Responding to widespread calls for uniform rules and restrictions regarding the collection and use of individuals’ COVID-19-related health information, Congressional Republicans and Democrats have each recently introduced their own versions of federal COVID-19 data privacy bills. Although both parties’ bills share the same big-picture goal of protecting individuals’ COVID-19 information, the Democrats and Republicans have each taken slightly different approaches, resulting in some crucial distinctions between the dueling bills.
Key Similarities
Both bills create new rights for individuals with respect to their COVID-19-related health information, and as a result the bills do share multiple overlapping features and concepts:
- Although the Republicans and Democrats diverge with respect to the scope of information that their bills protect (as further discussed in the first bullet point in the “Key Differences” section below), both bills require that, unless otherwise required by applicable law, businesses obtain individuals’ affirmative consent before collecting and using COVID-19 information, and individuals must be permitted to later revoke that consent. Significantly, the bills both require covered businesses to disclose their COVID-19-related information collection practices in a public-facing privacy policy, and businesses must establish and implement reasonable data security practices to protect the security and confidentiality of the COVID-19-related information that they collect and maintain.
- Both parties’ bills contain carve-outs for health care providers and personal health information covered by HIPAA, as well as for public health authorities. Crucially, both bills also exclude “service providers,” which are entities that process COVID-19 information solely in the course of performing services on another entity’s behalf. Since “service providers” would therefore not be directly subject to the compliance requirements of the law, businesses may need to ensure that they flow down relevant compliance requirements in their vendor contracts.
- Republicans and Democrats have both included reporting requirements in their bills, whereby entities covered by the law are required to periodically issue public reports describing the aggregate total information the entity has collected, and the purposes for which the entity has used such information.
- The applicability of both bills is expressly limited to the duration of the COVID-19 public health emergency.
- Both the Republican and Democratic bills empower the Federal Trade Commission (“FTC”) to enforce the new laws, and both bills direct the FTC to treat violations as breaches of Section 5 of the FTC Act regarding unfair or deceptive acts or practices. Both parties’ bills also empower state attorneys general to bring suit on behalf of their state’s residents.
Key Differences
Unsurprisingly, the Republican and Democratic bills also contain some significant distinctions from one another, which result in important differences in terms of both applicability and enforcement.
- As an initial matter, the Republican and Democratic bills diverge with respect to the scope of information protected. Under the Republicans’ bill, covered data is defined as geolocation data, “proximity data” (defined as “technologically derived information that identifies the past or present proximity” of individuals to each other), a persistent identifier, and “personal health information” (which is broadly defined to include any physical or mental health status or disability, not just COVID-19 status). Meanwhile, the information protected by the Democrats’ bill is defined as data that is “still linked or reasonably linkable” to an individual “that concerns the public COVID-19 health emergency.”
- The consent requirements of the Republicans’ bill only apply to the collection, processing, or transfer of COVID-19 information for a “covered purpose,” which is defined as “track[ing] the spread, signs, or symptoms of COVID-19[,]” . . . “measur[ing] compliance with social distancing guidelines” and other COVID-19-related legal restrictions, or “conduct[ing] contact tracing for COVID-19 cases.” The Democrats’ bill has a much wider scope, requiring affirmative consent for any collection, use, or disclosure of COVID-19 information.
- The Republicans’ bill only applies to businesses that are subject to the jurisdiction of the FTC, as well as common carriers or non-profits. The Democratic bill, on the other hand, applies more broadly to any organization that collects, uses, or discloses electronic COVID-19 information, and expressly includes any developer or operator of any website or web/mobile/smart device app that is intended to track, screen, monitor, contact trace, mitigate “or otherwise respond[]” to the COVID-19 emergency.
- The Republican bill expressly excludes “employee screening data” from the type of COVID-19 information that is covered by the law. “Employee screening data” includes COVID-19 information of a business’s employees, owners, officers, vendors, visitors, contractors, volunteers, and interns, so long as the business only uses such information “for the purposes of determining . . . whether the individual is permitted to enter a physical site of operation[.]” Accordingly, the Republican bill appears to essentially exempt information collected by businesses as part of COVID-19 entry-screening procedures (e.g., temperature checks at facility entrances), so long as the business’s use of that information is confined to its decision to permit or deny entry to the individual whose information has been collected.
- The Democratic bill specifically prohibits COVID-19-related information from being used for any purpose that would restrict or interfere with individuals’ right to vote. The Democrats also require Congress to create a report examining “the civil rights impact of the collection, use, and disclosure of health information in response to the COVID-19 public health emergency.”
- The Republicans and Democrats take opposite approaches with respect to preemption. The Republican bill expressly prohibits the states from adopting or enforcing conflicting laws, while the Democrats’ bill cannot be interpreted to preempt or supersede any state law or regulation.
- Finally, the Democratic bill creates a private right of action, allowing individuals to bring civil actions and seek monetary penalties of $100 to $1,000 per negligent violation, and $500 to $5,000 per reckless or willful violation, as well as attorneys’ fees and litigation costs. The bill also confers standing by deeming any violation of the law with respect to an individual’s COVID-19 information a “concrete and particularized injury in fact[.]”
Current Status
Both the Republicans’ and Democrats’ bills are in the early stages of the legislative process. On May 7th, 2020, Republican Senators Wicker (R-Mississippi), Thune (R-South Dakota), Fischer (R-Nebraska), and Blackburn (R-Tennessee) introduced the COVID-19 Consumer Data Protection Act. And on May 14th, 2020, Democratic Senators Blumenthal (D-Connecticut) and Warner (D-Virginia), along with a group of Democratic Representatives in the House, simultaneously introduced the Democrats’ alternative bill, the Public Health Emergency Privacy Act.