Last month, we reported that the United States Senate, Committee on Commerce, Science, and Transportation, conducted a hearing on “Enlisting Big Data in the Fight Against Coronavirus.” Specifically, the Committee focused on “examin[ing] recent uses of aggregate and anonymized consumer data to identify potential hotspots of coronavirus transmission and to help accelerate the development of treatments.” We observed that big data can be a powerful force in the fight against COVID-19, but its use presents a significant privacy challenge that needs to be solved.
On April 30, 2020, Senate Commerce Committee Ranking Member Roger Wicker (R-MS), joined by Senators Thune (R-ND), Blackburn (R-TN), and Moran (R-KS), announced plans to introduce the “COVID-19 Consumer Data Protection Act of 2020” (the “bill”). The bill seeks to provide transparency, choice, and control to individuals over the collection and use of their personal health, geolocation, and proximity data for COVID-19 related purposes, and regulates how organizations may collect, transfer, and process that data for such “covered purposes.”
In the press release announcing the bill, Senator Thune was quoted, “While the severity of the COVID-19 health crisis cannot be overstated, individual privacy, even during times of crisis, remains critically important. This bill strikes the right balance between innovation – allowing technology companies to continue their work toward developing platforms that could trace the virus and help flatten the curve and stop the spread – and maintaining privacy protections for U.S. citizens.”
The bill would apply to any person or entity that is: (1) covered by the FTC Act or is a common carrier or nonprofit organization; and (2) collects, transfers, or processes covered data for a “covered purpose.” Notably, it would apply only during the COVID–19 public health emergency, with an end date specified as the date upon which the Secretary of Health and Human Services declares the public health emergency over.
The bill would apply to precise geolocation data, proximity data, and personal health information when collected, processed, or transferred for a “covered purpose.".
Covered Purposes Regulated by The Bill:
Covered entities would be required to comply with the bill when engaged in any of the following activities:
- Collecting, processing, or transferring covered data of an individual to track the spread, signs, or symptoms of COVID–19;
- Collecting, processing, or transferring covered data of an individual to measure compliance with social distancing guidelines or other requirements related to COVID–19 that are imposed on individuals under a Federal, State, or local government order; or
- Collecting, processing, or transferring covered data of an individual to conduct contact tracing for COVID–19 cases.
Requirements for Regulated Activities:
Whenever covered entities use covered data while engaged in the any of the COVID-19-related activities regulated by the bill, they would be required to:
- Provide the individual with prior notice of the purpose for such collection, processing, and transfer; and
- Obtain affirmative express consent from the individual for such collection, processing, or transfer.
The bill also contains these additional requirements of covered entities:
- Reporting –publish a public report at least once every thirty (30) days that contains (a) the aggregate number of individuals whose covered data the entity has collected, processed, or transferred; and (b) describes the categories of covered data collected, processed, or transferred, the specific purposes for collection, processing and transfer, and to whom such data was transferred;
- Opt-Out – provide a mechanism for individuals to revoke consent;
- Deletion – delete or de-identify covered data when it is no longer being used for a purpose covered by the bill;
- Data Minimization – limit collection, processing and transfer of covered data to what is reasonably necessary, proportionate and limited to carry out the covered purpose; and
- Data Security - establish, implement, and maintain reasonable administrative, technical, and physical data security policies and practices.
The FTC would enforce the bill under the FTC Act regarding unfair or deceptive acts or practices. In addition, State attorneys general may bring parens patriae actions for violations affecting their State’s residents.
The bill would prevent states from adopting or enforcing any law that is related to the collection, processing, or transfer of covered data for a covered purpose.