludes “de-identified data.” The FTC is tasked with rulemaking to enable centralized opt-outs for non-sensitive data, while “sensitive data” requires opt-in consent.

Notably, the bill contains a nuanced exception to support ethical commercial research if approved, monitored, and governed by an Institutional Review Board (IRB) or an IRB-like oversight entity that meets standards promulgated by the FTC. Such oversight would provide stronger legal protections for “scientific, historical, or statistical research in the public interest” in situations where informed consent is impractical, such as commercial research conducted on Big Data or other large, less readily identifiable datasets.

Below are FPF’s highlights of COPRA’s other provisions.

1. Jurisdictional Scope

2. Data Minimization and Data Security

3. Sensitive Data (and Opt-Outs for Non-Sensitive Data)

4. Third Parties and Service Providers

5. Interaction with State and Federal Laws

6. Algorithmic Discrimination and Civil Rights

7. Enforcement, Accountability, and Whistleblower Protections

 

READ MORE:

Statement by Future of Privacy Forum CEO Jules Polonetsky on the Consumer Online Privacy Rights Act

WASHINGTON, DC – November 26, 2019 – Statement by Future of Privacy Forum CEO Jules Polonetsky regarding the introduction of a new comprehensive federal privacy bill, the Consumer Online Privacy Rights Act (COPRA), proposed today by Senators Maria Cantwell, Amy Klobuchar, Brian Schatz, and Ed Markey:

“This is the most sophisticated federal proposal to emerge to date and demonstrates that Senate Democrats are committed to setting a high bar for consumer privacy. The bill would codify strong individual rights, meeting and exceeding the California Consumer Privacy Act. It also requires companies to implement training and accountability measures and includes a nuanced exception to support ethical research. The bill provides a strong starting point that will move bipartisan debate forward, with private rights of action, limits on preemption, and the definition of sensitive data, among other issues, likely to be points of ongoing negotiation.”

# # #

The Future of Privacy Forum will post a more detailed analysis of the legislation on its blog.

Media Contacts:

Nat Wood

Future of Privacy Forum

[email protected]

410-507-7898

Collin Boylin

Future of Privacy Forum

[email protected]

860-490-8326

About the Future of Privacy Forum

Future of Privacy Forum is a global non-profit organization that serves as a catalyst for privacy leadership and scholarship, advancing principled data practices in support of emerging technologies. Learn more about FPF by visiting www.fpf.org.

Questions to Ask Before You Buy a Genetic Testing Kit on Black Friday

By Rachele Hendricks-Sturrup and Katelyn Ringrose

On Black Friday and Cyber Monday, millions of consumers will hurry to their nearest doorbuster sale or boot up their favorite sales portal to buy a price-slashed consumer genetic testing kit. Some genetic testing kits will be up to half off this year, and the market as a whole is projected to more than triple from a valuation of $99 million this past year to a projected $310 million in 2022

Last year on Black Friday, AncestryDNA alone sold about 1.5 million testing kits. According to Wired, that means that consumers sent in around 2,000 gallons of saliva—enough spit to fill a modest above-ground swimming pool. Consumers are drawn to the tests for genealogical purposes, and new market offerings are being used as strategies to help raise consumer awareness on genetic health risks. 

With that much genetic material exchanging hands, it is important for consumers to think carefully about which kit provider will prioritize consumer privacy. DNA contains deeply personal information which can be incredibly beneficial for consumers. But that same information may also contain unexpected and deeply personal information that could be unsettling, and reveal information about the test taker’s family members. It deserves a high standard of protection. 

However, laws like the Health Insurance Portability and Accountability Act (HIPAA), the central U.S. health privacy law, do not apply to genetic information collected and housed by consumer genetic testing companies. Due to this regulatory gap, consumers should find out from the companies themselves, and prior to buying a test for themselves or a loved one, how the companies will protect and use the genetic data they provide and collect.

Here are five important questions consumers should ask before buying a genetic testing kit on Black Friday or Cyber Monday:

  1. Does the Company Ask for Your Consent Before Sharing Your Individual-Level Genetic Data with Third Parties? People choose to share their genetic data with third parties for a range of purposes (e.g., to participate in scientific research or connect with unknown biological relatives). However, genetic testing companies should never share your individual-level genetic data with third parties without your knowledge and consent, particularly with insurers, employers, and educational institutions.
  2. Do You Have the Ability to Delete Your Genetic Data and Destroy Your Biological Sample If You Choose? Companies may have default policies to destroy all samples once testing is completed, retain data or samples for only a finite period of time or in accordance with regulations, or retain data and samples indefinitely or until you close your account. Companies should be clear about their retention practices and offer prominent ways to delete your genetic data from their databases and destroy your biological sample.
  3. Does the Company Require a Valid Legal Process Before They will Disclose Your Genetic Data to Law Enforcement? As we have seen in prolific cases like the Golden State Killer, genetic data can be a powerful investigative tool for government. However, government access to your genetic data presents substantial privacy risks. Companies should require that government entities obtain valid legal process, like a warrant, subpoena, or a legal order before they disclose genetic data.
  4. What are the Company’s Notification Practices When it Comes to Conveying Material Changes to Their Privacy Policies? Companies may modify their privacy policies or statements occasionally, and sometimes they significantly change how genetic data is collected, used, and stored. But before changes are implemented, you should be notified and given an opportunity to review the changes to decide if you want to continue using the company’s services.
  5. Has the Company Committed to Strong Technical Data Security Practices? As more than 26 million individuals have had their DNA tested, the potential for hacking and data breaches is an increasing concern. Given the uniqueness of genetic data, companies should maintain a comprehensive security program through practices such as: secure storage of biological samples and genetic data, encryption, data-use agreements, contractual obligations, and accountability measures.

