Consumer Online Privacy Rights Act This bill places requirements on entities that process or transfer a consumer's data. Specifically, the bill requires such entities to make their privacy policy publicly available and provide an individual with access to their personal data; delete or correct, upon request, information in an individual's data; export, upon request, an individual's data in a human-readable and machine-readable format; establish data security practices to protect the confidentiality and accessibility of consumer data; and designate a privacy officer and a data security officer to implement and conduct privacy and data security programs and risk assessments. Further, the bill prohibits such entities from engaging in deceptive or harmful data practices; transferring an individual's data to a third party if the individual objects; processing or transferring an individual's sensitive data without affirmative express consent; processing or transferring data beyond what is reasonably necessary or for which they have obtained affirmative express consent; processing or transferring data on the basis of specified protected characteristics (e.g., race, religion, or gender); conditioning the provision of a service or product on an individual's agreement to waive their privacy rights; and retaliating against an employee who provides information about a potential violation of the bill's provisions, or who testifies or assists in an investigation or judicial proceeding concerning such a violation. The Federal Trade Commission must establish a new bureau to assist with enforcement of these provisions.