The COVID-19 Consumer Data Protection Act of 2020: What Companies Should Expect If Passed

| Legal Alert
Donna Urban & Krishna Jani

*This alert was updated to reflect that the Bill that was formally introduced on
May 7, 2020.*

On April 30, 2020, Four U.S. Senators announced plans to introduce the COVID-19 Consumer Data Protection Act (the “Act”).

What would the Act do?

According to the press release, the Act would “provide all Americans with more transparency, choice, and control over the collection and use of their personal health, geolocation, and proximity data” during the COVID-19 public health emergency. Recognizing the importance individual privacy, according to Senator Thune, the bill seeks to “strike the right balance between innovation—allowing technology companies to continue their work toward developing platforms that could trace the virus and help flatten the curve and stop the spread—and maintaining privacy protections for U.S. citizens.”

Specifically, the Act would:

The bill reportedly contains a provision that will pre-empt provisions of state privacy laws that are more prescriptive than the federal protections. Additionally, information from education records that is already subject to the Family Educational Rights and Privacy Act, as well as health information already subject to the Health Insurance Portability and Accountability Act, would both be exempt from the Act.

Will it be passed?

It’s hard to tell. The bill was not a bipartisan effort, and one of the Republicans behind the bill, Senator Marsha Blackburn of Tennessee, said that she had yet to discuss the proposal with her Democratic colleagues just a few days ago. It is possible that conversations are now happening across the aisle.

Moreover, several other broader pieces of federal privacy legislation remain pending. Some political commentators have speculated that the coronavirus has made privacy an even more pressing issue. This may leave room for the COVID-19 Consumer Data Protection Act. 

What are the implications here?

Some companies are struggling without a comprehensive federal consumer privacy law during of COVID-19. Businesses have had to speculate whether data uses related to the pandemic are up to existing (fragmented) privacy standards. The Commissioner of the Federal Trade Commission, Christine Wilson, even remarked that the lack of a federal privacy law “has been a hindrance to the response of COVID-19.” She went on to say that an established federal law would have, and could still, help companies know when they are being asked to “cross the line.”

Accordingly, companies that collect data related to COVID-19 should clearly disclose to consumers what particular data is being collected, and when it will be deleted, Wilson urged. She also explained that pandemic-related data should be segregated from other information. While this proposed legislation applies only to health, proximity, and geolocation data during the COVID-19 pandemic, if enacted, it may pave the path toward a permanent and comprehensive federal privacy law.

Regulatory Updates

To date, the Federal Trade Commission had not issued new guidance in response to Senator Edward Markey’s April 8, 2020 letter requesting best practices for users of online video platforms.

If you have any questions, please feel free to reach out to Donna Urban, Krishna Jani, or any member of Flaster Greenberg’s Telecommunications or Privacy & Data Security Groups.  

In light of recent changes to data protection laws, we have updated our Privacy Policy and Terms & Conditions, which explain how we collect, use, maintain, and secure your information. By using this site, you agree to our updated Privacy & Terms of Use Policies