For years, the idea of a federal privacy law in the same vein as GDPR seemed to be a far-fetched dream. Then came the nightmare: coronavirus. As mobile device and other monitoring services are being considered for employers and retail because of the COVID-19 pandemic, the U.S. Senate announced a bill that would apply to the collection of American health, geolocation, and proximity information.
The COVID-19 Consumer Data Protection Act (the “Act”) aims to heighten protection for Americans’ data by imposing requirements on businesses similar to those seen in the GDPR and CCPA. Specifically, the Act is designed to protect information that constitutes “precise geolocation data, proximity data, and personal health information.” Any entity or person who “collects, processes, or transfers covered information” and is also subject to the Federal Trade Commission Act, is a common carrier subject to the Communications Act of 1934, or is a nonprofit organization would be subject to the law.
The Act protects information through “notice and consent” requirements, making it generally unlawful for any covered entity to “collect, process, or transfer the covered data of an individual” without prior notice and express consent. Specifically, covered entities would be required to disclose to consumers at the point of collection how their data will be handled, to whom it will be transferred, and how long it will be retained. The Act creates an exception for collection, processing, and transferring of covered data, without notice and consent, when necessary to comply with a legal obligation. In addition, state privacy laws that are more prescriptive than the federal protections will pre-empt the Act.
Covered entities will also need to provide a mechanism by which consumers may opt out of the collection, processing, or transfer of applicable data under the Act. Specifically, the Act also:
- includes clear definitions about what constitutes “aggregate” and “de-identified” data to ensure companies adopt certain technical and legal safeguards to protect consumer data from being re-identified;
- directs companies to publish transparency reports to the public describing their data collection activities related to COVID-19;
- requires companies to delete or de-identify all personally identifiable information when it is no longer being used for the COVID-19 public health emergency;
- authorizes state attorneys general to enforce the Act; and
- requires covered entities to put in place cybersecurity protections, directing them to “establish, implement, and maintain reasonable administrative, technical, and physical data security policies and practices to protect against risks to the confidentiality, security, and integrity” of the data covered by the law.
Whether it becomes law or not, the Act demonstrates a growing desire for guidance with respect to data collection. During the COVID-19 pandemic, as businesses take employee temperatures and track illnesses, some companies have struggled for guidance absent a federal consumer privacy law. Businesses have had to speculate whether data uses relating to the pandemic fulfill existing privacy standards. The language within the Act serves as a reminder of data collection best practices. For example, companies collecting data related to COVID-19 should explicitly disclose to consumers what particular data is being collected and when it will be deleted. In addition, pandemic-related data should be isolated from other information in order to better track and ultimately delete that information.
Although the proposed legislation applies only to health, proximity, and geolocation data during the COVID-19 pandemic, if enacted, the Act could pave the path toward a more permanent and comprehensive federal privacy law. Whether the Act will gain the necessary support to move forward remains to be seen and will hinge on the perceived effectiveness of the law in addressing the privacy concerns at issue. However, if previous attempts at federal privacy legislation are a guide, broad support is unlikely. Time will tell whether the specific circumstances of the pandemic make a difference.