As the federal government, state governments, businesses and other entities continue their response efforts related to the COVID-19 pandemic, the privacy and security of consumers’ personal health information remains a top concern of lawmakers. Recently, Republicans and Democrats in the US Senate and House of Representatives released competing bills that aim to address some of the concerns surrounding COVID-19 contact tracing and related technologies. This article examines the two bills, identifying points in common as well as key differences.
IN DEPTH
Senate Republicans, and Democrats in both the House and Senate, recently introduced competing bills aimed at protecting consumers’ personal health information during the Coronavirus (COVID-19) pandemic.
Senate Commerce Committee Chairman Roger Wicker (R-MS) introduced the Republican bill (the “COVID-19 Consumer Data Protection Act of 2020”) on May 7, 2020. Senators John Thune (R-SD), Debra Fischer (R-NE), Jerry Moran (R-KS) and Marsha Blackburn (R-TN) co-sponsored the bill. The bill was referred to the Senate Committee on Commerce, Science, and Transportation.
On May 14, 2020, House and Senate Democrats—including Representatives Suzan DelBene (D-WA), Anna Eshoo (D-CA) and Jan Schakowsky (D-IL), and Senators Richard Blumenthal (D-CT) and Mark Warner (D-VA)—introduced a competing bill (the “Public Health Emergency Privacy Act”). Senators Michael Bennet (D-CO), Elizabeth Warren (D-MA), Richard Durbin (D-IL), Edward Markey (D-MA), Tammy Baldwin (D-WI), Kamala Harris (D-CA), Mazie Hirono (D-HI) and Amy Klobuchar (D-MN) also joined as co-sponsors. The bill was referred to the Senate Committee on Health, Education, Labor and Pensions.
The competing bills come against the backdrop of a range of efforts to help governments track the spread of COVID-19 through technology. Such tools can be deployed for contact tracing and to alert users who have been in close proximity to someone who has tested positive for the virus.
Purpose
Both bills focus on privacy considerations believed to be presented by the current national pandemic. As further described in the table below, the two bills exclude from their regulatory scope information that is already subject to protection under the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Both bills seek to prevent the collection, use and disclosure of consumers’ personal information for coronavirus response efforts, such as contact tracing, without consumers’ consent to the collection, use and/or disclosure of their Covered Data (described in the table below).
Both bills also require Covered Organizations (described in the table below) to permit individuals to revoke their consent to the collection, use and/or disclosure of their Covered Data, to implement and publish privacy policies, and to periodically issue public reports. These public reports must describe the number of individuals whose data has been collected, used and/or disclosed by the Covered Organization, the categories of information collected, the purposes for which each data category is used and the categories of recipients to whom the data is disclosed.
Key Differences
Despite the common elements present in both bills, there are some key differences in their scope and approach. The table below provides a summary of these differences.
The Democrats’ proposal generally covers a broader scope of data and regulated entities, contains additional reporting requirements and includes express prohibitions on the use of Covered Data for discriminatory purposes, including interference with voting rights and employment opportunities. The Democrats’ proposal also creates a private right of action that allows consumers to bring lawsuits for alleged violations and preserves states’ ability to legislate additional consumer protections. The Republicans’ proposal, in contrast, does not provide consumers with a private right of action. The Republican proposal also expressly preempts state legislation with a similar purpose.
Recent Attempts at Passing Federal Privacy Protections
In late 2019, Congressional efforts to pass a federal privacy bill stalled after Chairman Wicker circulated a draft of the United States Consumer Data Privacy Act of 2019 for discussion, and Senate Democrats introduced the Consumer Online Privacy Rights Act. If last year’s attempts presage the outcome of the newly introduced coronavirus-related privacy bills, disagreements between the parties about a private right of action and state preemption could be stumbling blocks. These key differences will likely be the central focus of negotiations if the bills progress, and could serve as a blueprint for resolving the thorny issues that have hindered the advancement of national consumer privacy legislation.
