Yesterday, U.S. Senate Republican Committee Leaders introduced the COVID-19 Consumer Data Protection Act. While the legislation is a welcome effort, it falls short.
This new bill is primarily focused on protecting health data associated with COVID-19 response. It applies narrowly to identifiable geolocation, proximity, and health data, and device identifiers like IP addresses. It allows companies to collect data only for particular purposes related to COVID-19 response, and is time-limited, with protections ending when the Secretary of Health and Human Services (HHS) ends the public emergency. Importantly, it ensures that use of any COVID-19 response app is voluntary.
Unfortunately, the bill fails to 1) take into consideration that geolocation is insufficiently granular to provide any true COVID-19 response benefits, 2) provide robust protections around data minimization and security, and 3) provide protections for so-called “de-identified” data that is at serious risk of re-identification (particularly geolocation data). It also does not guarantee anti-discrimination protections for people who opt out of using apps, and broadly exempts employers. Finally, terminating protections when HHS ends the emergency is likely not a sufficient timeline, as we may still need to track the virus beyond that point.
You can read our review of the legislation here.
“We appreciate the Senate Republicans’ efforts in getting this conversation started,” said Eric Null, U.S. Policy Manager at Access Now. “COVID-19 response apps are already out there, and Congress should ensure those apps protect people’s privacy. This bill, however, needs improvements before it can truly provide those protections.”
As the U.S. Congress grapples with how to confront the public health crisis, Access Now will continue to call for the full protection of digital rights, including the right to data protection and privacy, for everyone.