Senators to Introduce COVID-19 Consumer Data Protection Act
Although it is unclear whether the forthcoming bill has any chance of becoming law, it is further evidence that companies need to consider the significant privacy issues and risks associated with implementing COVID-19-related technology.
On April 30, 2020, a group of four Republican Senators announced their plan to introduce federal privacy legislation that would regulate the collection and use of personal information relating to the fight against the Coronavirus pandemic. The four Senators are U.S. Sens. John Thune (R-S.D), chairman of the Subcommittee on Communications, Technology, Innovation, and the Internet; Roger Wicker (R-Miss.), chairman of the Senate Committee on Commerce, Science, and Transportation; Jerry Moran (R-Kan.), chairman of the Subcommittee on Consumer Protection, Product Safety, Insurance and Data Security; and Marsha Blackburn (R-Tenn.).
In a press release Senator Thune stated:
“While the severity of the COVID-19 health crisis cannot be overstated, individual privacy, even during times of crisis, remains critically important. This bill strikes the right balance between innovation – allowing technology companies to continue their work toward developing platforms that could trace the virus and help flatten the curve and stop the spread – and maintaining privacy protections for U.S. citizens.”
As we have chronicled in prior blog posts (see here and here), there are numerous privacy concerns associated with the rapid development and deployment of COVID-19-related technology. These privacy concerns are amplified in the United States because there is no overarching privacy bill that applies to this technology. According to the press release announcing the bill, the proposed bill, entitled the COVID-19 Consumer Data Protection Act, would attempt to solve this problem by:
- Requiring companies under the jurisdiction of the Federal Trade Commission to obtain affirmative express consent from individuals to collect, process, or transfer their personal health, geolocation, or proximity information for the purposes of tracking the spread of COVID-19.
- Directing companies to disclose to consumers at the point of collection how their data will be handled, to whom it will be transferred, and how long it will be retained.
- Establishing clear definitions about what constitutes aggregate and de-identified data to ensure companies adopt certain technical and legal safeguards to protect consumer data from being re-identified.
- Requiring companies to allow individuals to opt out of the collection, processing, or transfer of their personal health, geolocation, or proximity information.
- Directing companies to provide transparency reports to the public describing their data collection activities related to COVID-19.
- Establishing data minimization and data security requirements for any personally identifiable information collected by a covered entity.
- Requiring companies to delete or de-identify all personally identifiable information when it is no longer being used for the COVID-19 public health emergency.
- Authorizing state attorneys general to enforce the Act.
Whether this forthcoming bill has any chance of passage is unclear. Since the enactment of the California Consumer Privacy Act in 2018, federal lawmakers have proposed many different federal privacy bills. While Republicans and Democrats agree on the general contours of such legislation, they have been unable to agree on how the law would be enforced and whether it would preempt stricter state laws. The press release announcing the bill does not address preemption, but it does state that the FTC and state attorneys general would enforce the bill (as opposed to private litigants as has been urged by Democrats).
Even if the bill does not gain traction, it provides companies with a road map for developing and deploying COVID-19-related technology. This includes providing proper disclosures to users, establishing opt-in / opt-out rights, utilizing data minimization principles, ensuring data security, and only keeping the data for as long as is minimally necessary.