Over the years, Congress has put forth various legislative proposals regarding data privacy. None of the past legislation received the support necessary to enable passage of a comprehensive national data privacy law. In the face of the ongoing COVID-19 pandemic, however, promising new privacy legislation has been introduced by Senator Roger Wicker (R-MS), chairman of the U.S. Senate Committee on Commerce, Science, and Transportation; Senator John Thune (R-SD), chairman of the Subcommittee on Communications, Technology, Innovation, and the Internet; Senator Jerry Moran (R-KS), chairman of the Subcommittee on Consumer Protection, Product Safety, Insurance and Data Security; and Senator Marsha Blackburn (R-TN).
On April 30, 2020, Wicker, Thune, Moran, and Blackburn announced plans for the COVID-19 Consumer Data Protection Act, a bill that contains protections for personal information (particularly health information), geolocation, and proximity data.
The bill is specifically intended to protect personal information related to contact tracing. As we discussed in detail in a prior article, contact tracing is the process of identifying individuals with whom a person who tested positive for COVID-19 may have been in contact while that person was likely infectious. Contact tracing can be a laborious process involving numerous interviews of individuals who have tested positive to determine with whom they have had contact. Because it is difficult to contact trace large numbers of individuals and because individuals often give inaccurate reports, an opportunity was created to improve the process through technology. Digital equipment, tools, and applications have been developed that can assist in contact tracing by identifying contacts and, potentially, by notifying users that they are at risk of exposure.
As currently drafted, the COVID-19 Consumer Data Protection Act would protect precise geolocation data, proximity data, and personal health information and make it unlawful to collect, process, or transfer the covered data of an individual for the “purposes of tracking the spread of COVID-19” without prior notice and express consent unless necessary to comply with a legal obligation.
Even if the bill does not become law, it nevertheless contains several provisions that employers may want to consider before deploying newly available technology to track COVID-19 infection in the workplace. In addition to its notice and consent mandates, the bill provides a right to opt out of data collection, a right to revoke consent to use technology to track employee movement, and a requirement that entities using such technology “delete or de-identify personally identifiable information when it is no longer being used for the COVID-19 public health emergency.”
Entities would also need to minimize their collection, processing, and transfer of data to only “what is reasonably necessary, proportionate, and limited” to the initial purpose of the collection. Finally, the bill would mandate that covered entities put in place cybersecurity protections, requiring them to “establish, implement, and maintain reasonable administrative, technical, and physical data security policies and practices to protect against risks to the confidentiality, security, and integrity” of the data covered by the law.
Employers may also want to consider analyzing factors and questions relevant to how contact-tracing tools will be used in their workplaces:
- Will the use of the contact-tracing tool be voluntary or mandatory?
- If mandatory, how will employees who refuse to use the tool or “turn it off” be handled?
- When will the tool perform its tracking function—during work hours or outside of work time?
- Who will have access to the information collected?
While it is too early to tell how much support the proposed COVID-19 Consumer Data Protection Act will gain in Congress, the bill does provide helpful guidance and potential best practices for employers that are planning to utilize new technology related to COVID-19 in the workplace.