Monitoring the COVID-19 Consumer Data Protection Act

On April 30, 2020, the Senate Committee on Commerce, Science, and Transportation announced plans to introduce the COVID-19 Consumer Data Protection Act to regulate data collection and use during the COVID-19 pandemic. The proposed bill aims to provide data subjects with transparency, choice, and control over the collection and use of personal information including, health and geolocation-related data. Organizations would need to meet these obligations, as well as implement strong security practices around any personal information that is collected in relation to fighting the spread of the pandemic.

Scope and Purpose of the Bill

The bill is intended to target companies under the jurisdiction of the Federal Trade Commission (FTC) participating in the collection and use of personal health data, geolocation, and proximity data to track the spread of the pandemic for a “covered purpose”. The Senate Committee on Commerce, Science, and Transportation defines a “covered purpose” as any data collected for treatment or prevention of the virus, measurement of individual compliance to COVID-related laws, or contact tracing.

Although the bill may apply to organizations already under obligation to protect sensitive health-related information, such as healthcare organizations currently under the jurisdiction of the Health Insurance Portability and Accountability Act (“HIPAA”), or organizations under the scope of the EU’s General Data Protection Regulation (“GDPR”), by applying to all businesses under the jurisdiction of the FTC, the bill is broad in scope. If collected by organizations, information related to COVID-19 test status, as well as other potentially sensitive personal information such as geolocation and proximity to others, would be protected in a new range of contexts and industries. The legislation would give Americans increased control over the collection and use of their personal information as well as hold participating businesses accountable to individual data subjects if their personal information is used to track the COVID-19 pandemic.

Impact to Businesses

All businesses under the jurisdiction of the FTC need to consider their legal basis for any collection, use, and sharing of healthcare-related personal information, as well as the security practices they will employ to safeguard such sensitive information. Some organizations may not have previously considered such special protections if not within the jurisdiction of a privacy regulation such as HIPAA or GDPR. The proposed bill would authorize state attorneys general to enforce the following requirements for businesses under FTC jurisdiction:

  • To collect, process, or transfer personal information as defined by the bill, businesses must obtain affirmative express consent from impacted individuals;
  • At the point of collection, businesses must disclose to impacted individuals the details on how their data will be handled, transferred, and retained;
  • Businesses must clearly define aggregate and de-identified data, and adopt technical and legal safeguards to protect impacted data from being re-identified;
  • Businesses must provide individuals with the ability to opt-out of the collection and use of their personal health, geolocation, or proximity data;
  • Businesses must provide reports to the public describing company data collection activities related to the pandemic;
  • Data security and data minimization standards must be applied by businesses to any personally identifiable information collected; and
  • Businesses must securely dispose of all personally identifiable information when it is no longer used to track and combat the spread of the pandemic.

Key takeaways for businesses will be the need to enhance privacy notices and consent management practices, to ensure they are providing sufficient transparency and control over personal health, geolocation, and proximity information. Documenting and ensuring the legal basis of all data collection, processing activities, and data sharing with third parties that is done in relation to the pandemic will be key. As part of validating the information life cycle, businesses would also need to ensure appropriate technical controls and standards are in place to protective sensitive information, including an effective data security program and data minimization standards. Businesses should ensure they are collecting, processing, and retaining only the minimum data needed to accomplish clearly defined, documented, and legal purposes.

Potential Challenges for the Bill’s Passage

The federal government has run into many challenges in attempting to legislate data privacy on a national scale, despite pressures stemming from a variety of sources. The enactment of the GDPR in Europe and the passing of the California Consumer Privacy Act (“CCPA”) in the US have led a range of voices across industries to advocate for a common, unified approach to consumer rights, transparency, and data security in the US. Although Republicans and Democrats have previously reached consensus on the need for federal privacy laws, they frequently differ in their approaches to implementation and enforcement.

An interesting challenge for the bill in question relates to its enforcement: the Senate Committee  on Commerce, Science, and Transportation suggests enforcement would be left to the FTC and state attorneys general, whereas Democrats at the state level have pushed for private rights of action for similar bills in the past. The CCPA is a good example of this kind of approach – as a high-profile US privacy law recently passed, it provides a private right of action for instances of non-compliance, rather than being enforced by a state, federal, or industry authority. This may influence how new privacy regulations such as the COVID-19 Consumer Data Protection Act are enforced in the future.

Conclusion

Both the feasibility and future of the COVID-19 Consumer Data Protection Act appear uncertain. Regardless of the bill’s success, some experts suggest its introduction could not only sway attitudes in Congress towards a federal privacy regulation, but also provide organizations with an effective road map to develop new data privacy programs. Implementing the safeguards proposed by the bill will not be easy for many organizations, however, despite these new challenges, the benefits will allow sensitive personal information to be collected in a way that builds and maintains trust between organizations and individual data subjects. The proposed legislation will also provide an opportunity for impacted organizations to be presented with a strong business case to make enhancements to their data privacy and security programs, and may also even pave the way for future proposals on a federal privacy regulation, with an even broader scope beyond COVID-19 related data collection.