On June 1, 2020, U.S. Senators Maria Cantwell (WA) and Bill Cassidy (LA) introduced the Exposure Notification Privacy Act (the “Act”), bipartisan legislation that would impose requirements and restrictions on operators of automated exposure notification services. The bill defines automated exposure notification service as “a website, online service, online application, mobile application, or mobile operating system that is offered in commerce in the U.S. and that is designed, in part or in full, specifically to be used for, or marketed for, the purpose of digitally notifying, in an automated manner, an individual who may have become exposed to an infectious disease (or the device of such individual, or a person or entity that reviews such disclosures).” These services are commonly referred to as “contact tracing technology” because they are designed to provide alerts when a user comes in near-contact with someone who tested positive for an infectious disease, such as COVID-19.
The legislation would provide a number of privacy protections for users of automated exposure notification services, including (1) requiring user consent for the collection of information; (2) data deletion rights and other data deletion requirements; and (3) requiring notice of data breaches to users and the Federal Trade Commission (“FTC”).
The Act would also prohibit exposure notification services from collecting data “for any commercial purpose,” including targeted advertising. It would also promote user choice by prohibiting people from being prevented from entering a public place if they choose not to sign up for an automated exposure notification service. Under the law, operators of automated exposure notification services would be prohibited from releasing a service to the public if the service is not operated by or created in collaboration with public health authorities.
The FTC would be tasked with enforcing the Act and would be able to issue civil penalties. State attorneys general would also be able to enforce the Act.