We are continuing to monitor changes to data protection laws and required compliance activities throughout the COVID-19 pandemic. As a follow up to our previous posting Timeline for Selected Global Privacy Compliance Activities in Light of COVID-19 published on April 17, we note that the United States Sen. Roger Wicker, R-Miss., chairman of the Senate Committee on Commerce, Science, and Transportation, on April 30 announced his intention to introduce the “COVID-19 Consumer Data Protection Act”. The new bill will contain protections for the personal information that is particularly at issue given the COVID-19 pandemic, including health, geolocation, and proximity data with the ultimate goal of providing U.S. citizens with more transparency, choice, and control over the collection and use of their personal information holding businesses directly accountable to their consumers.
According to the bill’s accompanying press release, “the “COVID-19 Consumer Data Protection Act” would:
- Require companies under the jurisdiction of the Federal Trade Commission to obtain affirmative express consent from individuals to collect, process, or transfer their personal health, geolocation, or proximity information for the purposes of tracking the spread of COVID-19.
- Direct companies to disclose to consumers at the point of collection how their data will be handled, to whom it will be transferred, and how long it will be retained.
- Establish clear definitions about what constitutes aggregate and de-identified data to ensure companies adopt certain technical and legal safeguards to protect consumer data from being re-identified.
- Require companies to allow individuals to opt out of the collection, processing, or transfer of their personal health, geolocation, or proximity information.
- Direct companies to provide transparency reports to the public describing their data collection activities related to COVID-19.
- Establish data minimization and data security requirements for any personally identifiable information collected by a covered entity.
- Require companies to delete or de-identify all personally identifiable information when it is no longer being used for the COVID-19 public health emergency.
- Authorize state attorneys general to enforce the Act.”
The “COVID-19 Consumer Data Protection Act” comes on the heels of several attempts to enact a federal data privacy law and while it remains to be seen whether the bill will garner the necessary support to ultimately become law, it is clear that data privacy and consumer protections remain a critical issue for both lawmakers and consumers even in light of a worldwide pandemic.
As this bill makes its way through committee and House and Senate debate, we will continue to provide updates on our blog.