COVID-19 Consumer Data Protection Act Introduced
Two new privacy bills were introduced in Congress in an effort to help protect personal data collected by businesses during the COVID-19 emergency. Although the bills, one of which was introduced by Senate Democrats and the other submitted by Senate Republicans, have a number of key differences, they both share one major similarity, namely an explicit requirement under which data subjects must opt-in to the collection and use of any COVID-19-related data of a personal nature. If passed, this law could have a significant effect on the types of protections available to consumers across the nation, so if you have questions or concerns about the use of your own personal data for COVID-19-related tracking purposes, please call our office to speak with an experienced consumer law attorney to learn more.
The recently introduced bills were drafted in response to the development of an increasing number of websites, software applications, and digital tools whose purpose is to collect and use personal data related to COVID-19. Specifically, many of these programs were created to enable contact tracing, which is a process used to identify individuals with whom a person who tested positive for COVID-19, could have been in contact with while infected. While digital equipment, applications, and other tools have proven to be invaluable in helping identify contacts and notify users of the risk of exposure, the information collected by these groups, which is ostensibly only used for the screening and tracking of COVID-19, also poses a serious risk to consumer privacy.
In response to these concerns, members of the Senate drafted two bills, both of which require that data collection agencies implement certain measures to protect health information, geolocation, and proximity data. Specifically, if passed, the law would make it unlawful for companies to collect, process, or transfer covered data for the purpose of contact tracing without first providing notice to the parties involved and obtaining their consent. There would also, however, be a few exceptions to these laws. For instance, both bills exclude public health authorities as covered parties, stating that these entities are permitted to collect information as necessary to protect the public. Healthcare institutions also fall outside the purview of the new laws, as they are already covered by the Health Insurance Portability and Accountability Act (HIPAA).
An Opt-In Process
Both data protection bills require that qualifying organizations obtain the explicit consent of data subjects through an opt-in process before data can be used or even collected. This would represent a significant departure from current U.S. data privacy laws, which are still based on opt-out models. What constitutes personal information or data, however, has not yet been clarified, nor do the laws describe what would qualify as a reasonable data protection measure.
Set Up a Consultation with a Philadelphia Consumer Attorney
To speak with an experienced Philadelphia consumer lawyer about your own data protection rights, please contact Louis S. Schwartz at CONSUMERLAWPA.com today.