Two Diverging Federal COVID-19 Privacy Bills Proposed


May 18, 2020

In recent days, Congress has introduced two divergent “emergency” bills to address privacy issues arising during the COVID-19 crisis. While both bills aim to protect personal data collected for the purposes of contact tracing and containing the spread of the illness, the bills – one led by Republicans, the other by Democrats – offer different approaches in key areas, including the scope of entities covered, preemption of state law, and whether to provide a private right of action. Given these differences, it is unlikely either bill will pass in its current form, barring significant concessions from each side of the aisle.

Here is a high-level summary of the key points addressed in each bill. The two bills are referred to below by bill number:

  • S.3663: COVID-19 Consumer Data Protection Act of 2020
  • S.3749: Public Health Emergency Privacy Act

Bill Sponsor(s)

  S.3663: Sen. Wicker (R-Miss.), Sen. Thune (R-S.D.), Sen. Moran (R-Kan.), Sen. Blackburn (R-Tenn.), Sen. Fischer (R-Neb.)

  S.3749: Sen. Blumenthal (D-Conn.), Sen. Warner (D-Va.), Rep. Eshoo (D-Calif.), Rep. Schakowsky (D-Ill.), Rep. DelBene (D-Wash.)

Current Status

  S.3663: Currently sitting in the Senate Commerce Committee. The bill is not scheduled for a hearing; however, Senator Wicker, the Committee’s Chairman, could bring the bill up for a hearing on short notice.

  S.3749: Referred to the Senate Committee on Health, Education, Labor, and Pensions.

Key Points Addressed

Who Is Covered

  S.3663 – Covered Entities:

  • Private sector entities that collect, process, or transfer “covered data,” or that determine the means and purposes for the collection, processing, or transfer of covered data.
  • Excluded: service providers.

  S.3749 – Covered Organizations:

  • Defined broadly to include private and public sector entities that collect or process “emergency health data” electronically, or that develop or operate a website, mobile application, or smart device application for the purposes of tracking, monitoring, contact tracing, or otherwise responding to the COVID-19 public health emergency.
  • Excluded: public health authorities (as defined in the bill), service providers, health care providers, people acting in their individual or household capacities, and people engaged in de minimis collection or processing of emergency health data.

What Data Is Covered

  S.3663 – Covered Data:

  • Precise geolocation data, proximity data, persistent identifiers, and personal health information.
  • Excluded: aggregated data, business contact information, de-identified data, employee screening data, and publicly available information.

  S.3749 – Emergency Health Data:

  • Data linked or reasonably linkable to an individual or device that concerns the COVID-19 public health emergency, including data inferred or derived about the individual or device from other collected data, provided such data is still linked or reasonably linkable to the individual or device.
  • Emergency health data would include health-related data, such as test result data, genetic data, and biometric data. It would also include contact-tracing data, geolocation data, and any other data collected from a personal device.

Obligations

  S.3663 – Covered Entities would generally be required, among other things, to:

  • Notice and consent: Provide an individual with prior notice of the purpose for collection, processing, or transfer of covered data; obtain affirmative express consent for such collection, processing, or transfer; and provide an effective mechanism for an individual to later revoke such consent.
  • Covered purposes: Publicly commit not to collect, process, or transfer covered data other than for the following covered purposes (subject to exception):
      – To track the spread, signs, or symptoms of COVID-19;
      – To measure compliance with social distancing guidelines or other requirements related to COVID-19; and
      – To conduct contact tracing for COVID-19 cases.
  • Transparency: Provide to an individual, prior to or at the point of collection, a privacy policy describing the covered entity’s practices regarding covered data.
  • Reporting: Issue a public report every 60 days providing certain aggregate data points and describing the entity’s covered data practices.
  • Reasonable security: Establish, implement, and maintain reasonable administrative, technical, and physical data security policies and practices to protect against risks to the confidentiality, security, and integrity of covered data.
  • Data deletion: Delete or de-identify all covered data when it is no longer being used for a covered purpose and is no longer necessary to comply with legal obligations or for the establishment, exercise, or defense of a legal claim.

  S.3749 – Covered Organizations would generally be required, among other things, to:

  • Data minimization: Only collect, use, or disclose emergency health data that is necessary, proportionate, and limited for a good faith public health purpose.
  • Consent: Obtain affirmative express consent for the collection, use, or disclosure of emergency health data, and provide an effective mechanism for an individual to later revoke such consent.
  • Prohibited uses: Not collect, use, or disclose emergency health data for certain commercial purposes, such as commercial advertising, or for purposes of discriminating in any place of public accommodation.
  • Transparency: Provide to an individual, prior to or at the point of collection, a privacy policy describing the covered organization’s practices regarding emergency health data.
  • Reporting: Covered organizations that collect, use, or disclose the emergency health data of at least 100,000 individuals would be required to issue a public report every 90 days providing certain aggregate data points and describing the organization’s emergency health data practices.
  • Reasonable security: Establish and implement reasonable data security policies, practices, and procedures to protect the security and confidentiality of emergency health data.
  • Data destruction: Destroy emergency health data within 60 days of the termination of HHS’ declared public health emergency, and within 30 days after an individual revokes consent.

Preemption

  S.3663: Preempts state privacy laws.

  S.3749: Does not preempt state privacy laws.

Enforcement

  Both bills: The FTC and state attorneys general would enforce.

Private Right of Action

  S.3663: Does not provide for a private right of action.

  S.3749: Provides a private right of action, with varied levels of statutory damages depending on whether the violation is negligent ($100-$1,000) or reckless, willful, or intentional ($500-$5,000).

Key Takeaway: While these two bills overlap in some respects, they differ significantly in others, most notably on the scope of covered entities, preemption of state law, and the availability of a private right of action. Orrick will continue to track these two diverging bills as they move through the legislative process. We will also continue to monitor the COVID-19 privacy legislation landscape generally. Please reach out with questions to a member of Orrick’s Cyber, Privacy & Data Innovation team.