Keypoint: If passed, the bill would create a regulatory structure around the use of contact-tracing apps, including requiring operators of such services to obtain affirmative express consent, provide privacy disclosures, not transfer the data unless under certain circumstances, and delete the data on demand or within thirty days.

According to multiple sources, a bipartisan group of Senators plan to introduce a bill to regulate the use of contact-tracing and exposure notification apps. The bill, entitled the “Exposure Notification Privacy Act” is the latest in a series of bills that seek to regulate these new apps. Previous competing bills were submitted by Republican and Democrat Senators. The new bipartisan bill raises hopes that federal privacy legislation (albeit on a limited issue) may finally pass.

Below is a discussion of the Act’s relevant provisions.

Application

The Act would apply to “operators of an automated exposure notification service,” which phrase is defined as “any person or entity that operates an automated exposure notification service, other than a public health authority, and that is” subject to Federal Trade Commission (FTC) enforcement, a non-profit organization, or a common carrier subject to the Communications Act of 1934.

“Automated exposure notification service” (hereinafter, “Services”) is defined as “a website, online service, online application, mobile application, or mobile operating system that is offered in commerce in the United States and that is designed, in part or in full, specifically to be used for, or marketed for, the purpose of digitally notifying, in an automated manner, an individual who may have become exposed to an infectious disease (or the device of such individual, or a person or entity that reviews such disclosures).”

Affirmative Express Consent

Notably, the Act would mandate voluntary participation for the use of the Services. This could be a significant provision for employers seeking to require employees to use these Services.

Specifically, the Act provides that an “operator of an automated exposure notification service . . . may not enroll an individual in the automated exposure notification service without the individual’s prior affirmative consent.” Operators also would be required to “provide an individual with a clear and conspicuous means to withdraw affirmative express consent.”

The Act defines “affirmative express consent” as “an affirmative act by an individual that clearly communicates the individual’s authorization for an act or practice, in response to a specific request that (i) is provided to the individual in a clear and conspicuous disclosure that is separate from other options or acceptance of general terms; and (ii) includes a description of each act or practice for which the individual’s consent is sought and (I) is written concisely and in easy-to-understand language; and (II) includes a prominent heading that would enable a reasonable individual to identify and understand the act or practice.”

The Act also clarifies that express consent cannot be inferred from the inaction of an individual or the individual’s continued use of the Service and must be “freely given and nonconditioned.”

The Act further provides that an individual with an authorized diagnosis shall determine whether the diagnosis is processed as part of the Services.

Notice

Operators of the Services and platform operators (defined as operating system providers) would be required to provide privacy policies. Specifically, the Act would require them to “make publicly and persistently available, in a conspicuous and readily accessible manner, a privacy policy that provides a detailed and accurate representation of that person or entity’s covered data collection, processing, and transfer activities in connection with such person or entity’s automated exposure notification service or the facilitation of such service.”

The Act defines “covered data” broadly as “any information that is (A) linked or reasonably linkable to any individual or device linked or reasonably linkable to an individual; (B) not aggregate data; and (C) collected, processed, or transferred in connection with an automated exposure notification service.”

The privacy policy would be required to state:

• the identity and the contact information of the person or entity, including the contact information for the person or entity’s representative for privacy and covered data security inquiries;
• each category of covered data the person or entity collects and the limited allowable processing purposes for which such covered data is collected in accordance with [the Act’s data restrictions section discussed below];
• whether the person or entity transfers covered data for the limited allowable purposes in [the Act’s data restriction section discussed below] and, if so, a detailed description of the data transferred, the purpose of the transfer, and the identity of the recipient of the transfer
• a description of the person or entity’s covered data minimization and retention policies;
• how an individual can exercise the individual rights described in [the Act];
• a description of the person or entity’s covered data security policies; and
• the effective date of the privacy policy.

Data Restrictions

The Act would prohibit operators of Services from collecting or processing any covered data beyond the minimum amount necessary to implement the Service for public health purposes or for any commercial purpose.

Operators of Services also would be prohibited from transferring any covered data except to (1) provide notice of a potential exposure to an individual who has enrolled in the Service; (2) a public health authority for public health purposes; (3) a service provider to perform certain functions such as maintenance and detecting and responding to security incidents, and (4) comply with the establishment, exercise or defense of a legal claim.

Data Deletion

Individuals would have the right to request the deletion of their covered data. In addition, operators would be required to delete covered data within 30 days of receipt, on a rolling basis.

Data Security and Breach Notification

Operators of Services would be required to “establish, implement, and maintain data security practices to protect the confidentiality, integrity, availability, and accessibility of covered data.” This would include conducting risk assessments, taking actions to mitigate known risks, and notifying individuals in the event of a security breach involving covered data.

Other Provisions

In addition to above provisions, the Act would require operators of Services to:

• Collaborate with a public health authority in the operation of the Service.
• Not collect, process or transfer an actual, potential, or presumptive positive diagnosis of an infectious disease as part of the Services, unless such diagnosis is an authorized diagnosis (defined as “an actual, potential, or presumptive positive diagnosis of an infectious disease confirmed by a public health authority or a licensed health care provider”).
• Publish guidance for the public of the functionality of the Service and how to interpret the notifications, including any limitation with respect to the accuracy or reliability of the exposure risk and measures of the effectiveness of the service offered, including adoption rates.

Enforcement

Violations of the Act would be enforceable by the FTC and state Attorneys General. Notably, the Act would not preempt state law and would preserve the right for private litigants to bring suits pursuant to other state or federal laws.

Effective Date

The Act would become effective on the date of its enactment.