The U.S. Senate Committee on Commerce, Science, and Transportation ('the Senate Committee') announced, on 30 April 2020, the plan of U.S. Senators Roger Wicker, John Thune, Jerry Moran, and Marsha Blackburn to introduce a bill for the COVID-19 Consumer Data Protection Act ('the Bill').
In particular, the Bill would, among other things, require companies under the jurisdiction of the Federal Trade Commission ('FTC') to obtain affirmative express consent from individuals to collect, process, or transfer their personal health, geolocation, or proximity information for the purposes of tracking the spread of COVID-19 ('Coronavirus').
How are companies currently handling health and geolocation data?
There have been several attempts to introduce greater regulation for companies that handle health and geolocation data, particularly within the health sector. However, at the time of publication, there is no significant legislation in place for organisations outside the remit of the Health Insurance Portability and Accountability Act of 1996 ('HIPAA').
Rachel Marmor, Counsel at Davis Wright Tremaine LLP, told OneTrust DataGuidance that, "For entities not generally regulated by HIPAA, at the moment U.S. law does not recognise these categories of data as particularly sensitive, and therefore no special rules apply. Medical information is covered under some state data breach notification laws but not all; and a lot of companies that are now looking to collect health data were not doing it at all previously, so are unlikely to have a security program that covers health data. It should also be noted that what constitutes 'geolocation data' is unclear. Most proposed legislation has defined it as data revealing an individual's precise longitude and latitude, or allowing location of an individual within a certain radius. The [Bill] appears to define it as information allowing location of an individual at a specific point in time with 'reasonable specificity.' This could be read to include IP addresses, which every business with a website collects, or potentially city and state."
Does HIPAA provide enough coverage of health data for companies to adhere to?
At present, HIPAA covers very specific definitions of information within the HIPAA regulations and applies to entities that create, receive, maintain, or transmit protected health information. The Bill, by contrast, is temporary in nature, as it establishes a requirement to delete or de-identify information once the Coronavirus pandemic has passed. Furthermore, the Bill would require companies to disclose to consumers how their personal data will be collected and used, and to provide consumers with the option to opt out of their data being collected, processed, and/or transferred.
Regarding whether or not HIPAA provides enough coverage of health data for companies to adhere to, Marmor notes, "Not really. Coronavirus has created situations in which companies across a number of industries which service customers in person are collecting health data in order to ensure that employees, customers, and guests are not infected. These companies are rarely covered by HIPAA, which applies only to certain entities, typically those engaged in the provision of healthcare services such as healthcare providers, health plans, and healthcare clearinghouses. Similarly, HIPAA does not regulate attempts by technology companies to do contact tracing based on geolocation data. Other than the California Consumer Privacy Act of 2018 ('CCPA'), which would not apply to protected health information of HIPAA covered entities and their business associates, there would be few existing constraints on collection and use, unless a sale is involved."
At present, there is much to be discussed once the Bill has been introduced to the U.S. Congress, especially given the likelihood that amendments to its provisions will be put forward. There is also the potential that the Bill will follow many other failed attempts to enact a more comprehensive federal privacy law, although the Coronavirus emergency may bring about a change in attitude.
Marmor concludes that, "regardless of what happens with the [Bill], organisations looking to collect symptom data or attestations about an individual's lack of symptoms in order to prevent potential infections need to think carefully about the data collection strategy. Disclosure obligations already exist under the [CCPA] and unfair and deceptive trade practice laws, as do obligations not to use the data in ways that are unexpected and/or harmful to consumers. Setting use controls and a retention schedule before you collect the data is critical."
The facts, laws, and regulations regarding COVID-19 are developing rapidly. Since the date of publication, there may be new or additional information not referenced in this advisory. Please consult with your legal counsel for guidance.