On May 7, Republican members of the Senate Commerce, Science and Transportation Committee formally introduced the COVID-19 Consumer Data Protection Act of 2020 (the Act), which would put temporary rules in place regarding the collection, processing and transfer of data used to combat the spread of COVID-19.
In What Situations Would the Act Apply?
The Act would apply to any person or entity that is either subject to the Federal Trade Commission (FTC) Act or a common carrier or nonprofit organization, and that also collects, transfers or processes covered data. Notably, the Act would only apply during the COVID-19 Public Health Emergency as declared by the Secretary of Health and Human Services.
The Act would only apply to personal health information, proximity data, and geolocation data used for any of the following purposes:
- To track the spread, signs or symptoms of COVID-19;
- To measure compliance with social distancing guidelines or other government-imposed requirements related to COVID-19; or
- To conduct contact tracing for COVID-19 cases.
This Act comes as various technology companies rush to develop opt-in functionality and applications that track movements in order to determine potential exposure to the deadly virus.
What Would the Act Do?
Many of the proposed Act’s key requirements are similar to those seen in existing privacy laws, requirements or norms, such as the California Consumer Privacy Act of 2018 (CCPA) and General Data Protection Regulation 2016/679 (GDPR). For example, the Act includes requirements to post a clear and conspicuous privacy policy, to obtain affirmative consent to collect the covered data, and to maintain reasonable data security policies and practices. In addition to the above requirements, the Act would mandate certain new obligations, including:
- Requiring entities to allow individuals to opt-out of the collection, processing or transfer of the covered data for COVID-19 purposes.
- Requiring entities to delete or de-identify all covered data when it is no longer being used for COVID-19 purposes.
- Directing entities to provide transparency reports to the public describing their data collection activities related to COVID-19.
- Establishing data minimization requirements for covered data once it has been collected.
Are There Exemptions to the Act?
There are specific exemptions for aggregated, de-identified and publicly available information. Otherwise, covered health and location information is defined to include the following:
- Personal health information, meaning either genetic information or information relating to the diagnosis or treatment of past, present or future physical or mental health or disability of the individual that identifies or is reasonably linkable to an individual, but excluding information that is subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or the Family Educational Rights and Privacy Act of 1974 (FERPA).
- Precise geolocation data, which refers to technologically derived information capable of determining with reasonable specificity the past or present actual physical location of an individual at a specific point in time.
- Proximity data, which refers to technologically derived information that identifies with reasonable specificity the past or present proximity of one individual to another.
How Would the Act Be Enforced?
The Act would be enforced by both the FTC and state attorneys general. It would prevent states from adopting or enforcing any laws or regulations related to the collection, processing or transfer of covered data used for purposes covered in the Act.
The Act is still in the early stages of the legislative process but may have greater success than some of the attempts at a federal consumer privacy law of late, given the urgency of the COVID-19 pandemic.
If you have questions about the Act and how it will affect you or your business, please contact the authors.