In short, "contact tracing" is epidemiological sleuthing.1 The CDC and other health officials say contact tracing is a critical element in mitigating the spread of the coronavirus disease. Simply put, public health workers in the role of "contact tracer" will have the job of identifying COVID-19 positive individuals, tracking down the people the infected person came in contact with, and advising them to self-isolate for up to 14 days to see if they develop COVID-19 symptoms. With infections closing in on 1.5 million U.S. citizens, an army of healthcare workers and contact tracers will be needed to conduct diagnostic testing, tracing, and notifications. This need has led 36 members of the House of Representatives to propose the TRACE Act ("COVID-19 Testing, Reaching, and Contacting Everyone Act," H.R. 6666, May 1, 2020), which seeks $100 billion in 2020 to allow the Health and Human Services Secretary to award grants to "eligible entities" for mobile health units to conduct diagnostic testing for COVID-19, to trace and monitor the contacts of infected individuals, and to support the quarantine of such contacts while complying with the existing HIPAA health information privacy and security frameworks.

Technology businesses Apple and Google are also ramping up their contact tracing efforts.2 According to PC Magazine3, Google and Apple are working on a cross-platform contact-tracing system that can work across 3 billion smartphones. It uses an application programming interface (API) that public health organizations can use to develop apps that collect data and send out alerts without identifying COVID-19 positive individuals or their geolocation data. Rather, tracing is done using beacons sent out by opt-in individuals' smartphones, which generate random Bluetooth identifiers (a string of random numbers that are not tied to a user's identity) every 10 to 20 minutes. The question of whether contact-tracing apps will work depends in large part on U.S. citizens choosing to opt in.

One of the obvious elements of contact tracing is that it is only as effective as the amount and accuracy of the data it gathers. So, widespread use is one key to its success. For some, voluntarily disclosing their COVID-19 status is not a personal privacy concern. However, for others it may be. This tension between the competing interests of fighting this global pandemic and respecting individuals' desires to keep their personal information private has led four U.S. Senators (Roger Wicker, R-Miss., John Thune, R-S.D., Jerry Moran, R-Kan., and Marsha Blackburn, R-Tenn.) to announce plans to introduce the COVID-19 Consumer Data Protection Act (the "CCDPA"), which purports to balance the innovative ideas being explored to operationalize contact tracing on a large scale with maintaining U.S. citizens' privacy protections.4

As currently written, the CCDPA, if enacted, will only apply for as long as the Health and Human Services Secretary maintains the present COVID-19 public health emergency. The CCDPA applies to any person or entity that (a) is subject to regulation by the Federal Trade Commission ("FTC"), is a common carrier, or is a non-profit organization AND (b) collects, transfers, or processes covered data for a covered purpose. While most of the existing comprehensive data privacy legislation, such as the GDPR and CCPA, broadly defines "personal information," the CCDPA's definition of "covered data" is limited to precise geolocation data, proximity data, and personal health information when it is collected, processed or transferred for a "covered purpose."

The covered purposes, as may be carried out by covered entities, include the following:

  1. Collecting, processing, or transferring covered data of an individual to track the spread, signs, or symptoms of COVID-19;
  2. Collecting, processing, or transferring covered data of an individual to measure compliance with social distancing guidelines or other requirements related to COVID-19 that are imposed on individuals under a federal, state or local government order; or
  3. Collecting, processing, or transferring covered data of an individual to conduct contact tracing for COVID-19 cases.

While the CCDPA is limited in its duration, scope and application, it shares the principles of consent and transparency that are the cornerstones of GDPR and similar legal privacy frameworks. That is, the CCDPA requires covered entities engaged in regulated activities to give prior notice to, and receive express consent from, the consumer for such collection, processing, or transfer. Additionally, all covered entities will be required to (i) operationalize data management systems, including publishing a privacy policy, minimizing the types of data collected, establishing reasonable technical and physical data security policies and practices, and adopting data deletion/deidentification protocols; (ii) respect individuals' data rights to the extent an individual seeks to opt out or revoke prior consent; and (iii) publish monthly reports of the aggregated data the covered entity collected, processed, and/or transferred.

The CCDPA is clearly directed at the sensitive personal information that will be needed to respond to the COVID-19 crisis in the form of contact tracing technology. Sen. Richard Blumenthal (D., Conn.) is quoted as saying, "This crisis has made urgently clear the need for strong, reliable protections for privacy and security of personal data. I share concerns about misuse and abuse of health and location data collected during this pandemic."

While some see the CCDPA's focus as a critical component of public health initiatives driven by technology, critics see its protections as too limited, its enforcement as underfunded, and the bill as unnecessarily preemptive of states' abilities to enact stricter consumer privacy protections.5

On May 14, 2020, Congressional Democrats introduced an alternate piece of legislation designed to foster more public trust in contact tracing to encourage usage. The bill is entitled The Public Health Emergency Privacy Act ("PHEPA") and would mandate that all data collected through contact tracing apps (health status, geolocation, proximity, and demographic data) be limited to public health use and prohibit the use of health data for any discriminatory, unrelated, or intrusive purposes (such as restricting participants' and non-participants' right to vote), such as commercial advertising or efforts to bar access to employment, insurance, and other non-public health related usage. Similar to the CCDPA, the PHEPA would require data collectors and processors to get participants' express consent and encourage transparent privacy and security practices. But unlike the CCDPA, PHEPA will not preempt states' rights to enact stricter legislation. It empowers the FTC with rulemaking authority on the topic, and creates a private right of action for U.S. citizens who are injured as a result of the negligent or reckless misuse of their personal data. It is unfortunate that it has taken the coronavirus pandemic and the mitigation of contact tracing for Congressional leaders to recognize the importance of a federal framework for personal data protections, and that any such legislation will likely be short-lived. But it is an urgent dialogue that needs to be had on the road to a comprehensive U.S. approach to personal data protections.

The coronavirus epidemic and the economic and societal havoc it is creating in the U.S. are a present reality. It is also clear that data, technology, and contact tracing will be essential tools in containing its spread. The CCDPA and PHEPA attempt to balance this technology need with personal information privacy concerns. We will continue to monitor the status of this pending legislation.