Privacy Protection Acts Introduced in Connection with Contact Tracing

Written by Susan Kohn Ross and Timothy Carter

Across the globe, governments are harnessing surveillance-camera footage, mobile location data, and consumer purchase records to help track the recent movements of coronavirus patients, monitor those potentially exposed, and establish virus transmission chains. In China, for example, the government has installed surveillance cameras outside and inside quarantined individuals’ homes. A few thousand miles away, Israel’s internal security agency is primed to mine a cache of mobile phone location data, initially collected for counterterrorism operations, in order to pinpoint possible COVID-19 exposure among its citizens.

Even prior to the COVID-19 pandemic, surveillance technology has slowly crept its way into our daily lives. The best example of this subtle crossover is facial recognition, which now functions as a “convenience” feature, offering hands-free access to our mobile devices. Bluetooth trackers, long used by stores to measure and track crowd sizes, are being repurposed to enable contact tracing while maintaining some semblance of user privacy. As we have previously written, contact tracing works by identifying everyone a sick person may have potentially exposed, with the goal of identifying newly infected individuals before they become infectious to others. Even non-personally identifiable location data can provide a wealth of information to those collecting it, such as your age, profession, income level, and connections.

In light of these concerns, legislators on both sides of the political spectrum have introduced legislation to strengthen data security and privacy protection for the public. On April 30, 2020, Senator Roger Wicker (R-Miss), Chairman of the Senate Committee on Commerce, Science, and Transportation, and Sen. John Thune, (R-S.D.), Sen. Deb Fischer, (R-Neb.), Sen. Jerry Moran (R-Kan.), and Sen. Marsha Blackburn (R-Tenn.) jointly introduced As written, the COVID-19 Consumer Data Protection Act (“CCDPA”) would require companies under the jurisdiction of the Federal Trade Commission (“FTC”) to obtain the affirmative express consent from individuals prior to collecting, processing, or transferring their personal health, geolocation, or proximity information for the purposes of tracing the spread of COVID-19. Companies would also be responsible for disclosing at the point of collection how consumer data will be handled, transferred, and retained, while permitting individuals to opt out of the collection, processing, or transfer process. Companies subject to the CCDPA would also be responsible for deleting or de-identifying all personally identifiable information once it is no longer being used for COVID-19 purposes.

Not to be outdone, on May 14, 2020, House Representatives Anna G. Eshoo (CA-18), Jan Schakowsky (IL-09), Suzan DelBene (WA-01), and Senators Richard Blumenthal (D-CT), and Mark Warner (D-VA) introduced the (“PHEPA”), which, among other things, would protect personal data collected in connection with COVID-19 from being used for non-public health purposes. PHEPA provides for both public and private rights of action, permitting the FTC, state and public officials, and individuals alleging a violation of the Act to bring a civil action. Similar to the CCDPA, the PHEPA requires companies obtain the affirmative express (opt-in) consent from individuals prior to collecting, processing, or transferring their personal health, geolocation, or proximity information for the purposes of tracing the spread of COVID-19. In addition, companies would also be responsible for disclosing at the point of collection how consumer data will be handled, transferred, and retained; permitting individuals to opt out of the collection, processing, or transfer process; and destroying or deleting any data collected after the conclusion of the COVID-19 public health emergency. Finally, PHEPA also prohibits government entities from using any collected personal health information to deny, restrict, or interfere with an individual’s right to vote in a federal, state, or local election.

Both the CCDPA and PHEPA come at a time where bipartisan efforts to enact broader federal privacy protections have seemingly stalled. While it is unclear which (if any) of the proposed bills will be enacted, both the CCDPA and PHEPA provide a good start towards taking reasonable steps to ensure the public’s private health information is protected during the COVID-19 pandemic.