July 13, 2020

Volume X, Number 195

July 13, 2020

Subscribe to Latest Legal News and Analysis

July 10, 2020

Subscribe to Latest Legal News and Analysis

COVID-19 Consumer Data Protection Act of 2020 Seeks to Regulate Collection, Use of Geolocation, Personal Health Information

Contact tracing is recognized by health systems and governments as an effective method to identify individuals an infected person may have exposed to disease in order to notify those individuals and take action to prevent further spread of illness. Traditionally, the accuracy of contact tracing has been dependent upon an individual’s memory of (and willingness to disclose) where they have been and with whom they have been in contact in order to track down other people who may have been infected. Connected devices with geolocation capabilities allow for digital tracking of individuals, but also carry significant privacy issues.

On April 30, 2020, four senators (R. Wicker, R-MS; J. Thune, R-SD; J. Moran, R-KS; M. Blackburn, R-TN) announced their plan to introduce the “COVID-19 Consumer Data Protection Act of 2020.” The legislation’s goal is to regulate what geolocation and personal health information is collected, and how it may be used during the COVID-19 Public Health Emergency announced by Secretary of Health and Human Services (HHS) Alex Azar on January 31, 2020.

The proposed legislation would only be effective while there is a declared Public Health Emergency in place and apply only to data collected, processed or transferred for COVID-19 purposes. It would apply to covered entities defined as those subject to the Federal Trade Commission’s (FTC) jurisdiction as well as common carriers or nonprofits, who generally are not subject to the FTC’s jurisdiction. Covered data is defined as precise geolocation data, proximity data as well as personal health information.

Covered entities would be required to publish a privacy policy that is disclosed to individuals prior to or at the point of collection of the covered data that describes the intended transfers of the data, the category of data recipients and a general description of the data. Individuals would be required to provide affirmative, express consent before their covered data can be collected, processed or transferred unless such collection, processing or transfer is necessary to comply with a legal obligation.

The covered entity would also be required to provide an effective opt-out mechanism for individuals to revoke their consent for the collection and transfer of such data. In addition, covered entities would be required to issue a public report once every 30 days stating the aggregate number of individuals whose covered data has been collected, processed or transferred and describing the categories of covered data collected and transferred, the purpose for each data category and the recipients of transferred data. Covered entities would be prohibited from collecting more data than is necessary and the FTC will issue best practice data minimization guidelines. Covered entities would be required to have adequate data security.

This bill pulls elements from other privacy laws with respect to requiring affirmative express consent before collecting, processing or transferring sensitive information as the notice requirement before collecting personal data.

The FTC and the state attorneys general would be empowered to enforce the law.

© 2020 Faegre Drinker Biddle & Reath LLP. All Rights Reserved.National Law Review, Volume X, Number 127


About this Author

Josephine Cicchetti Partner Drinker Biddle DC Corporate and Securities, Insurance, Privacy and Cybersecurity, Emerging Securities

Josephine Cicchetti is a corporate and securities lawyer who works extensively within the insurance industry. In addition, for the past several years, Jo’s focus has included emerging securities, privacy, cybersecurity, and insurance regulatory issues. She has represented insurance companies, producers, third-party administrators, investment managers, broker-dealers, and other insurance market participants.

Jo has extensive experience counseling clients in their development and distribution of fixed and variable insurance products. She has more than 20 years of...

Katherine Armstrong, Drinker Biddle Law Firm, Washington DC, Data Privacy Attorney

Katherine E. Armstrong is counsel in the firm’s Government & Regulatory Affairs Practice Group where she focuses her practice on data privacy issues, including law enforcement investigations, and research and analysis of big data information practices including data broker issues.

Katherine has more than 30 years of consumer protection experience at the Federal Trade Commission (FTC), where she served in a variety of roles, including most recently as a Senior Attorney in the Division of Privacy and Identity Protection.  In the Division of Privacy and Identity Protection, Katherine lead Fair Credit Reporting Act (FCRA) initiatives, including law enforcement investigations, consent negotiations, rulemakings, and other interpretive policy initiatives.  During Katherine’s tenure at the Commission, she served as an Attorney Advisor to Chairman Janet Steiger and Commissioner Sheila Anthony and was responsible for counseling on matters of consumer protection policy and enforcement.