July 11, 2020

Volume X, Number 193

July 10, 2020

Subscribe to Latest Legal News and Analysis

July 09, 2020

Subscribe to Latest Legal News and Analysis

July 08, 2020

Subscribe to Latest Legal News and Analysis

Bipartisan Bill Provides Privacy Protections for Users of Contact Tracing Tech

On June 1, 2020, U.S. Senators Maria Cantwell (WA) and Bill Cassidy (LA) introduced the Exposure Notification Privacy Act (the “Act”), bipartisan legislation that would impose requirements and restrictions on operators of automated exposure notification services. The bill defines automated exposure notification service as “a website, online service, online application, mobile application, or mobile operating system that is offered in commerce in the U.S. and that is designed, in part or in full, specifically to be used for, or marketed for, the purpose of digitally notifying, in an automated manner, an individual who may have become exposed to an infectious disease (or the device of such individual, or a person or entity that reviews such disclosures).” These services are commonly referred to as “contact tracing technology” because they are designed to provide alerts when a user comes in near-contact with someone who tested positive for an infectious disease, such as COVID-19.

The legislation would provide a number of privacy protections for users of automated exposure notification services, including (1) requiring user consent for the collection of information; (2) data deletion rights and other data deletion requirements; and (3) requiring notice of data breaches to users and the Federal Trade Commission (“FTC”).

The Act would also prohibit exposure notification services from collecting data “for any commercial purpose,” including targeted advertising. It would also promote user choice by prohibiting people from being prevented from entering a public place if they choose not to sign up for an automated exposure notification service. Under the law, operators of automated exposure notification services would be prohibited from releasing a service to the public if the service is not operated by or created in collaboration with public health authorities.

The FTC would be tasked with enforcing the Act and would be able to issue civil penalties. State attorneys general would also be able to enforce the Act.

Copyright © 2020, Hunton Andrews Kurth LLP. All Rights Reserved.National Law Review, Volume X, Number 157


About this Author

In today’s digital economy, companies face unprecedented challenges in managing privacy and cybersecurity risks associated with the collection, use and disclosure of personal information about their customers and employees. The complex framework of global legal requirements impacting the collection, use and disclosure of personal information makes it imperative that modern businesses have a sophisticated understanding of the issues if they want to effectively compete in today’s economy.

Hunton Andrews Kurth LLP’s privacy and cybersecurity practice helps companies manage data and...

212 309 1223 direct