February 6, 2023

Volume XIII, Number 37


Congress Introduces Competing Bills to Regulate COVID-19 Contact Tracing Apps

Members of Congress recently introduced two competing bills to regulate COVID-19 contact tracing apps, each intended to give individuals greater transparency, choice, and control over their personal data.

Contact tracing apps, mobile apps that digitally track users' physical contacts with other individuals to identify potential exposures to COVID-19, are in the spotlight as a new way to slow the spread of the virus. While such apps could be a powerful tool in combating COVID-19, they also pose potentially serious privacy concerns. Members of Congress recently introduced two competing bills intended to provide users of such apps with greater transparency, choice, and control over their personal data.

What Are Contact Tracing Apps?

Contact tracing apps generally refer to mobile apps that can be downloaded to a user's smartphone, typically through the smartphone's app store, to digitally track the user's physical contacts with other individuals. Contacts are logged based on a pre-determined proximity range (e.g., within six feet of the user) and time period (e.g., ten minutes or longer). Most contact tracing apps rely on the smartphone's Bluetooth radio (to detect other phones nearby) or its geolocation capability (to record where the user has been). If a user of a contact tracing app is diagnosed with COVID-19, he or she can report that diagnosis through the app, and the app will then alert other users who were in proximity to the infected individual.

What Are Some of the Privacy Concerns Related to Contact Tracing Apps?

While contact tracing apps could be a boon in the fight against COVID-19, the technology also raises a number of privacy concerns. Contact tracing technology (and geolocation data in particular) can be invasive, especially when such data is maintained in a central database that can be accessed by others. Contact tracing apps also have the ability to collect more than the minimum information necessary to alert users of contact events with infected individuals. For example, some contact tracing apps collect biometric data and other sensitive personal data that could cause significant harm to the individual if the data is breached. Furthermore, even some of the most sophisticated contact tracing app technologies could permit the re-identification of infected individuals; a user who was in close contact with only one other person during the relevant period, for instance, can infer who triggered the alert.
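The mechanism described above (log a contact only when another phone is within the proximity range, count it only once the cumulative duration passes the threshold, then alert users who were near someone later diagnosed) is easier to reason about in code. The following simulation is an added example, not code from the article or from any real contact tracing app. It assumes one widely used decentralized design in which each phone broadcasts rotating identifiers derived from a secret daily key over Bluetooth, keeps its contact log on the device, and, when a user is diagnosed, uploads only that user's daily key so that other phones can match locally. The `Phone` class, the `derive_rpi` function, the ten-minute rotation interval, and the scenario data are all constructed for this example.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Thresholds taken from the article's illustrative numbers.
PROXIMITY_FT = 6.0   # only contacts at this distance or closer are logged
DURATION_MIN = 10    # cumulative minutes of close contact before an alert is warranted
# Assumption for this example: a phone rotates its broadcast identifier every
# 10 minutes and scans for nearby phones once per minute.
ROTATION_MIN = 10
MINUTES_PER_DAY = 24 * 60


def derive_rpi(daily_key, minute):
    """Rolling proximity identifier for the rotation interval containing `minute`.
    An HMAC output, so two identifiers from the same phone cannot be linked
    without the daily key."""
    interval = minute // ROTATION_MIN
    return hmac.new(daily_key, interval.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


class Phone:
    """A simulated handset: a secret daily key plus a local log of identifiers it heard."""

    def __init__(self, name, daily_key=None):
        self.name = name
        self.daily_key = daily_key if daily_key is not None else secrets.token_bytes(16)
        self.contact_log = defaultdict(set)   # rpi -> minutes at which it was heard nearby

    def broadcast(self, minute):
        """What this phone advertises over Bluetooth during `minute`."""
        return derive_rpi(self.daily_key, minute)

    def hear(self, rpi, minute, distance_ft):
        """Scan callback. `distance_ft` stands in for the radio's RSSI-based estimate;
        anything beyond the proximity range is discarded rather than logged."""
        if distance_ft <= PROXIMITY_FT:
            self.contact_log[rpi].add(minute)

    def exposure_minutes(self, published_keys):
        """Re-derive the day's identifiers for each diagnosed user's published key and
        count how many logged minutes match. Runs on the phone; the log never leaves it."""
        total = 0
        for key in published_keys:
            for minute in range(0, MINUTES_PER_DAY, ROTATION_MIN):
                total += len(self.contact_log.get(derive_rpi(key, minute), ()))
        return total

    def is_exposed(self, published_keys):
        return self.exposure_minutes(published_keys) >= DURATION_MIN


def run_simulation():
    """Constructed scenario: Bob is later diagnosed. Alice spends 15 minutes within
    4 ft of him, Carol 3 minutes, Dave 20 minutes but at 15 ft. Alice also meets
    Carol, who is never diagnosed. Returns {name: (matched minutes, alerted?)}."""
    alice = Phone("alice", b"A" * 16)
    bob = Phone("bob", b"B" * 16)
    carol = Phone("carol", b"C" * 16)
    dave = Phone("dave", b"D" * 16)

    for minute in range(100, 115):
        alice.hear(bob.broadcast(minute), minute, distance_ft=4.0)
    for minute in range(100, 103):
        carol.hear(bob.broadcast(minute), minute, distance_ft=3.0)
    for minute in range(100, 120):
        dave.hear(bob.broadcast(minute), minute, distance_ft=15.0)
    for minute in range(200, 230):
        alice.hear(carol.broadcast(minute), minute, distance_ft=2.0)

    # Bob tests positive and uploads only his daily key; his contact log stays on his phone.
    published = [bob.daily_key]
    return {p.name: (p.exposure_minutes(published), p.is_exposed(published))
            for p in (alice, carol, dave)}


if __name__ == "__main__":
    for name, (minutes, alerted) in run_simulation().items():
        print(f"{name}: {minutes} min of close contact with a diagnosed user, alert={alerted}")
```

Only Alice crosses the ten-minute threshold: Carol's contact is too short and Dave's is never logged because it was outside the proximity range. Note what the server sees in this design: a list of daily keys belonging to diagnosed users and nothing else, which is why it avoids the central-database concern raised above. It does not remove the re-identification concern, however. A published daily key links every identifier that phone broadcast that day, so a recipient who was near only one person during that window can still work out who was diagnosed. A centralized design, by contrast, would upload the contact logs themselves and perform the matching on the server, which is the configuration the article flags as most invasive.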

Congress Takes Aim

To address some of the privacy concerns implicated by contact tracing apps, members of Congress recently introduced two competing bills to govern their use: the COVID-19 Consumer Data Protection Act (“CCDPA”) and the Public Health Emergency Privacy Act (“PHEPA”).

COVID-19 Consumer Data Protection Act (“CCDPA”)

The CCDPA was introduced on May 7, 2020 by Republican Senators Roger Wicker (R-Miss.), John Thune (R-S.D.), Jerry Moran (R-Kan.), and Marsha Blackburn (R-Tenn.). According to the Act's sponsors, the CCDPA “would provide all Americans with more transparency, choice, and control over the collection and use of their personal health, geolocation, and proximity data” and “hold businesses accountable to consumers if they use personal data to fight the COVID-19 pandemic.”

The CCDPA governs the collection, processing, and transfer of individuals' “covered data” for the following purposes: to track the spread, signs, or symptoms of COVID-19; to measure compliance with social distancing guidelines or other similar requirements imposed by law; and to conduct contact tracing. The bill defines “covered data” generally to mean precise geolocation data, proximity data, a persistent identifier, and personal health information. However, “covered data” does not include aggregated or de-identified data, business contact information, employee screening data, or publicly available information. Additionally, the CCDPA exempts from the Act all data subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Family Educational Rights and Privacy Act of 1974 (FERPA).

In terms of who would be regulated, the CCDPA would apply broadly to any entity or person that is subject to the Federal Trade Commission Act (FTCA); that is a common carrier subject to the Communications Act of 1934; or that qualifies as a non-profit (collectively, “covered entities”).

The CCDPA requires covered entities to obtain individuals' affirmative express consent before collecting, processing, or transferring their covered data and to give individuals prior notice of the purposes for doing so. Covered entities must also publish a privacy policy that describes, among other things, whether they will transfer covered data and, if so, to whom, and must provide individuals with the opportunity to opt out of the collection, processing, and transfer of their covered data.

Violations of the Act would be treated as unfair or deceptive acts or practices under the FTCA and would be enforced by the FTC or by state attorneys general acting as parens patriae. Notably, there is no private right of action under the CCDPA, and the Act would expressly preempt state law.

Public Health Emergency Privacy Act (“PHEPA”)

PHEPA was introduced on May 14, 2020 by Democratic Senators Richard Blumenthal (D-Conn.) and Mark Warner (D-Va.) and Representatives Jan Schakowsky (D-Ill.), Anna Eshoo (D-Calif.), and Suzan DelBene (D-Wash.). PHEPA has much in common with the CCDPA but differs in a few respects, most notably that PHEPA provides for a private right of action and does not preempt state law.

PHEPA governs the use, collection, and disclosure of “emergency health data,” which is generally defined as any data that is linked or reasonably linkable to an individual or device and that concerns the COVID-19 health emergency. “Emergency health data” includes geolocation data, proximity data, demographic data, and data derived from testing; however, the Act carves out certain exceptions for data collected for public health or scientific research purposes, and it specifically exempts HIPAA “covered entities” and “business associates.”

The Act would regulate any person or entity (including a government entity) that collects, uses, or discloses emergency health data or that develops or operates a website or app responding to the COVID-19 pandemic (collectively, “covered organizations”). Covered organizations do not include, and the Act does not apply to: (i) health care providers; (ii) persons engaged in de minimis collection or processing of emergency health data; (iii) service providers; (iv) persons acting in their individual or household capacity; and (v) public health authorities.

PHEPA requires covered organizations to obtain individuals' affirmative express consent before collecting, using, or disclosing their emergency health data. Covered organizations must also provide a privacy policy that describes how and for what purposes the covered organization collects, uses, and discloses emergency health data. PHEPA specifically prohibits a covered organization from collecting, using, or disclosing emergency health data for commercial purposes or from using the emergency health data in a discriminatory manner. Covered organizations must provide individuals with the right to revoke their consent. And, unique to PHEPA, a covered organization that collects, uses, or discloses the emergency health data of at least 100,000 individuals must issue a public report at least every ninety (90) days regarding its collection, use, and disclosure of emergency health data.

PHEPA would also be enforced by the Federal Trade Commission, and violations would be treated as an unfair or deceptive act or practice under the Federal Trade Commission Act. State attorneys general would also be able to bring a civil action on behalf of their residents as parens patriae. PHEPA would provide individuals a private right of action against covered organizations. Damages range from $100 to $1,000 for negligent violations and $500 to $5,000 for reckless, willful, or intentional violations, plus reasonable attorney's fees and any other relief the court determines appropriate. PHEPA explicitly does not preempt any other federal or state law or regulation.

© Polsinelli PC, Polsinelli LLP in California

National Law Review, Volume X, Number 157

About this Author

Hale H. Melnick, Associate, Chicago. Health Care; HIPAA/Health Information Privacy.

Hale works with a wide variety of clients in the health care industry, including health systems, hospitals, pharmaceutical companies, academic medical centers, and provider groups. He has a special concentration in privacy law, including the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other state privacy and data protection laws. Clients rely on him to develop strategic approaches to representation based on their immediate and long-term goals.