This is the fifth alert in a series of Bradley installments on privacy and cybersecurity developments arising from the COVID-19 pandemic. Click to read the first, second, third, and fourth installments.
On May 7, 2020, five United States senators introduced a bill aimed at protecting consumers whose data is used to track COVID-19. One week after an April 30 press release — which we reported last week — Sens. Wicker (R-Miss.), Thune (R-S.D.), Moran (R-Kan.), Blackburn (R-Tenn.), and Fischer (R-Neb.) introduced the COVID-19 Consumer Data Protection Act of 2020. The bill would impose data-privacy restrictions on companies using consumers’ data for tracking the spread of COVID-19, including for contact tracing.
Targeted at data being used to fight the pandemic, the bill covers geolocation, proximity, and health data being used for purposes related to COVID-19. Further, the bill is time limited: Its effect would end once Health and Human Services declares that the public health emergency has ended.
Notice and consent
As expected, the backbone of the protections is the notice-and-consent provisions. Without a consumer’s affirmative express consent, “covered entities” may not use “covered data” for “covered purposes;” the bill would not prohibit a company’s using such data for other purposes unrelated to the pandemic. Such a company would also need to publicly commit to not use the data for any other purpose. Consumers would have a right to opt out by revoking their consent later.
Covered entities, data, and purposes
Covered entities include all companies that are subject to the FTC Act. The FTC would be responsible both for enforcing the bill’s provisions and for promulgating the implementing regulations. Common carriers and nonprofit organizations also would be subject to the law. Expressly excepted from the bill are service providers to covered entities, with respect to the covered data. Service providers would not need a consumer’s consent in order to process data for a covered entity. It is not clear from the bill what obligations — for example, those flowing from the privacy policy or reporting requirements — must flow down to service providers.
Covered data includes only proximity data, precise geolocation data, personal health information, and “a persistent identifier” (e.g., a cookie, a static IP address, or a device’s serial number). Exclusions include types of data that have become commonplace in state privacy acts: aggregated data, de-identified data, business contact information, and publicly available information (each of which the bill attempts to define in detail). More interesting is the exclusion of “employee screening data.” This exclusion would allow a company to use its employees’ data to determine whether to allow an individual to enter the workplace based on their possible COVID-19 status. Not only employees could be screened, but also owners, officers, vendors, visitors, interns, volunteers, and contractors.
Consistent with the bill’s focus, the bill only covers data used for purposes related to the COVID-19 pandemic. Covered purposes include “collecting, processing, or transferring” data (1) to track the disease’s spread, signs, or symptoms; (2) to measure compliance with social-distancing guidelines; or (3) to conduct contact tracing.
Data minimization, protection, accuracy, and deletion
The earlier press release promised that the bill would establish data-minimization and data-security requirements. As introduced, the bill directs the FTC to issue guidelines for data minimization. Companies would be prohibited from any use beyond what is “reasonably necessary, proportionate, and limited” for a covered purpose. As for data security, each company must — for itself — establish reasonable data-security policies.
The bill would further require companies to take “reasonable measures” to ensure the accuracy of data. As with some state privacy laws, companies must provide consumers a mechanism to report inaccuracies. And once the company no longer needs the data for a covered purpose, it must “delete or de-identify” the covered data. That is a company need not delete the covered data, but may choose to merely de-identify it (presumably so that it meets the bill’s definition of “de-identified data” that is excluded from the bill’s coverage).
Transparency reports and privacy policies
The bill would require companies to publish a privacy policy — “clear and conspicuous” both at the point of collection and to the general public — that describes the company’s use, transfer, retention, and protection of the covered data. Finally, the bill also mandates a transparency report every 60 days. The transparency report must describe (1) the categories of data used; (2) the purposes for which it was used; (3) the number of individuals whose data was used; and (4) any transferees.
Preemption and enforcement
At least one controversial aspect of the bill is its express preemption of state privacy laws. The scope of the preemption is limited to laws relating to the use of covered data for a covered purpose. It remains to be seen how that may interact with state privacy laws of more general application, especially given that the bill would lose effect after the pandemic ends, which is a determination in the hands of the Department of Health and Human Services.
Another potential controversy is the lack of any private right of action. Enforcement would instead be in the hands of the FTC and state attorneys general.
Work in progress
It bears repeating that this bill has only just been introduced and does not yet have bipartisan support. If enacted at all, it could by then be dramatically altered from its current form. Moreover, the FTC would then still have the work of writing implementing regulations. And the courts would get their say on its interpretation. We will continue to update you as we learn more.
