The COVID-19 Consumer Data Protection Act
On May 7, 2020, U.S. Senators Roger Wicker (R-Miss.), chairman of the Senate Committee on Commerce, Science, and Transportation; John Thune (R-S.D.), chairman of the Subcommittee on Communications, Technology, Innovation, and the Internet; Deb Fischer (R-Neb.), chairman of the Subcommittee on Transportation and Safety; Jerry Moran (R-Kan.), chairman of the Subcommittee on Manufacturing, Trade, and Consumer Protection; and Marsha Blackburn (R-Tenn.), introduced the COVID-19 Consumer Data Protection Act of 2020 (“CCDPA”).
The goal of the CCDPA is to provide more “transparency, choice, and control” over the collection and use of personal health, device, geolocation, and proximity data. As currently drafted, the bill is intended to protect personal information related to contact tracing collected by companies that fall under the jurisdiction of the Federal Trade Commission (“FTC”). Contact tracing, according to the Centers for Disease Control and Prevention (“CDC”), is a disease control measure for preventing further spread of COVID-19 by tracking down all contacts of a confirmed COVID-19 case to test or monitor those contacts for infection.
The CCDPA would require companies under the jurisdiction of the FTC to obtain affirmative express consent from individuals to collect, process, or transfer their personal health, device, geolocation, or proximity information for the purposes of tracking the spread of COVID-19. This includes employee screening data by employers subject to FTC jurisdiction.
If passed, the CCDPA would remain in effect while the public health emergency declared by the Secretary of Health and Human Services on January 31, 2020 remains in effect.
What Does the CCDPA Cover?
- A wide range of organizations, including businesses under the FTC’s jurisdiction as well as non-profits and common carriers
- A variety of types of data, including geolocation data, proximity data, persistent identifiers such as IP addresses or device IDs, and personal health information
- Certain purposes or use cases, including the collection, processing, or transfer of covered data to (1) track the spread, symptoms, or signs of COVID-19; (2) measure compliance with social distancing guidelines; and (3) conduct contact tracing
- It does not cover, among other things, data that is already protected by HIPAA and data collected by employers to determine whether employees may enter a physical location
What Does the CCDPA Require?
The CCDPA makes it unlawful for a covered entity to collect, use, or transfer covered data for a covered purpose unless:
- Individuals receive notice prior to collection, use, or transfer of the data
- Individuals give affirmative express consent; and
- The covered entity publicly commits to not collect, use, or transfer the data for any purpose
The CCDPA also requires covered entities to:
- Update their privacy policies
- Use reasonable security to protect the covered data
- Use principles of data minimization
- Provide an opt-out mechanism for individuals who previously consented; and
- Delete the data when it is no longer needed for the covered purposes
Who Will Enforce the CCDPA?
The CCDPA does not include a private right of action and would be enforced by either the FTC or a state attorney general.
The proposed legislation remains just a bill at the present time. The next stage is for the bill to be assigned to a committee where it will be debated. The introduction of the CCDPA signals that data privacy and security protection continue to be a priority.