Senate Commerce Committee Chairman Roger Wicker is working on draft legislation that would regulate the collection and use of health and location information in connection with efforts to track and limit the spread of COVID-19.   Some key highlights of the tentatively titled “COVID-19 Consumer Data Protection Act” include:

  • For the duration of the public health emergency, the bill would regulate companies that collect, process, or transfer certain health and location information for any of the following purposes: (1) to track the spread, signs, or symptoms of COVID-19; (2) to measure compliance with social distancing guidelines or other government-imposed requirements related to COVID-19; or (3) to conduct contact tracing for COVID-19 cases.
  • Many of the key requirements are consistent with existing federal or state privacy requirements or norms, including obligations to post a clear and conspicuous privacy policy, to obtain affirmative consent to collect the covered data elements, and to maintain reasonable data security policies and practices.
  • However, regulated companies would have certain new obligations. The most notable of these include the following:
    • An obligation to provide individuals the ability to revoke their consent to the collection, processing, or transfer of covered data for COVID-19 purposes. There are limited exemptions to this requirement. Notably, there is no express exemption from opt-out obligations for medical information collected by or on behalf of employers in connection with efforts to maintain a safe workplace. The U.S. Equal Employment Opportunity Commission issued guidance on March 18 stating that employers are allowed to conduct body temperature checks due to the pandemic, and issued guidance on April 23 stating that employers may conduct diagnostic testing for COVID-19.
    • An obligation to delete covered data that is collected, processed, or transferred for COVID-19 purposes when it is no longer being used for such purpose. The draft does not expressly address a company’s obligations to delete covered data that is collected and processed for both COVID-19 and non-COVID-19 purposes.
    • An obligation to issue public reports every 30 days with certain information, including the aggregated number of individuals whose data has been processed for COVID-19 purposes.
    • Express data minimization requirements.
  • There are specific exemptions for aggregated, de-identified, and publicly available information. Otherwise, covered health and location information is defined to include the following:
    • Personal health information, which is defined as either genetic information or information relating to the diagnosis or treatment of past, present, or future physical, mental health, or disability of the individual that identifies or is reasonably linkable to an individual, but excluding information that is subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) or the Family Educational Rights and Privacy Act of 1974 (“FERPA”).
    • Precise geolocation data, which is defined as technologically derived information capable of determining with reasonable specificity the past or present actual physical location of an individual at a specific point in time.
    • Proximity data, which is defined as technologically derived information that identifies with reasonable specificity the past or present proximity of one individual to another.

The draft would rely on the Federal Trade Commission to enforce violations under Section 5 of the FTC Act, although common carriers and non-profit entities also would be regulated expressly even though they generally are not subject to Section 5 jurisdiction. In addition, state attorneys general would have the right to enforce the obligations, including to obtain civil penalties.