Two competing bills have been introduced in Congress to protect personal data collected by businesses in response to the COVID-19 crisis. The bills, one introduced by Senate Democrats (The Public Health Emergency Privacy Act), the other by Senate Republicans (The COVID-19 Consumer Data Protection Act of 2020), have several key differences, but share one significant similarity: an explicit opt-in requirement by data subjects for the collection and use of COVID-19-related personal data.
The proposed legislation is a response to the increasing number of software applications, websites, and other digital tools being developed to collect and use novel coronavirus-related personal data, including possible COVID-19 symptoms. Such data would be used for screening, tracking, and tracing as states and localities emerge from the Great Pause and resume onsite operations and activities. Both bills place an emphasis on protecting the privacy of personal information and would require entities collecting such data to implement “reasonable” data protection measures. Further, by requiring organizations to obtain the explicit consent of data subjects through opt-in processes before collecting and using such data, each bill would depart significantly from most U.S. data privacy laws, which are based on “opt-out” models. Neither bill defines personal information or data, and neither specifies what “reasonable” data protection measures means.
The bills differ in several respects. The COVID-19 Consumer Data Protection Act of 2020 does not subject employee screening by employers for COVID-19 symptoms to the bill's privacy measures and protections, including its opt-in requirement. The Public Health Emergency Privacy Act places greater emphasis on civil rights and would require a report determining the extent to which any civil rights may be affected by the collection of novel coronavirus-related personal data. The Democratic bill also would extend its collection prohibitions and restrictions to governmental agencies, whereas the Republican bill addresses only data collection by private organizations. Both bills exclude public health authorities as covered parties; such authorities remain free to collect the information described in the bills as is necessary and reasonable to protect the public. The bills also exclude healthcare institutions, which already are covered by the Health Insurance Portability and Accountability Act (HIPAA).
We will continue to track the progress of this legislation.