| Key Provisions | Republican Proposal | Democratic Proposal |
|---|---|---|
| Covered Data | Includes precise geolocation data, proximity data, persistent identifiers (such as IP addresses) and personal health information. Excludes aggregated data, business contact information, de-identified data, employee screening data and publicly available information. The definition of “personal health information” excludes information included in certain education records (e.g., FERPA records) and information regulated by HIPAA. | Includes geolocation data, proximity data, personal health information, demographic data, contact information for identifiable individuals (such as an address book or call log) and “any other data collected from a personal device.” |
| Covered Organizations | Includes entities under the jurisdiction of the Federal Trade Commission (FTC) Act, common carriers, and nonprofit organizations that (i) collect, process or transfer covered data or (ii) determine the means and purposes for the collection, processing or transfer of covered data. A Covered Organization’s employees, owners, directors, officers or staff members (among others) who are permitted to enter a physical site of operation of the Covered Organization are not included as protected individuals. Excludes service providers that process or transfer covered data for the purpose of performing services on behalf of a Covered Organization, and that are not related to the Covered Organization. | Includes any person (including a government entity) that collects, uses or discloses covered data, or that develops or operates a website, web application, mobile application, mobile operating system feature or smart device application for the purpose of tracking, screening, monitoring, contact tracing or mitigation, or otherwise responding to the COVID-19 public health emergency. Excludes health care providers, service providers or public health authorities; generally does not apply to “covered entities” and “business associates” under HIPAA. |
| Consent Requirements | Makes it unlawful for a Covered Organization to collect, process or transfer an individual’s covered data to track the spread, signs or symptoms of COVID-19, to measure compliance with social distancing guidelines or to conduct COVID-19 contact tracing, without the individual’s affirmative express consent. “Affirmative express consent” means an affirmative act by an individual that clearly communicates the individual’s authorization of the collection, use or disclosure of covered data, and is taken after the individual has been presented with a clear and conspicuous description of the collection, use or disclosure of covered data. Consent may not be inferred from inaction on the part of the individual. Requires Covered Organizations to provide an effective mechanism to revoke consent. After a Covered Organization receives a revocation request, it must stop collecting, processing or transferring the covered data for the previously consented-to purposes within 14 days. | Makes it unlawful for a Covered Organization to collect, use or disclose covered data without obtaining the individual’s affirmative express consent. “Affirmative express consent” means an affirmative act by an individual that clearly and conspicuously communicates the individual’s authorization of the collection, use or disclosure of covered data, and there must not be any mechanism in the user interface that is intended to, or has the substantial effect of, “obscuring, subverting, or impairing decision making or choice to obtain consent.” Consent may not be inferred from inaction on the part of the individual. Requires Covered Organizations to provide an effective mechanism to revoke consent. After a Covered Organization receives a revocation request, it must stop collecting, using or disclosing covered data from the individual within 15 days. The Covered Organization must also destroy or de-identify that individual’s data within 30 days of the revocation. |
| Use and Disclosure Limitations | Requires the Covered Organization to provide prior notice to the individual, and requires the Covered Organization to publicly commit not to collect, process or transfer the covered data for other purposes (unless required by law, the use is necessary to carry out the consented-to purposes, or the individual separately consents to the other purposes). | Covered Organizations can only collect, use or disclose covered data that is necessary, proportionate and limited for a good-faith public health purpose. Prohibits the use of covered data for discriminatory and unauthorized purposes, such as screening individuals from employment, insurance and housing opportunities, and using data for commercial advertising (among other things). Prohibits the use of the covered data to deny, restrict or interfere with the right to vote. |
| Data Integrity and Security | Covered Organizations must take reasonable measures to ensure the accuracy of the covered data and cannot use the data beyond what is reasonably necessary to carry out the consented-to purposes. Covered Organizations must establish, implement and maintain reasonable administrative, technical and physical data security policies and practices to protect against risks to the confidentiality, security and integrity of the covered data. Covered Organizations must delete or de-identify covered data when the data is no longer being used for the consented-to purposes and is no longer necessary to comply with legal obligations or to support legal claims. | Covered Organizations must take reasonable measures to ensure the accuracy of the covered data and must adopt reasonable safeguards to prevent unlawful discrimination on the basis of the covered data. Covered Organizations must establish and implement reasonable data security policies, practices and procedures to protect the security and confidentiality of the covered data. Requires data destruction or de-identification 60 days after the termination of the national public health emergency; 60 days after the termination of a public health emergency declared by a governor or chief executive of a state in which the individual resides; or 60 days after the initial collection (whichever date is latest). |
| Transparency | Requires Covered Organizations to publish a privacy policy that is disclosed to individuals before (or at the point of) data collection, is made publicly available, states whether the Covered Organization transfers the data to other recipients, and includes a general description of data retention and data security practices. | Requires Covered Organizations to provide the individual with a privacy policy that is conspicuously disclosed, is in the language the individual typically uses to communicate with the entity, and that describes the data collection purposes, the recipients of the data, data retention and security policies, the procedures for exercising individual rights under the Act, and the procedures for filing a complaint with the FTC. |
| Reporting Requirements | Requires Covered Organizations to submit a report within 30 days of enactment (and at least once every 60 days after that). The report(s) must state how many individuals the Covered Organization has collected, processed or transferred data from, must describe the categories of covered data the Covered Organization has collected, must identify the specific purposes for which each data category is used and must disclose the recipients to whom the data is transferred. | Requires Covered Organizations that collect data on 100,000 individuals (or more) to issue a public report at least once every 90 days. The report(s) must include the number of individuals the Covered Organization has collected, used or disclosed data from, must describe the categories of data collected and how those categories of data were used, and must describe the categories of third parties to which the Covered Organization disclosed the data. Requires the Secretary of Health and Human Services to consult with the United States Commission on Civil Rights and the FTC to prepare and submit to Congress a report on the civil rights impact of the covered data collection. |
| State Law Preemption | Expressly preempts state legislation enacted for a similar purpose. | Expressly does not preempt any state or other federal laws. |
| Enforcement | Enables the FTC and state attorneys general to enforce the Act. | Enables the FTC and state attorneys general to enforce the Act. Provides a private right of action. Generally invalidates pre-dispute arbitration agreements and pre-dispute joint action waivers regarding disputes that arise under the Act. |