The United States Senate, Committee on Commerce, Science, and Transportation, conducted a hearing on “Enlisting Big Data in the Fight Against Coronavirus.” On April 30, 2020, the Republicans on the committee, Wicker, Thune, Moran, and Blackburn, proposed legislation to protect the privacy of consumers’ personal health information, proximity data, device data, and geolocation data during the coronavirus public health crisis called “COVID-19 Consumer Data Protection Act of 2020.” On May 14, 2020, Democrats from both chambers of Congress proposed their own COVID-19 related privacy measure, the “Public Health Emergency Privacy Act.”
Despite the partisan divide, both proposals include explicit consent requirements from users before collecting, processing or transferring data for tracking efforts. Further, both proposals allow users to opt-out of data collection and require data minimization so that data should not be collected beyond what is necessary and proportionate to public health needs.
The Public Health Emergency Privacy Act (“the Democratic bill”) is broader in scope than the COVID-19 Consumer Data Protection Act of 2020 (“the Republican bill”). The Democratic bill would include both private and public entities as covered entities. The Republican bill exempts public entities. The Democratic bill covers more data, as well. For example, the Republican bill excludes COVID-19 data collected pursuant to an employer-employee relationship.
Two other notable distinctions include enforcement and preemption. The Democratic bill includes a private right of action, with tiered damages ranging from one hundred dollars to five thousand dollars. The Republican bill reserves consumers with Federal Trade Commission and State Attorneys General for enforcement. It is not at all surprising that the contentious issue of preemption manifests itself once again in the two competing proposals. As we have discussed in a general fashion, Congressional Republicans are generally in favor of preempting all state privacy laws in order to prevent the emergence of CCPA copy-cat bills, where Congressional Democrats are prone to favoring a state’s ability to go beyond any federal law in granting consumers rights and corporate obligations. The Republican bill would preempt all differing state laws, regulations and requirements while the Democratic bill would preserve them.
Both proposals require covered entities to obtain affirmative express consent from individuals to collect, process, or transfer their personal health, geolocation, or proximity information for the purposes of tracking the spread of COVID-19. They also add disclosure requirements at the point of collection indicating how their data will be handled, to whom it will be transferred, and how long it will be retained. The Democratic bill and Republican bill both allow individuals to opt out of the collection, processing, or transfer of their personal health, geolocation, or proximity information. Similarly, both proposals establish data minimization and data security requirements for any personally identifiable information collected by the respective covered entity.
The Democratic and Republican proposals reflect a growing anxiety about the access government and private entities will have to personal information in response to COVID-19. An Axios-Ipsos poll conducted between May 8 and 11 found that 66% of respondents said they would be not at all or not be very likely to use a contact tracing system made by major tech companies.