A group of Republican Senators, led by Senate Commerce Committee Chairman Roger Wicker, introduced the COVID-19 Consumer Data Protection Act of 2020 (the Act) on May 7, 2020.¹ The Act would address privacy issues associated with certain entities’ collection, use, and disclosure of geolocation information and other data for the narrow purpose of identifying and tracking those who have COVID-19 or have been in close proximity to those who are likely infectious (contact tracing).

It would remain in force only until the Secretary of Health and Human Services rescinds the public health emergency he declared when the pandemic began. Although the Act is limited in scope and duration, it could influence future privacy legislation at the federal and state levels.

Overview of the Act

Among other things, the Act would require entities subject to the Federal Trade Commission Act (FTC Act), common carriers, and non-profit organizations (covered entities) to give notice and obtain opt-in consent before collecting, processing, and transferring limited types of information (covered data) from “individuals” for one of three purposes (covered purposes). The Act does not apply to “service providers,” which are entities that perform services on behalf of and at the direction of covered entities.

Obligations of Covered Entities

The Act would require covered entities to provide individuals notice at or before the time of collection and to obtain their opt-in consent before collecting, using, or disclosing covered information for one of three covered purposes:

1. To track the spread, signs, or symptoms of COVID-19;
2. To measure compliance with social distancing guidelines or other COVID-19-related requirements imposed by the government; or
3. To conduct contact tracing related to COVID-19.

Covered entities would be required to publicly commit not to use data for another purpose, except under limited circumstances, and they would be required to provide individuals with a mechanism to revoke consent and then to act on the revocation, either by ending the collection, processing, or transfer of the data, or by de-identifying the data.

In addition, the Act would require covered entities to take reasonable measures to ensure that the data they collect is accurate and to publish privacy policies and issue public reports every 60 days, after an initial report within 30 days of enactment, disclosing information about their data collection, use, and disclosure, including the categories of data collected and entities to whom such data was transferred.

Finally, the Act would impose both security and data minimization obligations on covered entities and direct the FTC to issue best practices regarding data minimization.

Information Covered

The Act would apply to just four types of information: (1) precise geolocation information, (2) proximity data, (3) a persistent identifier, and (4) personal health information.

• Precise geolocation information means “technologically derived information capable of determining with reasonable specificity the past or present actual physical location of an individual at a specific point in time.”

  The scope of this term is unclear: the Act does not require GPS-level precision and does not explain what “reasonable specificity” means. It therefore could include cell site location information (CSLI), which is data showing the location of the cell tower(s) to which a wireless device is connected at particular times and, with triangulation, approximating the location of a cell phone near the tower, within a few blocks at best and sometimes up to several square miles at worst.

  As such, CSLI generally does not reveal location with anything close to pinpoint accuracy the way that GPS data does (within five to 10 feet), but it has been deemed sufficiently revealing to deserve protection under the Fourth Amendment.² 

• Proximity data is similarly defined to include “technologically derived information that identifies the past or present proximity of one individual to another.” This definition, too, could include CSLI, as well as information derived from the Bluetooth technology used on individuals’ mobile devices.
• Persistent identifier means “a technologically derived identifier that identifies an individual, or is linked or reasonably linkable to an individual over time and across services and platforms,” including static IP addresses, device IDs, and customer identifiers stored in cookies.
• Personal health information means genetic information or other information related to the treatment or diagnosis of a health-related condition that is linked or linkable to the individual, unless such information is subject to the Family Educational Rights and Privacy Act or the Health Insurance Portability and Accountability Act (HIPAA).

The Act expressly excludes the following categories of data: aggregated data, de-identified data, publicly available information, “business contact information,” and “employee screening data.”³ The last category is defined broadly to include any covered data of an “employee, owner, director, officer, staff member trainee, vendor, visitor, intern, volunteer or contractor of a covered entity” that the covered entity processes to determine whether the individual could pose a COVID-19-related health threat by entering the premises. This exclusion gives businesses that would otherwise be “covered entities” under the Act greater flexibility to protect their workplaces.

In addition, the Act defines “individual” to exclude someone who is a “full-time or part-time, paid or unpaid employee, owner, director, officer, staff member, trainee, vendor, visitor, intern, volunteer, or contractor of a covered entity permitted to enter” that covered entity’s “physical site of operation.” This, too, could give entities that operate public venues – including restaurants, retail stores, and the like – leeway to collect and use covered data to protect their environments from the public health threat without having to adhere to the Act.

Interaction With Other Laws

The Act would preempt federal, state, and local laws, regulations, rules, standards, and requirements, but only “to the extent that” they are “related to” the collection, use, and disclosure of covered data for the COVID-19-related purposes described above. The Act expressly limits the Federal Communications Commission’s ability to enforce its privacy provisions and regulations against covered entities, with the exception of rules governing 911 calls and emergencies, but again, only to the extent that such laws and rules that the FCC enforces are related to covered data and covered purposes, and only when the communications providers regulated are acting as “covered entities” and not “service providers.”

Enforcement

The FTC would have exclusive authority to enforce the Act against covered entities, except that state attorneys general would be able to enforce the Act in coordination with, and with deference to, the FTC, to obtain, among other relief, “damages, civil penalties, restitution, or other compensation on behalf of the residents of the State.” These enforcement provisions effectively preclude private rights of action.

Takeaways

The Act appears to have been designed to address concerns regarding the contact tracing apps that have garnered much media attention since they were proposed by Google and Apple. The first draft of the Act was extremely broad and would have regulated a wide range of commercial entities that collected covered data for one of the covered purposes. The drafters have taken steps to carve out employers and proprietors of commercial establishments, allowing them greater flexibility to collect, use, and share covered data to protect the workplaces and public venues that they operate.

Moreover, unlike the earlier draft, the Act carves out “service providers” from the definition of “covered entities.” This exclusion should be a welcome change for ISPs and wireless carriers who could have been covered under the broad language of the previous draft and would have taken on significant compliance obligations with respect to precise geolocation information. ISPs and wireless carriers will have to be mindful, however, of whether they are acting as a “service provider” or as a “covered entity” when they engage in data collection, use, or transfer for one of the covered purposes. Depending on their role in a given scenario, they might be covered by the Act.

The Act could pose challenges for some likely use cases. For instance, unlike personal health information, neither precise geolocation information nor proximity data must be linked or linkable to a specific person. If obtaining opt-in consent from individuals is not feasible, the Act could preclude tracking general compliance with social distancing orders, even when the information is not used to identify a particular individual. Covered entities wishing to facilitate this kind of tracking would have to take steps to ensure that such information was de-identified, a task made difficult given the potential to use certain types of location information to identify specific individuals.

Finally, the Act could portend the new normal. Although the sunset provision ensures that the Act would not last longer than the state of emergency, we do not know when it might end. Moreover, it could be very hard to ratchet down restrictions on the collection, use, and disclosure of information once they have been established and implemented. We therefore should not be surprised if these provisions find their way into future federal omnibus privacy bills.

The facts, laws, and regulations regarding COVID-19 are developing rapidly. Since the date of publication, there may be new or additional information not referenced in this advisory. Please consult with your legal counsel for guidance.

FOOTNOTES

1  Democratic Senators are drafting their own bill to address these issues. We will analyze that bill in another client alert.
2  The U.S. Supreme Court held that law enforcement must obtain a warrant before seeking historical long-term CSLI because it can reveal much about where a person has been, for how long, when, and with whom. Carpenter v. U.S. 138 S. Ct. 2206 (2018).
3  The Act adopts a de-identification standard similar to the FTC’s three-part test.

[View source.]