As the federal, state, and local governments and industry grapple with how to respond to and prevent the spread of COVID-19, a group of senior Republican senators recently announced consumer privacy legislation designed to protect personal “covered data” collected from consumers relating to personal health, geolocation, and proximity. The proposed legislation is a response to contact tracing solutions aimed at tracking the virus and those who may have been exposed to it.

The COVID-19 Consumer Data Protection Act of 2020

Senate Commerce Committee Chairman Roger Wicker (R-MS), Communications, Technology, Innovation, and the Internet Subcommittee Chairman John Thune (R-SD), Consumer Protection, Product Safety, Insurance, and Data Security Subcommittee Chairman Jerry Moran (R-KS), and Senator Marsha Blackburn (R-TN), who sits on both the Commerce and Judiciary Committees, introduced the COVID-19 Consumer Data Protection Act of 2020 (the “Act”) on May 7. According to the sponsors, the legislation is intended to provide consumers more transparency, choice, and control over the collection and use of their personal data, and to hold businesses accountable to consumers if these businesses use personal COVID-19-related data for purposes unrelated to the pandemic. As Subcommittee Chairman Moran stated, “while many businesses have taken well-intentioned steps to develop technological solutions to tracking, containing and ending the COVID-19 pandemic, Congress must address potentially harmful practices that could stem from these innovations if not held accountable.”

Key Areas Covered (and Not Covered)

As outlined in the bill, the Act would require all companies subject to Federal Trade Commission (“FTC”) jurisdiction to give individuals prior notice of the purpose of collecting covered data, and to obtain affirmative express consent (“opt-in”) prior to collecting, processing, or transferring an individual’s covered data for the purposes of tracking the spread of COVID-19. The bill’s main focus will be to address consumer privacy by directing companies to disclose to consumers, at the point of collection, how their data will be handled, to whom it will be transferred, and for how long it will be retained.

Notably, employees are expressly excluded from coverage under the proposed legislation, as is “employee screening data” – a term defined to mean “data [that] is only collected, processed, or transferred by the covered entity for the purpose of determining, for purposes related to the COVID–19 public health emergency, whether the individual is permitted to enter a physical site of operation of the covered entity.”  The presence of this “employee screening data” exclusion is curious when juxtaposed against the exclusion for employees generally.  That is, with employees already being excluded from coverage, the additional exclusion for employee screening data seems superfluous, leaving businesses to wonder if there is some other purpose for the “double coverage” that is not immediately obvious.  However, it is possible this apparent conflict will be resolved through additional explanation in accompanying regulations or commentary.

The Act also requires each covered entity, within 14 days after the enactment of the Act, to publish or update its privacy policy to disclose the purpose for the collection of covered data and a general description of its data security practices. No later than 30 days after the enactment of the Act, and no less frequently than every 60 days, the covered entity must issue a public report describing aggregate statistics concerning the number of individuals that opted in, as well as the categories of data collected, processed or transferred, the specific purpose of such collection, and if transferred, to whom such data was transferred. Additionally, the proposed legislation would require deletion or de-identification of all personally identifiable information (PII) once it is no longer being used for the purposes of the COVID-19 public health emergency. It defines aggregate and de-identified data to ensure consumer data cannot be re-identified. In addition, companies would be required to provide public transparency reports describing their data collection practices as they relate to COVID-19.

Opt-in Implications

The “opt-in” approach to a covered entity’s access to and use of an individual’s covered data, while supportive of an individual’s privacy rights, may be detrimental to the underlying purpose of such collection efforts in the first place.  Companies such as Apple and Google are currently developing contact-tracing technologies that would identify COVID-19 positive individuals and notify others who may have been exposed, so those individuals can take appropriate responsive measures.  For such contact-tracing to be effective, it has to have a high adoption rate. A recent Wall Street Journal article quoted a senior researcher at Oxford University as saying that a country would need approximately 60% of its population to use the location tracker for it to be effective. Singapore, which released TraceTogether, an opt-in contact tracing app, found that, by mid-April, only about 20% of its residents had downloaded and used the app.  And if opt-in rates are similarly low in the U.S. (which may well be the case), it will be more challenging to collect and use the information to ultimately contain or slow the spread of COVID-19, and to prevent a resurgence in COVID-19 cases once state-imposed quarantine measures are lifted.

Enforcement

The bill would provide enforcement authority to the FTC and state attorneys general.  The FTC would enforce the Act through its existing authority, and state attorneys general would be barred from pursuing an action in any matter in which the FTC has initiated an action.  In addition, the Act would preempt state laws to the extent they are subject to the covered data contained in the Act.

Potential Obstacles

Many of the concepts contained in the Act have been in other privacy legislation introduced during this Congress.  While some of these concepts have enjoyed bipartisan support (transparency, consumer choice and greater control over their data), others have essentially stalled Congressional efforts to adopt a national privacy framework (preemption, FTC rulemaking authority, and private right of action).  One of the main areas of contention has been enforcement authority, and it remains to be seen whether the balance struck in this legislation will be able to overcome the differences between the parties on what the proper role is for the FTC and state attorneys general.  It is, however, worth noting that the legislation does not have a Democratic co-sponsor.  Another area that could attract negative attention is the employee exclusion discussed above.  As the economy reopens and employees return to work, the workplace will become a frontline for COVID-19 containment efforts.  A law that sidesteps critical employee privacy considerations in conducting these efforts may encounter significant resistance from privacy advocates.

Next Steps

The Senate returned on May 4 with committees resuming regular activities. Chairman Wicker may attempt to move this legislation through his Committee in order to include it in a forthcoming COVID-19 stimulus bill. However, due to continued partisan disagreement over the right balance of any consumer privacy legislation, it is highly unlikely there will be bicameral support to advance this particular legislation in its current form.  The success of this or any other bill will require more thoughtful consideration (and probably much partisan debate) over the appropriate balance between the critically important principles of attempting to advance COVID-19 containment efforts through contact-tracing, on the one hand, and protecting the privacy rights of individuals, on the other.

Further, in response to the Act, the Democrats have introduced a bicameral bill of their own to address contact tracing and privacy issues relating to the pandemic.  On May 14, Senators Richard Blumenthal (CT) and Mark Warner (VA), along with Representatives Anna Eshoo (CA) and Jan Schakowsky (IL), introduced the Public Health Emergency Privacy Act.  Stay tuned for our follow-up article outlining the provisions of this new bill and how it compares to the Act later this week.

McGuireWoods has published additional thought leadership related to how companies across various industries can address crucial coronavirus-related business and legal issues.