By: Henry Rademacher
Last week, a group of republican senators introduce a new data privacy bill, the COVID-19 Consumer Data Protection Act. Governments’ increasing use of contact tracing technology to mitigate the spread of COVID-19 is already proving to be controversial. Consumers have serious questions about issues like privacy, transparency, and effectiveness. According to its sponsors, the COVID-19 Consumer Data Protection Act is meant to answer these questions by providing Americans with “transparency, choice, and control over the collection and use of their personal health, geolocation, and proximity data.”
The COVID-19 Consumer Data Protection Act would:
- Require companies under the jurisdiction of the Federal Trade Commission to obtain affirmative express consent from individuals to collect, process, or transfer their personal health, geolocation, or proximity information for the purposes of tracking the spread of COVID-19.
- Direct companies to disclose to consumers at the point of collection how their data will be handled, to whom it will be transferred, and how long it will be retained.
- Establish clear definitions about what constitutes aggregate and de-identified data to ensure companies adopt certain technical and legal safeguards to protect consumer data from being re-identified.
- Require companies to allow individuals to opt out of the collection, processing, or transfer of their personal health, geolocation, or proximity information.
- Direct companies to provide transparency reports to the public describing their data collection activities related to COVID-19.
- Establish data minimization and data security requirements for any personally identifiable information collected by a covered entity.
- Require companies to delete or de-identify all personally identifiable information when it is no longer being used for the COVID-19 public health emergency.
- Authorize state attorneys general to enforce the Act
The bill’s sponsors are Roger Wicker, R-Miss., John Thune, R-S.D, Jerry Moran, R-Kan, and Marsha Blackburn, R-Tenn., all of whom have been long-time advocates for comprehensive federal legislation to address data privacy.
Although Democrats and Republicans frequently cite data privacy as an issue that should be handled at the federal level, disagreement over how to handle it has resulted in Congress continuing to punt the football. The 116th Congress (2019-2020) has seen no fewer than eleven data privacy bills introduced, with none advancing beyond a referral.
The COVID-19 Consumer Data Protection Act excludes two controversial provisions that have torpedoed previous bills, federal preemption of state laws, and the “private right of action” allowing consumers to sue companies for privacy violations. While these exclusions may be viewed as a signal that Republicans are willing to negotiate in order to get legislation passed, Democrats are unlikely to support the COVID-19 Consumer Data Protection Act in its current state. Sources have indicated that Senate Democrats view the inclusion of a private right of action as non-negotiable in any federal bill on data privacy.
As states continue to pass their own laws on data privacy, businesses and consumers are becoming increasingly entangled in a patchwork system of differing laws and regulations. The confusion caused by these various laws, most famously the California Consumer Privacy Act (CCPA), is projected to result in companies paying astronomically high compliance costs. While the biggest companies can afford these types of payments, startups and small businesses are likely to struggle or go out of business entirely.
It remains to be seen if the COVID-19 Consumer Data Protection Act will result in Democrats and Republicans having a serious negotiation on privacy legislation. But, the COVID-19 crisis would be a good time for them to do so. Contact tracing raises legitimate concerns about privacy and the government’s ability to administer such a program responsibly. The federal government would be better positioned to address those concerns if comprehensive legislation addressing data privacy was in place at the federal level.
Photo credit: Gage Skidmore (flickr)