Senate Commerce Committee Chairman Roger Wicker is working on draft legislation that would regulate the collection and use of health and location information in connection with efforts to track and limit the spread of COVID-19. Some key highlights of the tentatively titled “COVID-19 Consumer Data Protection Act” include:

  • For the duration of the public health emergency, the bill would regulate companies that collect, process, or transfer certain health and location information for any of the following purposes: (1) to track the spread, signs, or symptoms of COVID-19; (2) to measure compliance with social distancing guidelines or other government-imposed requirements related to COVID-19; or (3) to conduct contact tracing for COVID-19 cases.
  • Many of the key requirements are consistent with existing federal or state privacy requirements or norms, including obligations to post a clear and conspicuous privacy policy, to obtain affirmative consent to collect the covered data elements, and to maintain reasonable data security policies and practices.
  • However, regulated companies would have certain new obligations. The most notable of these include the following:
    • An obligation to provide individuals the ability to revoke their consent to the collection, processing, or transfer of covered data for COVID-19 purposes. There are limited exemptions to this requirement. For example, there is not an express exemption from opt-out obligations for medical information collected by or on behalf of employers in connection with efforts to maintain a safe workplace. The U.S. Equal Employment Opportunity Commission issued guidance on March 18 stating that employers are allowed to conduct body temperature checks due to the pandemic and issued guidance on April 23 stating that employers may conduct diagnostic testing for COVID-19.
    • An obligation to delete covered data that is collected, processed, or transferred for COVID-19 purposes when it is no longer being used for such purpose. The draft does not expressly address a company’s obligations to delete covered data that is collected and processed for both COVID-19 and non-COVID-19 purposes.
    • An obligation to issue public reports every 30 days with certain information, including the aggregated number of individuals whose data has been processed for COVID-19 purposes.
    • Express data minimization requirements.
  • There are specific exemptions for aggregated, de-identified, and publicly available information. Otherwise, covered health and location information is defined to include the following:
    • Personal health information, which is defined as either genetic information or information relating to the diagnosis or treatment of the past, present, or future physical or mental health, or disability, of the individual that identifies or is reasonably linkable to an individual, but excluding information that is subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) or the Family Educational Rights and Privacy Act of 1974 (“FERPA”).
    • Precise geolocation data, which is defined as technologically derived information capable of determining with reasonable specificity the past or present actual physical location of an individual at a specific point in time.
    • Proximity data, which is defined as technologically derived information that identifies with reasonable specificity the past or present proximity of one individual to another.

The draft would rely on the Federal Trade Commission to enforce violations under Section 5 of the FTC Act, although common carriers and non-profit entities also would be regulated expressly even though they generally are not subject to Section 5 jurisdiction. In addition, state attorneys general would have the right to enforce the obligations, including to obtain civil penalties.

Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly-regulated sectors, including financial services and digital health companies. She counsels these companies — and their technology and advertising partners — on how to address legacy regulatory issues and the cutting edge issues that have emerged with industry innovations and data collaborations.

As part of her practice, she also regularly represents clients in strategic transactions involving personal data and cybersecurity risk. She advises companies from all sectors on compliance with laws governing the handling of health-related data. Libbie is recognized as an Up and Coming lawyer in Chambers USA, Privacy & Data Security: Healthcare. Chambers USA notes, Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”