
On April 30, 2020, Senator Roger Wicker (R-Miss.), chairman of the U.S. Senate Committee on Commerce, Science, and Transportation announced his plan to introduce the “COVID-19 Consumer Data Protection Act.” The bill, which is co-sponsored by three Republican Senators—Senator John Thune (R-S.D.), Senator Jerry Moran (R-Kan.), and Senator Marsha Blackburn (R-Tenn.)—aims to protect consumer geolocation data, proximity data, and personal health information as businesses tap into consumer data to fight the spread of the coronavirus.

In a press release accompanying the bill, Senator Wicker stated, “This data has great potential to help us contain the virus and limit future outbreaks, but we need to ensure that individuals’ personal information is safe from misuse.”

The announcement of the bill comes in the wake of Google and Apple’s collaboration to develop a contact-tracing app, which uses Bluetooth technology to gauge proximity between mobile devices that have downloaded the app. If an individual contracts the virus (“Infected Individual”), [s]he may self-report his or her infection to the app, which then would notify individuals that they may have been in contact with an Infected Individual during the contagious period of the virus. The app performs this function by cataloguing individuals’ geolocation over the course of days, as well as the amount of time Infected Individuals are in close proximity to other individuals, to determine whether a risk of the infection spreading exists. The bill would regulate these activities, as well as similar apps’ collection, processing, and transfer of information, according to the following standards:

Information & Entities Governed

If passed, the bill will regulate “Covered Entities” that collect, process, or transfer “Covered Data” for purposes of (1) tracking the spread, signs, or symptoms of COVID-19; (2) measuring compliance with social distancing guidelines or requirements related to COVID-19; or (3) conducting contact tracing for COVID-19 cases. The term “Covered Entities” is defined by the bill to include any person or entity that collects, processes, or transfers Covered Data and that also is subject to the Federal Trade Commission Act (FTC Act), is a common carrier subject to the Communications Act of 1934, or is a nonprofit organization. “Covered Data” includes:

  • Precise geolocation data, defined as technologically derived information capable of determining with reasonable specificity the past or present actual physical location of an individual at a specific point in time;
  • Proximity data, defined as technologically derived information that identifies with reasonable specificity the past or present proximity of one individual to another; and
  • Personal health information, defined as information relating to an individual that identifies, or is reasonably linkable to, the individual, and consists of genetic information of the individual or information relating to the diagnosis or treatment of past, present, or future physical, mental health, or disability of the individual.

Aggregated, deidentified, or publicly available information, as well as information already subject to the Family Educational Rights and Privacy Act or the Health Insurance Portability and Accountability Act, is not considered Covered Data under the bill.

Requirements Under the Bill

The bill prohibits Covered Entities from collecting, processing, or transferring Covered Data unless the Covered Entity provides the individual with prior notice and receives affirmative express consent from the individual. Covered Entities must provide this notice via a privacy policy that is published within 14 days of the bill’s enactment; is publicly available and provided to the individual at or before the point of collection of Covered Data; and includes information regarding whether Covered Data is transferred, the categories of recipients of transferred Covered Data, a general description of the Covered Entity’s retention practices for Covered Data, and a general description of the Covered Entity’s data security practices.

Covered Entities must also issue a public report every 30 days that (1) sets forth the aggregate number of individuals whose Covered Data the entity has collected, processed, or transferred; and (2) describes the categories of Covered Data collected, processed, or transferred; the specific purposes for such collection, processing, or transfer; and, for transferred Covered Data, to whom such data was transferred. The bill also requires Covered Entities to provide individuals with a right to opt out, allowing individuals who have previously consented to the collection, processing, or transfer of their Covered Data to revoke such consent. Once an individual exercises his or her right to opt out, Covered Entities have 14 days to comply with the opt-out request.

The bill, which emphasizes the importance of data security, requires Covered Entities to implement data security policies and practices to protect Covered Data, and sets forth retention and data minimization requirements. For instance, Covered Data must be deleted when the purpose for which it was collected, processed, or transferred ceases to exist. The bill also requires the Federal Trade Commission (FTC) to issue guidelines recommending data minimization best practices for Covered Entities within 30 days of the bill’s enactment.

Enforcement

The bill places primary enforcement authority in the hands of the FTC and also provides state attorneys general with enforcement powers. The bill treats any violation by a Covered Entity as equivalent to an unfair or deceptive act or practice under Section 5 of the FTC Act, subject to the same penalties. Under specified conditions, state attorneys general may also bring civil actions for acts or practices that violate the bill. States are preempted from adopting any law, regulation, rule, or standard relating to the collection, processing, or transfer of Covered Data for the purposes specified in the bill.

Final Thoughts

In times of uncertainty, human innovation continues to thrive, seeking new ways of problem-solving. However, this rise in innovation can pose risks to individual privacy values. The announcement of the COVID-19 Consumer Data Protection Act indicates an attempt to balance technological innovation with personal privacy rights during the present crisis. Although many privacy advocates view the announcement of the bill as a step in the right direction, some fear the bill does not go far enough. Regardless, the forthcoming bill will ignite an important conversation in Congress regarding individual privacy rights. As Senator Thune stated, “even during times of crisis, [individual privacy] remains critically important.”

Fey LLC will continue to closely monitor developments in the COVID-19 Consumer Data Protection Act. To ensure you don’t miss out on any articles and alerts we prepare on this or other significant data protection laws and developments, you can follow our LinkedIn page.

Mary Colleen Fowler, a third-year law student at the University of Kansas School of Law, contributed to this post. Ms. Fowler is a law clerk with Fey LLC.

Laura Fey

Laura Clark Fey, Privacy Law Specialist (IAPP), is the principal at Fey LLC.

Hannah Zimmerman

Hannah Zimmerman, CIPT, is an associate attorney with Fey LLC.