January 27, 2022

Volume XII, Number 27


January 27, 2022

Subscribe to Latest Legal News and Analysis

January 26, 2022

Subscribe to Latest Legal News and Analysis

January 25, 2022

Subscribe to Latest Legal News and Analysis

January 24, 2022

Subscribe to Latest Legal News and Analysis

Next Up In The Senate Might Be The COVID-19 Consumer Data Protection Act Of 2020


  • The Senate is expected to take up the COVID-19 Consumer Data Protection Act of 2020, which proposes strict new restrictions on the collection and use of personal information
  • The bill would require notice and express consent prior to collection of personal information and give individuals opportunity to opt-out 
  • Companies implementing various procedures in response to COVID-19 should be watching for new developments

Aiming to ensure the protection of individual privacy and personal information during the time of the COVID-19 crisis, on April 30, 2020, a group of Republican senators – led by the chairman of the Senate Commerce Committee, Sen. Roger Wicker – announced plans to introduce the COVID-19 Consumer Data Protection Act of 2020. The proposed bill seeks to “protect the privacy of consumers’ personal health information, proximity data, and geolocation data during the coronavirus public health crisis.”

The COVID-19 Consumer Data Protection Act of 2020 would put rules in place regarding the collection, processing and transfer covered data used to combat the spread of the coronavirus. The law would only apply temporarily, during the “COVID–19 public health emergency,” and only to specific uses of individuals’ personal data.

While this bill has not yet been introduced, companies seeking to implement new procedures as a result of the COVID-19 pandemic, including activities like testing and temperature checks for employees, should be monitoring its developments as the bill’s language can change during this process. 

What is “Covered Data”?

According to the proposed bill, “covered data” would include “precise geolocation data, proximity data, and personal health information.” However data that is aggregated, de-identified or publicly (data that does not identify and is not reasonably linked to a particular individual) available would not be considered “covered data.” Note the scope of this covered data is broader than “protected health information” under the Health Insurance Portability and Accountability Act (HIPAA) and more in-line with new privacy laws like the California Consumer Privacy Act (CCPA).

Who Are “Covered Entities”?

The bill would broadly apply to any entity or person who “collects, processes, or transfers covered data.”

What Are the Obligations Under the Proposed Bill?

The bill would require that covered entities provide individuals with notice prior to the collection, processing and transfer of covered data. Such notice would describe how geolocation data, proximity data and personal health information are used to track the spread, signs or symptoms of COVID-19; measure compliance with social distancing guidelines or other COVID-19-related requirements imposed by federal, state or local governments; and conduct contact tracing for COVID-19 cases. 

The bill would also require covered entities obtain affirmative express consent from individuals to collect, process or transfer their personal health, geolocation or proximity information for the purposes of tracking the spread of COVID-19, unless the processing is otherwise necessary to comply with a legal obligation.

Covered entities would be required under the bill to issue a “public report” at least once every 30 days, to include: 

  • the aggregate number of individuals whose data the entity has collected, processed or transferred
  • the categories of data that were collected, processed or transferred
  • the purposes for which data was collected, processed or transferred
  • those to whom it was transferred

Additionally, the bill would require that covered entities:

  • provide individuals with the right to opt-out or a mechanism that permits them to revoke consent; upon receiving such a request, covered entities would be required to stop collecting, processing or transferring the covered data, or to de-identify it within 14 days
  • delete or de-identify all covered data when it is no longer being used for a for the purpose for which it was initially collected, processed or transferred
  • minimize collection, processing and transfer of covered data to “what is reasonably necessary, proportionate and limited” to carry out the covered purpose
  • “establish, implement, and maintain reasonable administrative, technical, and physical data security policies and practices to protect against risks to the confidentiality, security, and integrity” to protect against risks to confidentiality, security and integrity of the covered data

Other Provisions

The COVID-19 Consumer Data Protection Act would be enforced by the Federal Trade Commission pursuant to its powers under the FTC Act. State attorneys general would also have the power to bring civil actions against covered entities that adversely affect the interest of residents of their state, who are not subject to the enforcement authority of the Federal Trade Commission.

Importantly, the bill contains a preemption clause that would prevent states from adopting, enforcing or continuing to maintain any law that is “related to the collection, processing, or transfer of covered data” for purposes covered in the bill.

© 2022 BARNES & THORNBURG LLPNational Law Review, Volume X, Number 127

About this Author

Brian J. McGinnis, Barnes Thornburg Law Firm, Indianapolis, Intellectual Property Law Attorney

Brian J. McGinnis is an attorney with Barnes & Thornburg LLP where he is a member of the firm's Intellectual Property Department and the Internet and Technology and the Data Security and Privacy practice groups. He is resident in the firm’s Indianapolis office.

Brian's practice is focused at the intersection of the law and technology. He has developed a national practice advising clients ranging from multinational corporations to startups on the broad range of legal matters pertaining to technology, intellectual property protection and...

Michael Baumert Intellectual Property Lawyer

Michael Baumert is an associate in Barnes & Thornburg’s Chicago office. As a member of the Intellectual Property Department and Corporate Department, Michael focuses on technology-driven transactions, sourcing, cloud computing, and data privacy and security.

Michael frequently counsels clients on data privacy issues and the implementation of global data protection laws and regulations, including the EU General Data Protection Regulation (GDPR), the Telephone Consumer Protection Act (TCPA), and the Health Insurance Portability and Accountability Act (HIPAA), among others. He has...