On April 30, 2020, Senator Roger Wicker (MS), Chairman of the Senate Commerce Committee, along with Senators John Thune (SD), Jerry Moran (KS) and Marsha Blackburn (TN), announced plans to introduce the COVID-19 Consumer Data Protection Act of 2020 (“the bill”), which would put temporary rules in place regarding the collection, processing and transfer of data used to combat the spread of the coronavirus. The bill would only apply during the course of the COVID-19 Public Health Emergency as declared by the Secretary of Health and Human Services, and would only apply to specific uses of certain personal data.

In particular, the bill would only apply to precise geolocation data, proximity data and personal health information used for the following purposes: (1) to track the spread, signs or symptoms of COVID-19; (2) to measure compliance with social distancing guidelines or other COVID-19-related requirements imposed by federal, state or local governments; or (3) to conduct contact tracing for COVID-19 cases. It would require that covered entities provide individuals with notice prior to the collection, processing and transfer of such data for those purposes, and that individuals give affirmative express consent for that collection, processing or transfer unless the collection, processing or transfer is otherwise necessary to comply with a legal obligation.

Additionally, the bill would require the following of covered entities:

  • Make a privacy policy available to the public and publish a report every 30 days containing the aggregate number of individuals whose data has been collected, processed or transferred for a covered purpose, as well as the categories of data and specific purpose for which the data was collected, processed or transferred and to whom it was transferred;
  • Provide a mechanism for individuals who have given consent to revoke that consent or opt out;
  • Delete or deidentify all covered data when it is no longer being used for a purpose covered by the bill;
  • Limit collection, processing and transfer of data to what is reasonably necessary, proportionate and limited to carry out the covered purpose; and
  • Establish, implement and maintain reasonable data security policies and practices to protect against risks to confidentiality, security and integrity of the covered data.

The bill would be enforced by both the Federal Trade Commission and state attorneys general, and would prevent states from adopting or enforcing any laws or regulations related to the collection, processing or transfer of covered data used for purposes covered in the bill.