Highlights
- The Senate is expected to take up the COVID-19 Consumer Data Protection Act of 2020, which proposes strict new restrictions on the collection and use of personal information
- The bill would require notice and express consent prior to collection of personal information and give individuals the opportunity to opt out
- Companies implementing various procedures in response to COVID-19 should be watching for new developments
Aiming to ensure the protection of individual privacy and personal information during the time of the COVID-19 crisis, on April 30, 2020, a group of Republican senators – led by the chairman of the Senate Commerce Committee, Sen. Roger Wicker – announced plans to introduce the COVID-19 Consumer Data Protection Act of 2020. The proposed bill seeks to “protect the privacy of consumers’ personal health information, proximity data, and geolocation data during the coronavirus public health crisis.”
The COVID-19 Consumer Data Protection Act of 2020 would put rules in place regarding the collection, processing and transfer of covered data used to combat the spread of the coronavirus. The law would only apply temporarily, during the “COVID–19 public health emergency,” and only to specific uses of individuals’ personal data.
While this bill has not yet been introduced, companies seeking to implement new procedures as a result of the COVID-19 pandemic, including activities like testing and temperature checks for employees, should be monitoring its developments as the bill’s language can change during this process.
What is “Covered Data”?
According to the proposed bill, “covered data” would include “precise geolocation data, proximity data, and personal health information.” However, data that is aggregated, de-identified (data that does not identify and is not reasonably linked to a particular individual) or publicly available would not be considered “covered data.” Note that the scope of this covered data is broader than “protected health information” under the Health Insurance Portability and Accountability Act (HIPAA) and more in line with new privacy laws like the California Consumer Privacy Act (CCPA).
Who Are “Covered Entities”?
The bill would broadly apply to any entity or person who “collects, processes, or transfers covered data.”
What Are the Obligations Under the Proposed Bill?
The bill would require that covered entities provide individuals with notice prior to the collection, processing and transfer of covered data. Such notice would describe how geolocation data, proximity data and personal health information are used to track the spread, signs or symptoms of COVID-19; measure compliance with social distancing guidelines or other COVID-19-related requirements imposed by federal, state or local governments; and conduct contact tracing for COVID-19 cases.
The bill would also require that covered entities obtain affirmative express consent from individuals to collect, process or transfer their personal health, geolocation or proximity information for the purposes of tracking the spread of COVID-19, unless the processing is otherwise necessary to comply with a legal obligation.
Covered entities would be required under the bill to issue a “public report” at least once every 30 days, to include:
- the aggregate number of individuals whose data the entity has collected, processed or transferred
- the categories of data that were collected, processed or transferred
- the purposes for which data was collected, processed or transferred
- those to whom it was transferred
Additionally, the bill would require that covered entities:
- provide individuals with the right to opt-out or a mechanism that permits them to revoke consent; upon receiving such a request, covered entities would be required to stop collecting, processing or transferring the covered data, or to de-identify it within 14 days
- delete or de-identify all covered data when it is no longer being used for the purpose for which it was initially collected, processed or transferred
- minimize collection, processing and transfer of covered data to “what is reasonably necessary, proportionate and limited” to carry out the covered purpose
- “establish, implement, and maintain reasonable administrative, technical, and physical data security policies and practices to protect against risks to the confidentiality, security, and integrity” of the covered data
Other Provisions
The COVID-19 Consumer Data Protection Act would be enforced by the Federal Trade Commission pursuant to its powers under the FTC Act. State attorneys general would also have the power to bring civil actions against covered entities that adversely affect the interest of residents of their state, who are not subject to the enforcement authority of the Federal Trade Commission.
Importantly, the bill contains a preemption clause that would prevent states from adopting, enforcing or continuing to maintain any law that is “related to the collection, processing, or transfer of covered data” for purposes covered in the bill.