Two weeks ago we wrote about proposed legislation, The COVID-19 Consumer Data Protection Act of 2020 (“CCDPA”), introduced by a group of senior Republican senators, which was designed to address privacy issues arising in the wake of the COVID-19 pandemic. In response, senior Democratic members of the Senate and House of Representatives introduced their own framework for protecting the privacy of individuals in light of the development of tools for tracking and containing the spread of the virus.
The Public Health Emergency Privacy Act
Senators Richard Blumenthal (D-CT) (Ranking Member of the Senate Commerce Committee’s Manufacturing, Trade and Consumer Protection Subcommittee) and Mark Warner (D-VA) (Vice Chairman of the Senate Intelligence Committee) lead a bicameral group of 10 lawmakers on a Democratic version of federal consumer privacy legislation as it relates to the coronavirus pandemic. The Public Health Emergency Privacy Act (the “PHEPA”), introduced on May 14, seeks to give individuals protection and control over their covered health data by adopting an express affirmative consent regime, along with enumerated requirements for businesses. For a helpful summary of the key similarities and differences between the PHEPA and the CCDPA, please see the Chamber Technology Engagement Center’s (C_TEC) COVID-19 Privacy Bill Comparison Chart.
Key Areas Covered
Generally, the PHEPA applies to a broader range of covered data and contains more comprehensive privacy protections than the CCDPA does. The CCDPA applies to geolocation data, proximity data, a persistent identifier and personal health information, and specifically excludes from coverage aggregated and de-identified data, employee screening data, business contact information and publicly available information. In contrast, the PHEPA applies to all CCDPA covered data, as well as emergency health data linked or reasonably linked to an individual or device that concerns the public COVID-19 health emergency, such as demographic data, individuals’ contact information, and other data collected from a personal device. In addition, the PHEPA applies to governmental entities seeking to collect, use and disclose covered data. Governmental entities were not included in the CCDPA.
Moreover, unlike the CCDPA, the PHEPA does not provide an exemption for covered data gathered by employers on their employees. The PHEPA’s coverage of the employer-employee relationship significantly expands the impact of the bill’s requirements and restrictions as compared to the CCDPA. As we wrote in our previous alert, the workplace will become a frontline for COVID-19 containment efforts, with many companies seeking to control the virus’s spread through employee temperature screening, social distancing monitoring and other measures. All the data collected, used and disclosed in connection with these containment efforts would be considered covered data under the PHEPA, but not under the CCDPA. Further, companies that use geolocation and proximity data to track the whereabouts of their employees, such as parcel, warehouse, common carrier and delivery services, would be required to obtain informed consent from their employees to continue such programs if such data is “collected in conjunction with other emergency health data.” Thus, companies should not simply tack COVID-19 health tracking systems or apps on to existing geolocation programs without first obtaining employee consent.
Data Collection, Use and Disclosure; Reporting
Similar to the CCDPA, the PHEPA would require all companies subject to Federal Trade Commission (“FTC”) jurisdiction, as well as common carriers and non-profit organizations, to give individuals prior notice of the purpose of collecting covered data, and obtain an affirmative express consent (“opt-in”) prior to collecting, using, or disclosing an individual’s covered data for the purposes of tracking the spread of COVID-19. In contrast to the CCDPA, however, the PHEPA includes a minimalist approach regarding the extent to which entities covered by the PHEPA can collect, use or disclose data. Specifically, the PHEPA requires covered entities to ensure their efforts are “necessary, proportionate, and limited for a good faith public health purpose.” Additionally, entities are directed to take reasonable measures to ensure the accuracy of the information and to provide individuals a mechanism for correction of inaccurate information. Also, within 30 days of an individual’s revocation of his or her consent under the PHEPA, the covered organization must destroy, or render not linkable, that person’s emergency health data. Both proposed bills include public reporting and data destruction requirements during the health emergency, with the CCDPA requiring a covered entity to issue a public report not later than 30 days after the enactment of the CCDPA, and at least once every 60 days thereafter, while the PHEPA requires issuance of a public report at least once every 90 days if a covered entity collects data on 100,000 or more individuals. Finally, under the PHEPA, to the extent the entity discloses the information to a governmental entity, such disclosure can only be to a public health authority and made for a good faith public health purpose.
Other Prohibitions; Anti-Discrimination
Unlike the CCDPA, the PHEPA would expressly prohibit the use of emergency health data covered by the legislation to deny (or attempt to deny), restrict or interfere with the right to vote in elections, and would also prohibit using such data for commercial purposes or in any manner that discriminates against an individual on the basis of such data. Further, the PHEPA would require the Secretary of Health and Human Services to report on the civil rights impact of the collection, use and disclosure of covered information in response to the COVID-19 public health emergency.
The implications of requiring affirmative opt-in consent of participants, which is contained in both bills, are the same with respect to the impact of such legislation on the government’s ability to contain and prevent the spread of COVID-19. Briefly, as discussed in our previous alert, the success of contact tracing technologies depends heavily on the participation of large numbers of individuals. Oxford University estimates that a country would need approximately 60% of its population to use the monitoring technology for it to be effective. However, according to a Washington Post-University of Maryland poll, nearly three in five Americans say they would be either unable or unwilling to use the infection-alert system under development by Google and Apple. If opt-in rates are as low in the U.S. as this poll suggests, it would be very challenging, under either the CCDPA or the PHEPA, to collect and use covered data for the purposes of containing the spread of COVID-19 as state-imposed quarantine measures are slowly being lifted.
As with the CCDPA, the PHEPA would provide enforcement authority to the FTC and state attorneys general (note that the PHEPA adds rulemaking authority to the FTC as well). The FTC would enforce the PHEPA through its existing authority, and state attorneys general would be barred from pursuing any action in which the FTC has initiated an action. However, unlike the CCDPA, the PHEPA provides a private right of action for individuals, and enumerates specific damages ($100-$1,000 for negligent conduct; $500-$5,000 for willful or intentional conduct, per violation), as well as attorneys’ fees and injunctive relief, for statutory violations. Further, contrary to the CCDPA, the PHEPA would not preempt state laws to the extent they also regulate the covered data contained in the PHEPA.
As we noted in our previous alert, many of the concepts contained in the PHEPA have been in other privacy legislation introduced during this Congress. As we see with the introduction of the Democratic legislation, the parties remain far apart on critical concepts like preemption, private right of action, the types of entities and data covered, and other consumer protections. This gap in the two bills is not likely to be closed in time for COVID-specific privacy legislation to be included in Congressional efforts to provide additional relief and economic stimulus. If legislation is not adopted, it may well fall on the FTC and each state’s attorney general to balance individuals’ privacy interests against the interests of utilizing technology to aid in tracing and containing the spread of the virus.
McGuireWoods has published additional thought leadership related to how companies across various industries can address crucial coronavirus-related business and legal issues.