A Second Privacy Bill for COVID-19 Has Larger Scope, More Enforcement

Cybersecurity and Privacy Alert

Firm Alert

Author(s) ,

This is the sixth alert in a series of Bradley installments on privacy and cybersecurity developments arising from the COVID-19 pandemic. Click to read the first, second, third, fourth, and fifth installments.

Two United States senators have introduced a second bill aimed at protecting consumers whose data is used to track COVID-19. The bill to create the Public Health Emergency Privacy Act (PHEPA) will compete with an earlier bill — introduced by Sen. Wicker (R-Miss.) and others — which we reported last week.

This new bill from Sens. Blumenthal (D-Conn.) and Warner (D-Va.) shares with the Wicker bill an emphasis on health, geolocation, and proximity data and requires affirmative express consent from consumers from whom such data is collected. But the Blumenthal bill expands the scope and enforcement of the protections.

Targeted at COVID-19

PHEPA would have the usual notice-and-consent backbone. A covered organization would only be allowed to collect, use, or disclose consumer “emergency health data” with consumers’ affirmative express consent. The covered data would include health, geolocation, and proximity data. Also protected are demographic data, contact information, and “any other data collected from a personal device.” This covers more data than the Wicker bill would, and does not except aggregated, de-identified, or publicly available information from the protections.

For the required consent to be effective, a covered organization would need to provide adequate notice in the form of a “clear and conspicuous” privacy policy. The privacy policy should describe the categories of data collected and the purposes for which they are used. There must also be some mechanism for a consumer to revoke consent at any later time.

Covered organizations

PHEPA would also cover a broader class of organizations than the Wicker bill. Where the Wicker bill would apply only to private commercial entities, PHEPA would additionally apply to government entities. Only public health authorities would be exempt under the provisions of the bill. PHEPA would also exempt organizations engaged only in “de minimis” collection or processing. And PHEPA has a “service provider” exemption similar to that in the Wicker bill.

Data protections

As with the Wicker bill, covered organizations would be required to implement reasonable data-security practices and to take reasonable measures to ensure data accuracy (including allowing consumers to correct inaccuracies). Such measures include data minimization, deletion, and non-disclosure requirements. The emergency health data could not be used for advertising or other commercial purposes.

PHEPA also includes express protections of voting rights and other civil rights. Government entities would be prohibited from using emergency health data to restrict voting rights. The FTC, in consultation with the U.S. Commission on Civil Rights, would be directed to report to Congress on the “civil rights impact” of data collection related to the pandemic.

Public reports

In addition to their privacy policy, covered organizations would need to issue a public report if they handle the emergency health data of more than 100,000 individuals. The report would describe the categories of information collected, how it was used, and state the number of individuals involved. The report must be made every 90 days.

Preemption and enforcement

Two aspects of the PHEPA bill stand in stark contrast to the Wicker bill. First, PHEPA would expressly not preempt state law. That would effectively make PHEPA a floor that states could raise either by existing legislation or with new legislation. For organizations doing business in multiple states, this could result in their having to comply with higher standards than created by the federal bill, at least in some states.

Second, PHEPA would provide a private right of action to consumers. The Wicker bill would give enforcement authority only to the FTC and to states’ attorneys general. But, under PHEPA, consumers affected by violations could sue offending organizations directly for statutory damages of up to $5,000 per violation. Consumers could also recover attorneys’ fees and litigation costs.

Work in progress

It bears repeating — as we cautioned in our report on the Wicker bill — that this bill has only just been introduced and does not yet have bipartisan support. If enacted at all, it could be dramatically altered from its current form. Moreover, the FTC would then still have the work of writing and implementing regulations. And the courts would get their say on its interpretation. We will continue to update you as we learn more.