Exposure Notification Privacy Act: Bipartisan Bill Introduced to Regulate Covid-19 Contact Tracing Apps

As cities across the country begin to reopen, companies and public health officials look for ways to combat the spread of COVID-19. One such way is through contact tracing apps.  Of course, such apps come with it the collection and transmission of large amounts of consumer health data.  Lawmakers have responded by introducing legislation to address user privacy concerns.

On June 1, 2020, Senators Maria Cantwell (D-WA) and Bill Cassidy (R-LA) introduced a bipartisan bill titled Exposure Notification Privacy Act (“ENPA”), which seeks to regulate contact tracing apps. The goal of the legislation is to “give[] Americans control over their data [and] put[] public health officials in the driver’s seat of exposure notification development.”

Notably, this is the third such legislation that has been introduced to protect the privacy of consumers’ personal health information during the COVID-19 pandemic.  The first of which was introduced on April 30, 2020, by Republican Senators called the COVID-19 Consumer Data Protection Act. This was followed two weeks later with legislation introduced by Democratic representatives called the Public Health Emergency Privacy Act.  We wrote about these two bills here: Consumer COVID Consent Creates Crucial Congressional Consensus: Details Differ.

Scope of the ENPA

The ENPA applies to companies that operate “automated exposure notification services,” which is defined as “a website, online service, online application, mobile application, or mobile operating system that is offered in commerce in the U.S. and that is designed, in part or in full, specifically to be used for, or marketed for, the purpose of digitally notifying, in an automated manner, an individual who may have become exposed to an infectious disease (or the device of such individual, or a person or entity that reviews such disclosures).”

The focus of ENPA is having robust privacy safeguards in place, preventing data misuse, and giving users control over the collection, transmission, and deletion of their health data.

Obligations of automated exposure notification services

Under the bill, companies that qualify as “automated exposure notification services” must do the following:

• Collaborate with Public Health Officials – The automated exposure notification service must collaborate with Public Health Officials to operate the service. However, at this time, it is unclear what the scope of the collaboration entails. It also requires that any diagnosis processed by an automated exposure notification service to be an “authorized diagnosis,” meaning the diagnosis must be confirmed by a public health official or a health care provider.
• Obtain consent – The ENPA requires “affirmative express consent” from the user to be enrolled in the service. It also requires the automated exposure notification service to provide users with a “clear and conspicuous” means to withdraw that consent.
• Privacy Policy - The ENPA also requires the automated exposure notification service to provide a privacy policy in a “conspicuous and readily accessible manner,” that details how it collects, processes, and transfers data.
• Data restrictions – The automated exposure notification service may not collect or process data: (1) beyond the minimum amount necessary to implement an automated exposure notification service for public health purposes; or (2) for any commercial purpose.
• Data security – The automated exposure notification service must also establish, implement, and maintain data security practices to protect the data collected. The data security practices required should include, at a minimum, a risk and vulnerability assessment, corrective action to mitigate risks and vulnerabilities, and data breach notification.
• Data deletion – The automated exposure notification service must regularly delete the data every 30 days or at such time consistent with a standard published by a public health authority within an applicable jurisdiction. It also must provide a method to allow users to request their data to be deleted.

Enforcement

The Federal Trade Commission (FTC) and State Attorney Generals will have enforcement authority under the ENPA.

The FTC has the power to enforce the law and pursue civil penalties for first-time violators. State Attorney Generals or other official or agency designated by a state may bring a civil action to enforce this act.

The Act also explicitly preserves common law and state statutory causes of action.

What to Expect Next  

Given that there are currently three competing bills seeking to regulate contact tracing apps, it is unclear how the three bills will be resolved.  Ultimately, the ENPA’s bipartisan support may give it the boost it needs to pass.  The challenge will be balancing the need to collect data to combat the spread of infectious diseases with lawmakers and the public’s concerns regarding privacy and cybersecurity.

The text of the bill can be found here.