As the COVID-19 pandemic presses on, legislators and regulators continue to remind the public of the importance of data security and privacy protections. On April 30th, U.S. Senator Roger Wicker (R-Miss), Chairman of the Senate Committee on Commerce, Science, and Transportation, announced plans to introduce (jointly with several co-sponsors) the COVID-19 Consumer Data Protection Act. The bill aims to provide consumers with greater “transparency, choice, and control” over their health, geolocation and proximity data. Further, the bill would impose data privacy and security requirements on businesses that handle personal data related to COVID-19.

The text of the bill has not yet been released to the public, however according to Senator Wicker’s announcement, the COVID-19 Consumer Data Protection Act would:

  • Require companies under the jurisdiction of the Federal Trade Commission to obtain affirmative express consent from individuals to collect, process, or transfer their personal health, geolocation, or proximity information for the purposes of tracking the spread of COVID-19.
  • Direct companies to disclose to consumers at the point of collection how their data will be handled, to whom it will be transferred, and how long it will be retained.
  • Establish clear definitions about what constitutes aggregate and de-identified data to ensure companies adopt certain technical and legal safeguards to protect consumer data from being re-identified.
  • Require companies to allow individuals to opt out of the collection, processing, or transfer of their personal health, geolocation, or proximity information.
  • Direct companies to provide transparency reports to the public describing their data collection activities related to COVID-19.
  • Establish data minimization and data security requirements for any personally identifiable information collected by a covered entity.
  • Require companies to delete or de-identify all personally identifiable information when it is no longer being used for the COVID-19 public health emergency.
  • Authorize state attorneys general to enforce the Act.

Although the bill focuses exclusively on data related to the spread of COVID-19, its consumer protections are similar in kind to those provided for in the California Consumer Protection Act (CCPA), including, for example, notice requirements, a consumer’s right to opt out, data security obligations and more.

“While the severity of the COVID-19 health crisis cannot be overstated, individual privacy, even during times of crisis, remains critically important…This bill strikes the right balance between innovation – allowing technology companies to continue their work toward developing platforms that could trace the virus and help flatten the curve and stop the spread – and maintaining privacy protections for U.S. citizens,” stated Senator John Thune, a co-sponsor of the bill.

The bill is still in early stages of the legislative process, but may have greater success than some of the attempts at a federal consumer privacy law of late, given the urgency of the COVID-19 pandemic.

These are difficult times for many businesses, and while there has been significant flexibility from legislatures and regulators in certain areas of the law, the proposal of the COVID-19 Consumer Data Protection Act signals that data privacy and security protections continue to be a priority. Moreover, with the emergence of technologies such as contact tracing apps and social distancing wearables, increasingly used in the workplace to help limit the spread of COVID-19, collection of sensitive data related to the virus is almost inevitable. Organizations should be assessing and reviewing their data collection activities, and ensuring that a robust data protection program and written information security program (WISP) are in place.