On April 30, 2020, four Republican Senators announced plans to introduce the COVID-19 Consumer Data Protection Act. The four Senators, John Thune (R-S.D.), Roger Wicker (R-Miss.), Jerry Moran (R-Kan.), and Marsha Blackburn (R-Tenn.), are all Members of the Commerce Committee, with Wicker serving as the Committee’s chair.
According to the April 30 Senate press release regarding the COVID-19 Consumer Data Protection Act, the legislation would “provide all Americans with more transparency, choice, and control over the collection and use of their personal health, geolocation, and proximity data” for data processing related to fighting the COVID-19 pandemic. The press release also states that the bill would “hold businesses accountable to consumers if they use personal data to fight the COVID-19 pandemic.” Under the bill, covered purposes include “(1) collecting, processing, or transferring the covered data of an individual to track the spread, signs, or symptoms of COVID-19; (2) collecting, processing, or transferring the covered data of an individual to measure compliance with social distancing guidelines or other requirements related to COVID-19 that are required by federal, state, or local government order; (3) collecting, processing, or transferring the covered data of an individual to conduct contact tracing for COVID-19 cases.” The press release states that the legislation would:
- Require companies under the jurisdiction of the Federal Trade Commission to obtain affirmative express consent from individuals to collect, process, or transfer their personal health, geolocation, or proximity information for the purposes of tracking the spread of COVID-19.
- Direct companies to disclose to consumers at the point of collection how their data will be handled, to whom it will be transferred, and how long it will be retained.
- Establish clear definitions about what constitutes aggregate and de-identified data to ensure companies adopt certain technical and legal safeguards to protect consumer data from being re-identified.
- Require companies to allow individuals to opt out of the collection, processing, or transfer of their personal health, geolocation, or proximity information.
- Direct companies to provide transparency reports to the public describing their data collection activities related to COVID-19.
- Establish data minimization and data security requirements for any personally identifiable information collected by a covered entity.
- Require companies to delete or de-identify all personally identifiable information when it is no longer being used for the COVID-19 public health emergency.
- Authorize state attorneys general to enforce the Act.
The provisions of the bill thereby appear to adopt certain protections found in many existing State and sector-specific privacy laws, such as notice and information security requirements. Other provisions are not as common: for instance, data minimization and use restrictions and the requirement that covered entities issue a “public report” every 30 days.
The bill’s implications for liability will be a particular subject of focus, as companies wrestle with whether to return to work. To this end, the bill does not provide a liability shield, although companies may argue that compliance with the bill’s requirements serves as a safe harbor. The bill also includes a preemption clause that would prohibit states from adopting, enforcing, or continuing to maintain any law that is “related to the collection, processing, or transfer of covered data” as defined in the bill. This is significant given the scope of the data covered by the bill, which includes “precise geolocation data, proximity data, and personal health information,” and the breadth of entities that would be regulated, specifically any entity or person who “collects, processes, or transfers covered data,” and is regulated by the FTC Act, is a common carrier subject to the Communications Act of 1934, or is a nonprofit organization. In this way, the bill would create the broadest coverage for a privacy law in the United States to date.
There are meaningful proposed exemptions, however. While the bill covers data that is aggregated, de-identified or publicly available, the proposed regulation exempts information from education records that is already covered by FERPA as well as health information covered by HIPAA.
The bill proposes that the law be enforced under the FTC Act’s section 5 authorities. Moreover, state attorneys general, as parens patriae, would be authorized to bring a civil action in federal district court against covered entities that are not subject to FTC enforcement and whose act or practice adversely affects state residents’ interests.
The future of the bill is uncertain. If Congress chooses to take up consideration of the bill, we anticipate that the bill’s effect on potential programs to combat the pandemic, as well as its enforcement and preemption provisions, will be key topics of debate.