Republican members of the Senate Commerce, Science and Transportation Committee formally introduced legislation on May 7, 2020, to give Americans more control over and insight into how their personal health, proximity and geolocation data is used during the novel coronavirus, or COVID-19, pandemic. The bill's introduction reflects the growing number of privacy and surveillance concerns during the public health emergency as the industry develops their own standards for how they will conduct contact tracing and other efforts to slow the spread of the virus.

The measure, the COVID-19 Consumer Data Protection Act, is sponsored by Commerce Committee Chairman Roger Wicker (R-MS) and Sens. John Thune (R-SD), Deb Fischer (R-NE), Jerry Moran (R-KS) and Marsha Blackburn (R-TN).

The bill requires companies to obtain express consent in order to collect, process or transfer this type of data for the purposes of tracking the spread of COVID-19. It also allows individuals to opt out of the collection and use of this data, and directs companies to be transparent to the public by describing their data collection practices in relation to the pandemic. Further, companies must de-identify all personally identifiable information (PII) when it is no longer being used for the health emergency.

Under the measure, the Federal Trade Commission and state Attorneys General are given enforcement authority, and state and local laws and regulations are preempted under the Act. The bill would also mandate that companies establish "reasonable" data security practices and procedures security and requires data to be deleted after the pandemic.

While employee screening data is not covered by the bill, the original draft of the measure unveiled last week allowed employees to opt out of screening. The text has since been modified to exclude this data.

Chairman Wicker and Sen. Thune have underscored the need to include the measure in the next COVID-19 relief package, but the bill lacks support from key Senate Democrats, including Senate Commerce Committee Ranking Member Cantwell (D-WA). Senate Democrats have cautioned against a measure which preempts more stringent state laws such as the California Consumer Privacy Act (CCPA). Democrats have also reiterated the need to provide for a private right of action, which Chairman Wicker has previously dubbed as a "nonstarter" when broader privacy talks stalled earlier this year after the introduction of separate Republican and Democratic privacy proposals (see prior alert here).

Akin Gump's public law and policy practice continues to work with the cybersecurity, privacy and data protection practice to monitor real-time data privacy updates related to COVID-19. Our team apprises clients of any legislative or regulatory updates, as well as applicable industry action in the privacy arena.

Originally published May 8, 2020.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.