COVID-19 Privacy Law Proposed in Senate
Privacy in Focus®
On May 7, Sen. Roger Wicker (R-MS), the Chairman of the Senate Committee on Commerce, Science, and Transportation, along with four of his colleagues, introduced the COVID-19 Consumer Data Protection Act. The proposed bill would regulate the collection, use, and transfer of specific kinds of information used to fight the COVID-19 pandemic. While it is more limited in scope than Sen. Wicker’s draft comprehensive privacy proposal, it would impose significant restrictions on how companies could collect and use certain data – such as geolocation and health information – for the purposes of contact tracing and other efforts to combat the pandemic. With omnibus federal privacy legislation currently stalled, but legislators raising questions about privacy protections during the pandemic, the proposed legislation represents another attempt to establish federal privacy rules around certain sets of data.
What does the bill cover?
The bill is limited in scope to collection, use, and transfer of (1) certain data, (2) for certain purposes, (3) during a limited duration.
- The covered data includes four types of data: precise geolocation data, proximity data (showing the proximity of one individual to another), persistent identifiers that identify or link to an individual over time and across services and platforms, and health information not covered by the Health Insurance Portability and Accountability Act (HIPAA).
- The bill covers collection, processing, and transfer of that data for certain covered purposes: to track the spread, signs, or symptoms of the coronavirus (COVID-19), to measure compliance with social distancing or similar requirements imposed by government order, or to conduct contact tracing for COVID-19 cases.
- The bill applies during the time period of the declared COVID-19 public health emergency.
In short, the bill targets the kinds of data collection and use to track COVID that have been adopted in other countries and are emerging in the United States – either by the government or private actors.
What requirements are included?
The bill imposes a number of substantive requirements on covered companies that collect, use, or transfer covered information. A company must:
- Provide notice and obtain affirmative express consent prior to collection, use, or transfer. A company must also provide an opt-out right for individuals that have previously consented.
- Publish bimonthly public reports on scope of data collected and its use.
- Delete or de-identify data when it is no longer being used for a covered purpose.
- Engage in data minimization and not collect, process, or transfer covered data beyond what is reasonably necessary, proportionate, and limited to carry out the covered purpose.
- Implement reasonable administrative, technical, and physical data security policies and practices.
The bill also excludes aggregated data and de-identified data from the definition of covered data, thus permitting the use of data that cannot be reasonably linked to an individual. It also contains exemptions for publicly available information, employee data, and business contact information. Enforcement would be given to the Federal Trade Commission and State Attorneys General, and the bill would preempt state laws that are related to the covered purposes.
Taken together, these requirements would give consumers the ability to opt into COVID tracking applications, limit the use of COVID-related information to specific purposes, and require destruction or de-identification when no longer used for a covered purpose. In this respect, the bill goes much further than any current federal privacy laws regarding this kind of covered data.
So far, Congress has seen various competing proposals on comprehensive privacy legislation, but no significant action. This has resulted in a patchwork approach across states. The COVID-19 Consumer Data Protection Act represents an attempt to find a common approach in a limited area – dealing with COVID-19 – that is top of mind for legislators and industry working to develop solutions. We will be closely monitoring how privacy laws and regulations develop on both the federal and state level as efforts to fight the pandemic continue.
© 2020 Wiley Rein LLP