May 72020

In Midst of COVID-19 Pandemic, Senators Propose Privacy Bill Aimed At Businesses’ Use of Consumer Data

Colleen Theresa Brown, Kate Heinzelman, Christopher Fonzone and Michael R. Roberts
, , , , ,

On April 30, 2020, four Republican Senators announced plans to introduce the COVID-19 Consumer Data Protection Act.  The four Senators, John Thune (R-S.D), Roger Wicker (R-Miss.), Jerry Moran (R-Kan.), and Marsha Blackburn (R-Tenn.), are all Members of the Commerce Committee, with Wicker the Committee’s chair.

According to the April 30 Senate press release regarding the COVID-19 Consumer Data Protection Act, the legislation would “provide all Americans with more transparency, choice, and control over the collection and use of their personal health, geolocation, and proximity data” for data processing related to fighting the COVID-19 pandemic.  The press release also states that the bill would “hold businesses accountable to consumers if they use personal data to fight the COVID-19 pandemic.” Under the bill, covered purposes include “(1) collecting, processing, or transferring the covered data of an individual to track the spread, signs, or symptoms of COVID-19; (2) collecting, processing, or transferring the covered data of an individual to measure compliance with social distancing guidelines or other requirements related to COVID-19 that are required by federal, state, or local government order; (3) collecting, processing, or transferring the covered data of an individual to conduct contact tracing for COVID-19 cases.” The press release states that the legislation would:

  • Require companies under the jurisdiction of the Federal Trade Commission to obtain affirmative express consent from individuals to collect, process, or transfer their personal health, geolocation, or proximity information for the purposes of tracking the spread of COVID-19.
  • Direct companies to disclose to consumers at the point of collection how their data will be handled, to whom it will be transferred, and how long it will be retained.
  • Establish clear definitions about what constitutes aggregate and de-identified data to ensure companies adopt certain technical and legal safeguards to protect consumer data from being re-identified.
  • Require companies to allow individuals to opt out of the collection, processing, or transfer of their personal health, geolocation, or proximity information.
  • Direct companies to provide transparency reports to the public describing their data collection activities related to COVID-19.
  • Establish data minimization and data security requirements for any personally identifiable information collected by a covered entity.
  • Require companies to delete or de-identify all personally identifiable information when it is no longer being used for the COVID-19 public health emergency.
  • Authorize state attorneys general to enforce the Act.

The provisions of the bill thereby appear to adopt certain protections found in many existing State and sector-specific privacy laws, such as notice and information security requirements.  Other provisions are not as common: for instance, data minimization and use restrictions and the requirement that covered entities issue a “public report” every 30 days.

The bill’s implications for liability will be a particular subject of focus, as companies wrestle with whether to return to work. To this end, the bill does not provide a liability shield, although companies may argue that compliance with the bill’s requirements serves as a safe harbor.  The bill also includes a preemption clause that would prohibit states from adopting, enforcing, or continuing to maintain any law that is “related to the collection, processing, or transfer of covered data” as defined in the bill.  This is significant given the scope of the data covered by the bill, which includes “precise geolocation data, proximity data, and personal health information,” and the breadth of entities that would be regulated, specifically any entity or person who “collects, processes, or transfers covered data,” and is regulated by the FTC Act, is a common carrier subject to the Communications Act of 1934, or is a nonprofit organization.  In this way, the bill would create the broadest coverage for a privacy law in the United States to date.

There are meaningful proposed exemptions, however.  While the bill covers data that that is aggregated, deidentified or publicly available, the proposed regulation exempts information from education records that is already covered by FERPA as well as health information covered by HIPAA.

The bill proposes for the law to be enforced under the FTC Act’s section 5 authorities.  Moreover, state attorneys general, as parens patriae, would be authorized to bring a civil action in federal district court against covered entities that are not subject to FTC enforcement and whose act or practice adversely affect state residents’ interests.

The future of the bill is uncertain.  If Congress chooses to take up consideration of the bill, we anticipate that the bill’s effect on potential programs to combat the pandemic, as well as its enforcement and preemption provisions, will be key topics of debate.

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

Kate Heinzelman

kheinzelman@sidley.com

Christopher Fonzone

cfonzone@sidley.com

Michael R. Roberts

mroberts@sidley.com

You might also like
UK Sets Out It’s “Pro-Innovation” Approach To AI Regulation

On 29 March 2023, the UK’s Department for Science Innovation and Technology (“DSIT”) published its long awaited White Paper on its “pro-innovation approach to AI regulation” (the “White Paper”), along with a corresponding impact assessment. The White Paper builds on the “proportionate, light touch and forward-looking” approach to AI regulation set out in the policy paper published in July 2022. Importantly, the UK has decided to take a different approach to regulating AI compared to the EU, opting for a decentralised sector-specific approach, with no new legislation expected at this time. Instead, the UK will regulate AI primarily through sector-specific, principles based guidance and existing laws, with an emphasis on an agile and innovation-friendly approach. This is in significant contrast to the EU’s proposed AI Act which is a standalone piece of horizontal legislation regulating all AI systems, irrespective of industry.

EU Moving Closer to an AI Act – Key Areas of Impact for Life Sciences/MedTech Companies

The European Union is moving closer to adopting the first major legislation to horizontally regulate artificial intelligence. Today, the European Parliament (Parliament) reached a provisional agreement on its internal position on the draft Artificial Intelligence Regulation (AI Act). The text will be adopted by Parliament committees in the coming weeks and by the Parliament plenary in June. The plenary adoption will trigger the next legislative step of trilogue negotiations with the European Council to agree on a final text. Once adopted, according to the text, the AI Act will become applicable 24 months after its entry into force (or 36 months according to the Council’s position), which is currently expected in the second half of 2025, at the earliest.

New EU Cyber Law for the Financial Services Industry with Significant Impact on ICT Service Providers

The new EU Regulation on Digital Operational Resilience for the Financial Sector (DORA) recently entered into force. DORA establishes cybersecurity requirements for information and communication technology (ICT) systems supporting the business processes of financial entities and represents a paradigm shift for the ICT sector.  Critical ICT third-party service providers, who are providing services to regulated financial entities, will also be directly regulated under DORA and subject to regulatory supervision by a regulator to be established under DORA (a so-called ‘Lead Overseer’).