Federal Privacy Bill to Focus on COVID-19

This is the fourth alert in a series of Bradley installments on privacy and cybersecurity developments arising from the COVID-19 pandemic. Click to read the first, second, and third installments.

Four United States senators announced Thursday that they would soon introduce the COVID-19 Consumer Data Protection Act. The act aims to protect consumers whose data is used to fight the pandemic. The senators have not yet released a final version of the bill, so for now we rely on the April 30 press release from Sens. Wicker (R-Miss.), Thune (R.-S.D.), Moran (R-Kan.), and Blackburn (R-Tenn.). According to the release, the legislation would:

• Require companies under the jurisdiction of the Federal Trade Commission to obtain affirmative express consent from individuals to collect, process, or transfer their personal health, geolocation, or proximity information for the purposes of tracking the spread of COVID-19.
• Direct companies to disclose to consumers at the point of collection how their data will be handled, to whom it will be transferred, and how long it will be retained.
• Establish clear definitions about what constitutes aggregate and de-identified data to ensure companies adopt certain technical and legal safeguards to protect consumer data from being re-identified.
• Require companies to allow individuals to opt out of the collection, processing, or transfer of their personal health, geolocation, or proximity information.
• Direct companies to provide transparency reports to the public describing their data collection activities related to COVID-19.
• Establish data minimization and data security requirements for any personally identifiable information collected by a covered entity.
• Require companies to delete or de-identify all personally identifiable information when it is no longer being used for the COVID-19 public health emergency.
• Authorize state attorneys general to enforce the act.

Health, geolocation, and proximity data are the bill’s focus. Similar to other bills — such as the CCPA — the backbone of the protections will be the notice-and-consent provisions.

It remains to be seen whether the act will expressly preempt state privacy laws. The scope of any preemption would likely be controversial and may require resolution in the courts. The senators also have not yet indicated whether the act will create for consumers a private right of action — private-right-of-action clauses have been controversial in privacy laws at both the state and federal level.

Stay tuned for updates as we learn more about this federal privacy bill.