Recently, four U.S. Senators introduced the COVID-19 Consumer Data Protection Act to provide “transparency, choice, and control” over the collection and use of American’s data. Without a nationwide federal privacy law, companies have been left to speculate how to handle COVID-19 data. FTC commissioner Christine Wilson urged companies that collect COVID-19 data to clearly disclose what particular data is being collected, and when it will be deleted. However, there is no official FTC guidance or law requiring such actions.
Enter, the COVID-19 Consumer Data Protection Act of 2020. According to the drafters, the act seeks to “strike the right balance between innovation—allowing technology companies to continue their work toward developing platforms that could trace the virus and help flatten the curve and stop the spread—and maintaining privacy protections for U.S. citizens.”
The Act would apply to any person or entity that is:
- covered by the Federal Trade Commission Act; or
- a common carrier, or
- a nonprofit organization;
- collects, transfers, or processes covered data
What kind of data would the COVID-19 Consumer Data Protection Act cover?
The Act would only apply to personal health information, proximity data, and geolocation data used to track the spread, signs, or symptoms of COVID-19; to measure compliance with social distancing guidelines or other government-imposed COVID-19 requirements; or to conduct COVID-19 contact tracing.
What would the COVID-19 Consumer Data Protection Act do?
The Act contains a multitude of obligations for companies across all sectors of the US. Specifically, the Act would:
- Require companies to obtain affirmative express consent from individuals to collect, process, or transfer their personal health, geolocation, or proximity information for the purposes of tracking the spread of COVID-19.
- Direct companies to disclose to consumers at the point of collection how their data will be handled, to whom it will be transferred, and how long it will be retained.
- Establish clear definitions about what constitutes aggregate and de-identified data to ensure companies adopt appropriate safeguards to protect re-identification of consumer data.
- Require companies to adopt opt-out policies for individuals relating to the collection, processing, or transfer of their personal health, geolocation, or proximity information.
- Direct companies to provide transparency reports to the public describing their data collection activities related to COVID-19.
- Establish data minimization requirements for any personally identifiable information collected by a covered entity.
- Require companies to delete or de-identify all personally identifiable information when it is no longer being used for COVID-19 purposes.
Similar to other federal privacy regulations, the bill contains a provision that would preempt of state privacy laws to the extent that they conflict with these new federal protections. However, unlike other privacy regulations, the Act is designed to be temporary. It would only apply during the COVID-19 Public Health Emergency as declared by the Secretary of Health and Human Services. The Act would be enforced by both the FTC and state Attorneys General.
Is it likely to pass?
It is too early to tell. With the attention of legislatures focused on the hotly contested Heroes Act and Paycheck Protection Flexibility Act, this bill is likely to take a back seat in the immediate future. Adding to that, the bill was introduced without bi-partisan support. Therefore, it would likely have to undergo significant negotiations and revisions before any vote even takes place.
Update: The bill has seen no activity since its introduction over one year ago, and can safely be assumed dead.