As new ideas to use data to track and mitigate the spread of COVID-19 continue to be put forth, lawmakers in Congress are working to ensure that personal health information, geolocation and proximity data is not misused. The “COVID-19 Consumer Data Protection Act,”  which contains protections for personal information, particularly health, geolocation, and proximity data, was announced April 30 and will be introduced by Sen. Roger Wicker, R-Miss., chairman of the Senate Committee on Commerce, Science, and Transportation. The bill’s cosponsors include Sens. John Thune, R-S.D., chairman of the Subcommittee on Communications, Technology, Innovation, and the Internet; Jerry Moran, R-Kan., chairman of the Subcommittee on Consumer Protection, Product Safety, Insurance and Data Security; and Marsha Blackburn, R-Tenn. In a press release accompanying the release of the bill, Sen. Thune said “individual privacy, even during times of crisis, remains critically important.”

What information is covered under the bill?

Under the bill, covered information would include “precise geolocation data, proximity data, and personal health information.” Any entity or person who “collects, processes, or transfers covered data” and is also subject to the Federal Trade Commission Act, is a common carrier subject to the Communications Act of 1934, or is nonprofit organization would be subject to the law.

In general, information that is aggregated, deidentified or publicly available would not be considered “covered data” under the law. Moreover, information from education records that is already subject to the Family Educational Rights and Privacy Act, as well as health information already subject to the Health Insurance Portability and Accountability Act, would both be exempt from the regulation.

How would the bill protect information?

The COVID-19 Consumer Data Protection Act would rely mainly on the notice and consent paradigm to protect information, making it unlawful for a covered entity to “collect, process, or transfer the covered data of an individual” without prior notice and express consent unless necessary to comply with a legal obligation. This requirement applies to processing covered data to track the spread, signs, or symptoms of COVID-19; to measure compliance with social distancing guidelines or other COVID-19-related requirements imposed by federal, state or local governments; and to conduct contact tracing of cases of COVID-19.

Transparency

The bill would require entities that fall within its scope to publish a privacy policy that is transparent about the entity’s data transfer, data retention, and data security practices.

Covered entities would also be required to issue a “public report” at least once every 30 days. These reports would need to include: the aggregate number of individuals whose data the entity has collected, processed or transferred; the categories of data that were collected, processed or transferred; the purposes for which data was collected, processed or transferred; and those to whom it was transferred.

The right to opt-out

Covered entities must also provide individuals with the “right to opt-out,” or an effective mechanism that allows them to revoke their consent. Upon receiving an opt-out request, a covered entity would have 14 days to stop collecting, processing, or transferring the covered data, or to deidentify it.

Deletion, deidentification and data minimization

The bill also contains clauses on deletion, deidentification and minimization. Entities would be required to delete or deidentify covered information when it is no longer being used for the purpose for which it was initially collected, processed or transferred. Entities would also need to minimize their collection, processing and transfers of data to “what is reasonably necessary, proportionate, and limited” to the initial purpose. To aid covered entities in these endeavors, the bill calls upon the U.S. Federal Trade Commission to issue “guidelines recommending best practices” for data minimization.

Cybersecurity

One of its final provisions would mandate that covered entities put in place cybersecurity protections, requiring them to “establish, implement, and maintain reasonable administrative, technical, and physical data security policies and practices to protect against risks to the confidentiality, security, and integrity” of the data covered by the law.

Protections such as these are especially important, given the rise in the number of threats and scams around the coronavirus that have been reported to the FTC. As of April 2020, over 30,000 reports related to COVID-19 have been made to the FTC, with people reporting to have lost approximately $22 million to fraud.

Enforcement

Enforcement of the law would be carried out under the FTC Act regarding unfair or deceptive acts or practices. State attorneys general would also, as parens patriae, have the power to bring a civil action against covered entities that adversely affect the interest of residents of their state and are not subject to the enforcement authority of the FTC.

Preemption of state law

Last but not least, the bill also contains a preemption clause that would prevent states from adopting, enforcing, or continuing to maintain any law that is “related to the collection, processing, or transfer of covered data” as defined in the bill.

At least one consumer privacy group, Public Knowledge, has criticized the bill for its preemption clause. Sara Collins, policy counsel at Public Knowledge, described the bill as "truly a privacy 'cure' worse than the disease," a play on an infamous tweet from President Donald Trump.

Conclusion

It is too early to tell how much support the bill will gain in Congress, and whether its privacy protections would be sufficient in the face of a pandemic, and responses to it, that evolve with each passing day. Indeed, new privacy threats may emerge from the crisis that are yet unseen.

What seems clear is that privacy will continue to play a role in shaping the response to the coronavirus pandemic. As IAPP CEO J. Trevor Hughes, CIPP, tweeted following the bill’s announcement: “Wow. A privacy bill emerges in DC. In the middle of a pandemic. I guess privacy ain't dead after all.”

Photo by Andy Feliciotti on Unsplash