COVID-19 Consumer Data Protection Act introduced in the U.S. Senate

On May 7, 2020, in the face of the ongoing COVID-19 pandemic and as some states are “opening up”, U.S. Sens. Roger Wicker (R-Miss.), chairman of the Senate Committee on Commerce, Science, and Transportation; John Thune (R-S.D.), chairman of the Subcommittee on Communications, Technology, Innovation, and the Internet; Deb Fischer (R-Neb.), chairman of the Subcommittee on Transportation and Safety; Jerry Moran (R-Kan.), chairman of the Subcommittee on Manufacturing, Trade, and Consumer Protection; and Marsha Blackburn (R-Tenn.), introduced the COVID-19 Consumer Data Protection Act of 2020.

The bill would provide more “transparency, choice, and control” over the collection and use of personal health, device, geolocation, and proximity data. Such data can reveal sensitive and personal information about the individual whose data is collected. The bill, as currently drafted, is specifically intended to protect personal information related to contact tracing collected by companies that fall under the jurisdiction of the Federal Trade Commission (“FTC”) (which are generally, with some exceptions, companies that are engaged in interstate commerce)[1]. According to the Centers for Disease Control and Prevention (CDC), contact tracing is a disease control measure and key strategy for preventing further spread of COVID-19, by finding all contacts of a confirmed COVID-19 case in order to test or monitor those contacts for infection.

As the pandemic continues to affect the United States, businesses are taking steps to develop technological solutions to track and help contain COVID-19 by gathering data of consumers and employees. The bill would hold businesses accountable if they use personal data in violation of the Act. The bill would also impose data privacy and security requirements on businesses that handle personal data related to COVID-19.

If passed, the Act would remain in effect while the public health emergency declared by the Secretary of Health and Human Services on January 31, 2020 remains in effect.

The COVID-19 Consumer Data Protection Act would:

  • Require companies under the jurisdiction of the FTC[2] to obtain affirmative express consent from individuals to collect, process, or transfer their personal health, device, geolocation, or proximity information for the purposes of tracking the spread of COVID-19. This includes employee screening data by employers subject to FTC jurisdiction.
  • Direct companies to disclose at the point of collection:
    • how individual data will be handled,
    • to whom it will be transferred, and
    • how long it will be retained.
  • Establish clear definitions about what constitutes aggregate and de-identified data to ensure companies adopt certain technical and legal safeguards to protect data from being re-identified.
  • Require companies to allow individuals to opt out of the collection, processing, or transfer of their personal health, geolocation, or proximity information.
  • Direct companies to provide transparency reports to the public describing their data collection activities related to COVID-19.
  • Establish data minimization and data security requirements for any personally identifiable information collected by a covered entity.
  • Require companies to publish a privacy policy with a general description of the data retention practices for covered data and their data security practices.
  • Require companies to delete or de-identify all personally identifiable information when it is no longer being used for the COVID-19 public health emergency.
  • Authorize state attorneys general to enforce the Act.

Currently, the proposed legislation remains just a bill. The introduction of the bill is only the beginning of a multi-step legislative process.[3] The next step is for the bill to be assigned to a committee where it will be debated within that committee.

These are uncertain times for many businesses, and while there has been significant flexibility from legislatures, regulators and courts in certain areas of the law, the introduction of the COVID-19 Consumer Data Protection Act of 2020 signals that data privacy and security protection continue to be a priority.

Even if the bill does not become law, it nevertheless contains several provisions that businesses may want to consider before deploying newly available technology to track COVID-19 infections. The bill likewise provides helpful guidance and potential best practices for employers that are planning to utilize new technology related to COVID-19 in the workplace. Stay safe!


[1] The FTC is authorized “to gather and compile information concerning, and to investigate from time to time the organization, business, conduct, practices, and management of any person, partnership, or corporation engaged in or whose business affects commerce, excepting banks, savings and loan institutions . . . Federal credit unions . . . and common carriers . . .” 15 U.S.C. Sec. 46(a). “Commerce” is defined as “commerce among the several States or with foreign nations.” Id. at § 44.

[2] Id.

[3] For a light-humored overview of the legislative process, you can check out the Schoolhouse Rock “How a Bill Becomes a Law” YouTube video.
