*This alert was updated to reflect that the Bill that was formally introduced on
May 7, 2020.*
On April 30, 2020, Four U.S. Senators announced plans to introduce the COVID-19 Consumer Data Protection Act (the “Act”).
What would the Act do?
According to the press release, the Act would “provide all Americans with more transparency, choice, and control over the collection and use of their personal health, geolocation, and proximity data” during the COVID-19 public health emergency. Recognizing the importance individual privacy, according to Senator Thune, the bill seeks to “strike the right balance between innovation—allowing technology companies to continue their work toward developing platforms that could trace the virus and help flatten the curve and stop the spread—and maintaining privacy protections for U.S. citizens.”
Specifically, the Act would:
- Require companies subject to the Federal Trade Commission’s jurisdiction to obtain affirmative express consent from individuals to collect, process, or transfer their personal health, geolocation, or proximity information for the purposes of tracking the spread of COVID-19.
- Direct companies to disclose to consumers at the point of collection how their data will be handled, to whom it will be transferred, and how long it will be retained.
- Establish clear definitions about what constitutes “aggregate” and “de-identified” data to ensure companies adopt certain technical and legal safeguards to protect consumer data from being re-identified.
- Require companies to allow individuals to opt out of the collection, processing, or transfer of their personal health, geolocation, or proximity information.
- Direct companies to publish transparency reports to the public describing their data collection activities related to COVID-19.
- Establish data minimization and data security requirements for any personally identifiable information collected by a covered entity.
- Require companies to delete or de-identify all personally identifiable information when it is no longer being used for the COVID-19 public health emergency.
- Authorize state attorneys general to enforce the Act.
The bill reportedly contains a provision that will pre-empt provisions of state privacy laws that are more prescriptive than the federal protections. Additionally, information from education records that is already subject to the Family Educational Rights and Privacy Act, as well as health information already subject to the Health Insurance Portability and Accountability Act, would both be exempt from the Act.
Will it be passed?
It’s hard to tell. The bill was not a bipartisan effort, and one of the Republicans behind the bill, Senator Marsha Blackburn of Tennessee, said that she had yet to discuss the proposal with her Democratic colleagues just a few days ago. It is possible that conversations are now happening across the aisle.
Moreover, several other broader pieces of federal privacy legislation remain pending. Some political commentators have speculated that the coronavirus has made privacy an even more pressing issue. This may leave room for the COVID-19 Consumer Data Protection Act.
What are the implications here?
Some companies are struggling without a comprehensive federal consumer privacy law during of COVID-19. Businesses have had to speculate whether data uses related to the pandemic are up to existing (fragmented) privacy standards. The Commissioner of the Federal Trade Commission, Christine Wilson, even remarked that the lack of a federal privacy law “has been a hindrance to the response of COVID-19.” She went on to say that an established federal law would have, and could still, help companies know when they are being asked to “cross the line.”
Accordingly, companies that collect data related to COVID-19 should clearly disclose to consumers what particular data is being collected, and when it will be deleted, Wilson urged. She also explained that pandemic-related data should be segregated from other information. While this proposed legislation applies only to health, proximity, and geolocation data during the COVID-19 pandemic, if enacted, it may pave the path toward a permanent and comprehensive federal privacy law.
To date, the Federal Trade Commission had not issued new guidance in response to Senator Edward Markey’s April 8, 2020 letter requesting best practices for users of online video platforms.