Data collection and analysis is becoming a key weapon in the fight against COVID-19 both here in the United States and around the globe. But as governments and tech companies roll out a variety of applications and contact tracing tools, legislators from both sides of the political aisle are questioning how to handle the data being collected, analyzed, and shared. The following is a short summary of two recently-proposed pieces of federal legislation.
The COVID-19 Consumer Data Protection Act
On May 7, 2020, a group of Republicans introduced the COVID–19 Consumer Data Protection Act of 2020 (“CCDPA”). Assigned to the Senate Committee on Commerce, Science, and Transportation, the CCDPA has several key features.
What The CCDPA Covers:
- It covers to a wide range of organizations, including businesses under the Federal Trade Commission’s jurisdiction as well as non-profits and common carriers (“covered entities”).
- It covers a variety of types of data, including geolocation data, proximity data, persistent identifiers such as IP addresses or device IDs, and personal health information (“covered data”).
- It covers certain purposes or use cases, including the collection, processing, or transfer of covered data to (1) track the spread, symptoms, or signs of COVID-19; (2) measure compliance with social distancing guidelines; and (3) conduct contact tracing (“covered purposes”).
- It does not cover, among other things, data that is already protected by HIPAA and data collected by employers to determine whether employees may enter a physical location.
What The CCDPA Requires:
It makes it unlawful for a covered entity to collect, use, or transfer covered data for a covered purpose unless three requirements are met:
- Individuals receive notice prior to collection, use, or transfer of the data;
- Individuals give affirmative express consent; and
- The covered entity publicly commits to not collect, use, or transfer the data for any purpose.
The CCDPA also requires covered entities to update their privacy policies, to use reasonable security to protect the covered data, to use principles of data minimization, to provide an opt-out mechanism for individuals who previously consented, and to delete the data when it is no longer needed for the covered purposes.
Who Enforces The CCDPA:
The CCDPA does not include a private right of action and would be enforced by either the Federal Trade Commission or state attorneys general.
The Public Health Emergency Privacy Act
On May 14, 2020, members of the House and Senate introduced the Public Health Emergency Privacy Act (“PHEPA”). PHEPA has been referred to the House Energy and Commerce Committee as well as the Senate Health, Education, Labor and Pensions Committee.
What The PHEPA Covers:
Generally speaking, PHEPA would apply to certain entities that collect “emergency health data” (“EHD”). Importantly, “EHD” means (in brief) data that concerns the public COVID-19 public health emergency, which means the “outbreak and public health response pertaining to [COVID-19], associated with the emergency declared” by HHS in January of 2020, and “any renewals” or “subsequent declarations…related to the coronavirus.”
What The PHEPA Requires:
The PHEPA imposes restrictions and compliance obligations similar to those set forth in CCDPA. It limits the permissible purposes for collecting, using, and disclosing EHD, including reasonable safeguards to prevent unlawful discrimination based on EHD; requires reasonable security to protect EHD; requires reasonable measures to ensure EHD accuracy and a mechanism to correct inaccuracies; requires certain privacy policy disclosures and, if an organization has collected data of at least 100,000 individuals, certain additional disclosures every 90 days; and requires deletion of EHD upon the occurrence of specified events. The PHEPA generally also requires affirmative express consent prior to the collection, use, or disclosure of EHD (subject to limited exceptions) and requires a mechanism for individuals to revoke consent.
Who Enforces the PHEPA:
PHEPA would not preempt or supersede any requirements or authorizations under applicable federal or state laws and contemplates rule making by the FTC regarding EHD collected prior to the law’s enactment. PHEPA expressly does not apply to a covered entity or business associate under HIPAA, though PHEPA directs HHS to promulgate guidance on the applicability of similar requirements.
In addition to rule making authority, the FTC would have the authority to enforce the law along with state attorneys general.
Unlike the CCDPA, the PHEPA provides a private right of action for violations that constitute a concrete and particularized injury in fact to the individual.
The PHEPA Applies To The Government, Not Just Private Entities
Unlike the CCDPA, the PHEPA is not limited to private entities and would also regulate some governmental use, collection, and disclosure of EHD.
PHEPA also includes provisions focused on protecting voters’ rights. It prohibits government entities from denying, restricting, or interfering with (or attempting to do so), or retaliating against someone for, voting in an election, on the basis of EHD, an individual’s medical condition, or participation or non-participation in a program to collect EHD. PHEPA also prohibits covered organizations from knowingly facilitating such activities.