U.S. Senators to Introduce a Federal “COVID-19 Consumer Data Protection Act of 2020”

A group of Republican Senators, led by Senator Roger Wicker of Mississippi, plan to introduce a “COVID-19 Consumer Data Protection Act of 2020” during the week of May 4.  The bill comes as privacy concerns grow over the bulk collection of personal data to trace the spread of the coronavirus.

The bill would apply to collection, processing, and transfer of precise geolocation data, proximity data, and personal health information (“covered data”) for the specified “covered purposes” during the COVID-19 public health emergency.  The “covered data” would not include information subject to the HIPAA regulations, information from education records subject to the FERPA, aggregate and de-identified data, and publicly available information.

The “covered purposes” under the Act would include collecting, processing, and/or transferring the covered data to (1) track the spread, signs, and symptoms of COVID-19; (2) measure compliance with social distancing guidelines; and (3) conduct contact tracing for COVID-19 purposes.

The Act would require that individuals receive prior notice and give “affirmative express consent” prior to collection, processing, or transfer or their covered data.   The companies would be required to provide an “opt out” mechanism for consented individuals and comply with the opt-out requests within 14 days.

The companies engaged in the collection, processing, or transferring of the covered data would be required to disclose in their privacy policies whether they transfer covered data for the covered purposes and the categories of recipients to whom the data is transferred; the general description of the company’s data retention practices with respect to such data; as well as their data security practices.  The companies would also be required to issue monthly public reports disclosing in aggregate terms the number of individuals whose covered data they collected, processed, or transferred;  the categories of covered data collected, processed, or transferred; the specific purpose for which data was collected, processed, and transferred; and to whom such data was transferred.

The companies would also be required to delete or de-identify the covered data when it is no longer necessary for the covered purposes, to minimize data collection to what is reasonably necessary, proportionate, and limited to carry out the covered purposes, as well as to establish, implement, and maintain reasonable security policies and practices to protect the confidentiality, security, and integrity of such data.

The Federal Trade Commission would have the authority to enforce the Act under the Federal Trade Commission Act.  The State Attorney General would also be granted authority to bring actions for injunctive relief and damages on behalf of the state residents.

As we recently reported, the U.S. government has been in discussions with Facebook, Google, and other tech companies to use geolocation and smartphone movement data to combat the coronavirus pandemic.  Currently, there is no law in the United States that would directly regulate any privacy implications from the use of these surveillance activities.  Even though it appears highly unlikely that the Congress will take on a comprehensive privacy legislation any time soon, the COVID-19 Consumer Data Protection Act of 2020 might just be the federal privacy bill to pass this year.

Ask Clarip today how we can solve your biggest compliance pain points, Call Clarip at 1-888-252-5653