On June 1, 2020, U.S. Senators Maria Cantwell (D-WA) and Bill Cassidy (R-LA) introduced bipartisan legislation known as the Exposure Notification Privacy Act (Act) in the Senate. The Act would regulate the coronavirus contact-tracing and exposure-notification applications that different states have been developing as part of efforts to track the spread of the virus and to notify individuals who may have been exposed to the virus. Apple and Google have also released software that allows governments to build such applications using Bluetooth technology on smartphones.
The Act would require virus-tracking applications to either be created in collaboration with or operated by public health authorities. Additionally, it would put in place robust safeguards to protect privacy, prevent data misuse, and promote public health. The proposed law would achieve these safeguards by mandating, among other things, that individuals be able to consent to the collection of their information and to delete it at any time. Further, any data collected could not be “for any commercial purpose” and would be the “minimum amount necessary to implement an automated exposure notification service for public health purposes.” Applications would also be required to inform users and the Federal Trade Commission (FTC) about data breaches “in the most expedient time possible, consistent with the legitimate needs of law enforcement.”
The FTC would be tasked with enforcement of this proposed law and would be able to issue civil penalties for first-time violators, a power that the consumer protection agency currently does not have for most privacy matters that do not affect children under the age of 13. State Attorneys General would also be able to enforce the Act.
The Act makes clear that it would not preempt, displace, or supplant any state law, rule, regulation, or requirement as well as any federal or state common law right or remedy, or any statute.
Awareness of this legislation is particularly important for providers or commercial users of transportation, logistics, or warehousing services. Companies in these industries generally have a significant number of employees and contractors that they are actively tracking. To the extent that companies in these industries are adding or are considering contact-tracing and exposure-notification apps, they will need to assess the usage of those apps and potentially their impact on current practices.
A more detailed summary of the role of public health authorities, individual rights, data restrictions, and enforcement in the Act follows.
Role of Public Health Authorities
- The Act will require that public health officials be involved with the deployment of any exposure notification systems. The Act will prohibit any automated exposure notification service not operated by or in collaboration with a public health authority. This would give users confidence that the technologies they are using are legitimate and not created by unqualified actors.
- The Act will allow only medically authorized diagnoses of infectious diseases to be submitted to exposure notification systems. This will guard against false reports.
- The Act will require that participation be voluntary and based on affirmative, express consent. Further, consent could be withdrawn at any time.
- The Act will allow participants to delete their data from an exposure notification system at any time.
- The Act will make it unlawful to discriminate against, or otherwise make unavailable to an individual, any place of public accommodation based on data collected or processed through an automated exposure notification service. This means people could not be prevented from entering a public place because they chose not to sign up for a coronavirus exposure notification app.
Data Restrictions to Preserve Privacy
- The Act will limit the collection and use of data to that which is necessary for the purpose of the system and prohibit any commercial use of data.
- The Act will prohibit operators of automated exposure notification services from collecting or using data beyond what is necessary to implement such services for public health purposes. Operators would be prohibited from collecting or processing data for any commercial purpose.
- The Act will create strong cybersecurity and breach notification safeguards. In order to protect user data, the legislation creates comprehensive data security requirements and obligations to immediately notify individuals in the event of a security incident.
- The Act will require recurring and ongoing data deletion obligations.
- The Act will make allowances for public health research.
- The Act will empower the FTC and state Attorneys General to pursue violators.
- The Act will allow the FTC to pursue civil penalties for first-time violations.
- The Act will protect state privacy rights, ensuring that consumer privacy and health laws remain in place.
 U.S. Senator Amy Klobuchar (D-MN) will be co-sponsoring the bill.
 Senate Bill No. 3861.