US lawmakers propose temporary covid-19 privacy law

Five Republican senators have introduced a bill that would regulate contact-tracing apps and similar projects geared towards tracking the spread of covid-19.

The Covid-19 Consumer Data Protection Act would require companies to obtain user consent before using health and location data related to the novel coronavirus, disclose how such data will be used, allow users to opt out, and delete or de-identify data when it is no longer used for coronavirus-related purposes. The bill would only be in effect while covid-19 is designated as a public health emergency in the US.

The bill is narrow in scope, but where it does apply the protections are stronger than those offered by state laws like the CCPA, according to Covington & Burling partner Libbie Canter in Washington, DC.

The bill would largely apply to private companies under the jurisdiction of the Federal Trade Commission, not to government agencies building their own covid-19 tracking apps. Canter raised questions about how the bill would apply to public-private partnerships, which are common when it comes to contact-tracing tech.

“The law probably isn’t as clear as it could be about the distinction between data controllers and data processors,” Canter said. “If a private company is building an app on behalf of a public entity, the public entity isn’t subject to the law, but there are questions about the tech company acting as a data processor – not making decisions about how the data is used.”

Many privacy-related bills have been introduced in Congress over the last few years, but Canter said this one has a more plausible path to becoming law. Canter said privacy advocates have speculated that the bill may be included in a larger coronavirus relief package.

The five Republican senators said the bill is crucial to protect consumers as stay-at-home orders are lifted and contact-tracing technology is deployed to aid the reopening of the US economy.

“While the severity of the covid-19 health crisis cannot be overstated, individual privacy, even during times of crisis, remains critically important,” said Senator John Thune. “This bill strikes the right balance between innovation – allowing technology companies to continue their work toward developing platforms that could trace the virus and help flatten the curve and stop the spread – and maintaining privacy protections for US citizens.”

However, the opt-in model proposed by the bill has been met with some criticism. Some favour an opt-out model because contact tracing apps require widespread adoption to be effective.

“Unfortunately, the Covid-19 Consumer Data Protection Act … would require any contact tracing apps made by the private sector to obtain ‘affirmative express consent’ from consumers before collecting, processing, or transferring data,” said the Washington, DC-based Information Technology & Innovation Foundation – a pro-industry group – in a statement released on Monday.

The statement continued: “Mandating that Americans use an app would raise immediate legal objections, but there is no reason to not enable them by default like so many other critical mobile phone updates.

“Tipping the scales in favour of participation would help such tools reach a critical mass.”

Get unlimited access to all Global Data Review content