As they had previously announced their intent to do so, the leadership of several Senate Committees introduced the “COVID-19 Consumer Data Protection Act” on May 7, 2020.
The Act would:
- Require companies under FTC jurisdiction to obtain affirmative express consent from individuals to collect, process, or transfer their personal health, device, geolocation, or proximity information for the purposes of tracking the spread of COVID-19 (e.g., contact tracing).
- Direct companies to disclose at the point of collection how data will be handled, to whom it will be transferred, and how long it will be retained.
- Establish clear definitions about what constitutes aggregated and de-identified data to ensure sufficient technical and legal safeguards to protect consumer data from being re-identified.
- Require companies to allow individuals to opt out of the collection, processing, or transfer of their personal health, geolocation, or proximity information.
- Direct companies to provide public transparency reports describing data collection activities related to COVID-19.
- Establish data minimization and security requirements for any personally identifiable information collected by a covered entity.
- Require companies to delete or de-identify all personally identifiable information when it is no longer being used for the COVID-19 public health emergency.
- Authorize state attorneys general to enforce the Act.
To read the bill, click here.