On April 30th, U.S. Senators from across multiple committees joined together to announce legislation that would protect consumer privacy rights in the wake of the COVID-19 pandemic. Sen. Roger Wicker (R-MS), Chair of the Senate Committee on Commerce, Science, and Transportation; Sen. John Thune (R-SD), Chair of the Subcommittee on Communications, Technology, Innovation, and the Internet; Sen. Jerry Moran (R-KS), Chair of the Subcommittee on Consumer Protection, Product Safety, Insurance and Data Security; and Sen. Marsha Blackburn (R-TN) plan to introduce a bill that would provide individuals with transparency, choice, and control over the collection and use of their personal health, geolocation, and proximity data, while also holding businesses accountable to individuals if those businesses use personal information in response to COVID-19.
The COVID-19 Consumer Data Protection Act relies on notice and consent to protect personal information. The bill would require disclosures about how personal information will be used, to whom it might be transferred, and for how long it would be held. This would include tracking the spread, signs, or symptoms of COVID-19; measuring compliance with social distancing guidelines; monitoring compliance with COVID-19 orders or directives issued by federal, state or local governments; and conducting contact tracing of COVID-19 cases. These disclosures would allow individuals to make informed choices about whether to give express consent for a business to “collect, process, or transfer the covered data of an individual.” However, individuals will also have the right to opt-out at any time after giving consent, and upon receiving an opt-out request, a business must honor such opt out within 14 days by stopping any such collecting, processing, or transferring of the personal information, or the business can de-identify the personal information.
Once personal information has been collected, businesses will be required to “establish, implement, and maintain reasonable administrative, technical, and physical data security policies and practices to protect against risks to the confidentiality, security, and integrity” of the personal information. Furthermore, businesses will be required to delete or de-identify personal information when it is no longer being used for a COVID-19 purpose. Businesses would also be required to issue publicly available reports every 30 days about: the aggregate number of individuals whose data has been collected, processed or transferred; the categories of data that were collected, processed or transferred; the purposes for which data was collected, processed or transferred; and those to whom it was transferred.
The bill contains a number of exemptions, including for: aggregated, de-identified, or publicly available data; information from education records that is already subject to the Family Educational Rights and Privacy Act; health information already subject to the Health Insurance Portability and Accountability Act; and for compliance with legal obligations.
The bill would task the Federal Trade Commission (FTC) with the responsibility to issue “guidelines recommending best practices” for data minimization of personal information being collected and/or processed for a COVID-19 purpose. The FTC and state attorneys general would also be empowered to enforce the new requirements.
Opposition to the bill will likely focus on the failure of the bill to create an individual private right of action to enforce the privacy rights created as well as the inclusion of a preemption clause that would prevent states from adopting, enforcing, or continuing to maintain any law that is “related to the collection, processing, or transfer of covered data” in the bill.