COVID-19 Consumer Data Protection Act of 2020 Seeks to Regulate Collection, Use of Geolocation, Personal Health Information

Faegre Drinker Biddle & Reath LLP

Contact tracing is recognized by health systems and governments as an effective method to identify individuals an infected person may have exposed to disease in order to notify those individuals and take action to prevent further spread of illness. Traditionally, the accuracy of contact tracing has been dependent upon an individual’s memory of (and willingness to disclose) where they have been and with whom they have been in contact in order to track down other people who may have been infected. Connected devices with geolocation capabilities allow for digital tracking of individuals, but they also carry significant privacy issues.

On April 30, 2020, four senators (R. Wicker, R-MS; J. Thune, R-SD; J. Moran, R-KS; M. Blackburn, R-TN) announced their plan to introduce the “COVID-19 Consumer Data Protection Act of 2020.” The legislation’s goal is to regulate what geolocation and personal health information is collected, and how it may be used during the COVID-19 Public Health Emergency announced by Secretary of Health and Human Services (HHS) Alex Azar on January 31, 2020.

The proposed legislation would be effective only while there is a declared Public Health Emergency in place and would apply only to data collected, processed or transferred for COVID-19 purposes. It would apply to covered entities, defined as those subject to the Federal Trade Commission’s (FTC) jurisdiction as well as common carriers or nonprofits, which generally are not subject to the FTC’s jurisdiction. Covered data is defined as precise geolocation data, proximity data and personal health information.

Covered entities would be required to publish a privacy policy that is disclosed to individuals prior to or at the point of collection of the covered data that describes the intended transfers of the data, the category of data recipients and a general description of the data. Individuals would be required to provide affirmative, express consent before their covered data can be collected, processed or transferred unless such collection, processing or transfer is necessary to comply with a legal obligation.

The covered entity would also be required to provide an effective opt-out mechanism for individuals to revoke their consent for the collection and transfer of such data. In addition, covered entities would be required to issue a public report once every 30 days stating the aggregate number of individuals whose covered data has been collected, processed or transferred and describing the categories of covered data collected and transferred, the purpose for each data category and the recipients of transferred data. Covered entities would be prohibited from collecting more data than is necessary and the FTC will issue best practice data minimization guidelines. Covered entities would be required to have adequate data security.

This bill pulls elements from other privacy laws with respect to requiring affirmative express consent before collecting, processing or transferring sensitive information, as well as the notice requirement before collecting personal data.

The FTC and the state attorneys general would be empowered to enforce the law.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Faegre Drinker Biddle & Reath LLP | Attorney Advertising
