Senators Maria Cantwell (D-WA) and Bill Cassidy (R-LA) introduced bipartisan legislation this week to address privacy issues in the COVID-19 era.  The proposal, entitled the “Exposure Notification Privacy Act,” would regulate “automated exposure notification services” developed to respond to COVID-19.  This bipartisan legislation comes on the heels of dueling privacy proposals from both political parties.  We previously analyzed the Republican “COVID-19 Consumer Data Protection Act” proposal introduced by Senate Commerce Chairman Roger Wicker (R-MS) on this blog and the Democratic “Public Health Emergency Privacy Act” proposal on this blog.

Below are descriptions of the notable provisions in the Exposure Notification Privacy Act:

  • In contrast to the Wicker proposal and the proposal introduced by House and Senate Democrats, both of which would cover symptom tracking and other apps, this new bipartisan proposal would be narrower by only regulating operators of so-called “automated exposure notification services.”  This is defined as any website or mobile application designed for use or marketing to digitally notify “an individual who may have become exposed to an infectious disease.”  Operators can be both for-profit and non-profit entities.
  • However, the definition of covered personal data is broader than some earlier proposals that only covered certain categories of health and location data. The new proposal covers all data linked or reasonably linkable to any individual or device that is “collected, processed, or transferred in connection with an automated exposure notification service.”  This definition is broader than the Republican proposal, which defined covered data to include health information, geolocation data, and proximity data.  It is also broader than the Democratic proposal, which included the same data elements as the Republican proposal while also covering certain medical testing data and contact information.
  • Like the Democratic and Republican proposals, many of the bipartisan proposal’s key requirements are consistent with existing federal or state privacy requirements or norms, including obligations to post a clear and conspicuous privacy policy and to maintain reasonable data security policies and practices.  It also requires data minimization.
  • Under the bipartisan bill, operators may not enroll individuals in automated exposure notification services without their affirmative express consent, which is the same as both the Democratic and Republican proposals.
  • However, the new proposal could curtail the ability of technologies to collect, process, or share an actual, potential or presumptive positive diagnosis of an infectious disease except when such diagnosis is confirmed by a public health authority or a licensed health provider.
  • The proposal requires operators to “collaborate with a public health authority in the operation” of their notification service.
  • The bill includes certain transfer restrictions.  Covered data may only be transferred for certain enumerated purposes, such as to notify enrolled individuals of potential exposure to an infectious disease, or to public health authorities or contracted service providers.
  • The bill obligates operators to delete all covered data upon request of the individual, as well as within 30 days of the receipt of such data, on either a rolling basis or “at such times as is consistent with a standard published by a public health authority within an application jurisdiction.”  Such deletion requirements do not apply to data retention for public health research purposes.
  • The bill distinguishes between operators and service providers, and only a subset of obligations—such as data deletion requirements—apply to service providers.  Service providers with “actual knowledge” that an operator has failed to adhere to certain standards required under the proposal would be obligated to notify the operator of the potential violation.
  • Similar to the Democratic proposal, this bill makes it unlawful for “any person or entity” to discriminate on the basis of “covered data collected or processed through an automated exposure notification service” or their choice “to use or not use” such a service.
  • While the Democratic and Republican proposals imposed public reporting obligations on covered entities, this bipartisan proposal would require such an obligation on the federal Privacy and Civil Liberties Oversight Board.  Under the proposal, the Board would be required to issue a report within one year after enactment that assesses “the impact on privacy and civil liberties of Government activities in response to the public health emergency related to” COVID-19 and makes recommendations for the future.

As with both the Republican and Democratic proposals, the Exposure Notification Privacy Act's enforcement provisions name both the Federal Trade Commission and state Attorneys General.  Notably, the Act preserves the right of individuals to bring claims arising under various state laws, including consumer protection laws, health privacy or infectious disease laws, civil rights laws, state privacy and data breach notification laws, and contract or tort law.