Bipartisan Bill Seeks to Regulate COVID-19 Exposure Notification Apps

Authors: Michael D. Stovsky, Katherine A. Smith

On June 1, 2020, U.S. Senators Maria Cantwell (D-WA) and Bill Cassidy (R-LA) introduced bipartisan legislation, the Exposure Notification Privacy Act (“Act”), in the Senate.[1],[2]  The Act would regulate coronavirus contact-tracing and exposure-notification apps, which different U.S. states have been developing as part of efforts to track the spread of the virus and to notify individuals who may have been exposed to the virus.  Apple and Google have also released software that allows governments to build such apps using Bluetooth technology on smartphones.

The Act would require these apps to either be created in collaboration with or operated by public health authorities.  Additionally, it would put in place robust privacy safeguards to protect users’ privacy, prevent data misuse, and promote public health.  The proposed law would achieve these safeguards by mandating, among other things, that individuals be able to consent to the collection of their information and to delete it at any time.  Further, any data collected could not be “for any commercial purpose” and would be the “minimum amount necessary to implement an automated exposure notification service for public health purposes.”  Apps would also be required to tell users and the Federal Trade Commission (“FTC”) about data breaches “in the most expedient time possible, consistent with the legitimate needs of law enforcement.”

The FTC would be tasked with enforcement of this proposed law and would be able to issue civil penalties for first-time violators, a power that the consumer protection agency currently does not have for most privacy matters that do not affect children under the age of 13.  State attorneys general would also be able to enforce the Act. 

The Act makes clear that it would not preempt, displace, or supplant any State law, rule, regulation, or requirement as well as any Federal or State common law right or remedy, or any statute. 

A more detailed summary of the role of public health authorities, individual rights, data restrictions, and enforcement in the Act follows.

Role of Public Health Authorities

  • The Act will require that public health officials be involved with the deployment of any exposure notification systems. The Act will prohibit any automated exposure notification service not operated by or in collaboration with a public health authority. This would give users confidence that the technologies they are using are legitimate and not created by unqualified actors.

  • The Act will allow only medically-authorized diagnoses of infectious diseases to be submitted to exposure notification systems. This will guard against false reports.

Individual Rights

  • The Act will require that participation be voluntary and based on affirmative, express consent. Further, consent could be withdrawn at any time.

  • The Act will allow participants to delete their data from an exposure notification system at any time.

  • The Act will make it unlawful to discriminate against, or otherwise make unavailable to an individual, any place of public accommodation based on data collected or processed through an automated exposure notification service. This will keep people from being denied entry to a public place if they choose not to sign up for a coronavirus exposure notification app.

Data Restrictions to Preserve Privacy

  • The Act will limit the collection and use of data to that which is necessary for the purpose of the system and prohibit any commercial use of data.

  • The Act will prohibit operators of automated exposure notification services from collecting or using data beyond what is necessary to implement such services for public health purposes. Operators would be prohibited from collecting or processing data for any commercial purpose.

  • The Act will create strong cybersecurity and breach notification safeguards. In order to protect user data, the legislation creates comprehensive data security requirements and obligations to immediately notify individuals in the event of a security incident.

  • The Act will require recurring and ongoing data deletion obligations.

  • The Act will make allowances for public health research.

Enforcement

  • The Act will empower the FTC and State Attorneys General to pursue violators.

  • The Act will allow the FTC to pursue civil penalties for first-time violations.

  • The Act will protect state privacy rights, ensuring that consumer privacy and health laws remain in place.

For more information, please contact a member of the firm’s Intellectual Property/3iP Practice Group.

Michael D. Stovsky at mstovsky@beneschlaw.com or 216.363.4626.

Katherine E. Smith at ksmith@beneschlaw.com or 216.363.4488.

***

Please note that this information is current as of the date of this Client Alert, based on the available data. However, because COVID-19’s status and updates related to the same are ongoing, we recommend real-time review of guidance distributed by the CDC and local officials.