For consumers who are interested in learning more, the Future of Privacy Forum’s Privacy Best Practices for Consumer Genetic Testing Services set forth standards for the collection, use, and sharing of genetic data. The standards embrace express consent mechanisms for the transfer of data to third parties and have provisions restricting marketing based on genetic data, among other privacy-centric protections. Companies that currently support these best practices include: Ancestry, 23andMe, Helix, MyHeritage, Habit, African Ancestry, and Living DNA.

Before you buy a genetic test kit as a gift or for yourself for this holiday season, take a moment to consider how our genetic information shapes who we are… and whether you are dealing with a company that promises to protect it.

For more information and to learn how to become involved with FPF’s health privacy efforts, please contact Katelyn Ringrose at [email protected] or Rachele Hendricks-Sturrup at [email protected].

FPF Welcomes New Members to the Youth & Education Privacy Project

We are thrilled to announce three new members of FPF’s Youth & Education Privacy team. The new staff – Jasmine Park, Anisha Reddy, and Katherine Sledge – will help expand FPF’s technical assistance and training, resource creation and distribution, and state and federal legislative tracking.

You can read more about Katherine, Anisha, and Jasmine below. Please join us in welcoming them to the team!


JasminePark_HeadshotJasmine Park

Jasmine Park is a Policy Fellow for the Youth and Education Privacy Project. Jasmine is primarily supporting FPF’s outreach, training, and technical assistance for local and state education agencies (LEAs and SEAs), including FPF’s pilot Train-the-Trainer program and the K-12 privacy working group for LEA/SEA staff. She will also be helping to grow FPF’s child privacy portfolio in the U.S. and abroad. Jasmine recently graduated with an M.A. in Global Affairs from the Yale Jackson Institute for Global Affairs, where she focused on tech policy and digital anthropology. From 2015 to 2017, Jasmine served as a Peace Corps Volunteer in Cambodia, where she gained two years of on-the-ground experience as an educator. She worked closely with local government, school administrators, law enforcement, and community leaders to conduct needs assessments and to provide access to the training and resources necessary to address self-identified needs. She previously interned with the Los Angeles Mayor’s Office of International Affairs and Asian Americans Advancing Justice. Jasmine serves on the board of Brio, a nonprofit that empowers local partners to design and launch mental health solutions in vulnerable communities globally. Jasmine received her B.A. cum laude in History and East Asian Studies from Harvard University.

I most look forward to joining the FPF Education Privacy team’s efforts to equip local administrators with the knowledge and tools they need to implement best practices in their communities.


Anisha Reddy

Anisha Reddy is a Policy Fellow for the Youth and Education Privacy Project. Anisha is primarily supporting FPF’s state and federal legislative analysis and resources. Anisha is also running FPF’s K-12 working group for edtech companies and overseeing the bi-weekly education privacy newsletter. At Penn State’s Dickinson Law, Anisha was honored with the University’s 2017-2018 Montgomery and MacRae Award for Excellence in Administrative Law. She held the offices of Executive Editor for Digital Media of the Dickinson Law Review, President of the Asian Pacific Law Students Association, and Vice President of the Women’s Law Caucus. Anisha served as a Certified Legal Intern for the Children’s Advocacy Clinic in Carlisle, PA, where she represented children involved in civil court actions like adoption, domestic violence, and custody matters. She previously interned at the Governor of Pennsylvania’s Office of General Counsel, at Udacity in Mountain View, CA and at Blockchain, Inc. in New York, NY.

I’m most excited about the unique opportunity to impact the way the student privacy conversation is framed by helping include the voices of all stakeholders – not just the edtech industry – but parents, districts, and the students themselves.


Katherine Sledge

As the Policy Manager for Youth and Education Privacy at the Future of Privacy Forum, Katherine manages the progression of projects related to youth and student privacy at FPF. Before coming to FPF, Katherine worked with the executive team at the National Network to End Domestic Violence. She also has national and state-level political advocacy experience at the National Alliance to End Homelessness and the ACLU. Prior to transitioning to a career in public policy, Katherine was the Operations Specialist at an environmental firm that specializes in remediation projects. In that role, Katherine headed administrative and logistical support for environmental projects across the US.

Katherine graduated from American University with a Master of Public Administration with a custom concentration in Applied Politics: Women, Public Policy, and Political Advocacy. In addition to the core public management curriculum, Katherine focused her studies on the intersection of public policy and gender, as well as advocacy strategy, process, and best practices. Originally from Tennessee, Katherine attended the University of Tennessee, Knoxville, where she earned her B.A. in Political Science.

 


 

Interested in student privacy? Subscribe to our monthly education privacy newsletter here. Want more info? Check out FERPA|Sherpa, the education privacy resource center website.