Senate and House Democrats Introduce COVID-19 Privacy Bill Targeting Contact Tracing Apps

As privacy concerns grow about the data collected through contact tracing apps to monitor the spread of the coronavirus, a group of Democratic lawmakers is introducing a bill Thursday that aims to ensure that the data collected is protected from over-surveillance and abuse, according to a copy of the legislation seen by Morning Consult.

The Public Health Emergency Privacy Act -- which is being introduced by Sens. Richard Blumenthal (Conn.) and Mark Warner (Va.), as well as Reps. Anna Eshoo (Calif.), Jan Schakowsky (Ill.) and Suzan DelBene (Wash.) -- would require that any data collected for public health purposes isn’t used for unrelated situations and is deleted by the companies within 60 days of the public health emergency ending.

The legislation also aims to keep government agencies that aren’t involved in public health from misusing the collected data, which often includes information about who has tested positive for COVID-19 and whom they have come into contact with recently. And the Federal Trade Commission will lead enforcement while consulting with the Department of Health and Human Services, with the states playing some role, as well.

“Legal safeguards protecting consumer privacy failed to keep pace with technology, and that lapse is costing us in the fight against COVID-19,” Blumenthal said in a statement, adding that the new bill promises to make sure that the information collected “will be used to stop the spread of this disease, and no more.” 

The Democratic effort appears to be a response to a bill introduced by Republican leaders of the Senate Commerce Committee last week, called the COVID-19 Consumer Data Protection Act, that requires all companies obtain affirmative consent from individuals before collecting, processing or transferring their personal health information to track the spread of the virus. Both bills require organizations to receive “affirmative express consent” before collecting, using or disclosing their health information and to allow users to opt-out of data collection. But the Democratic bill adds two new provisions requiring that any health information collected not be used to prevent people from voting based on their medical condition and mandating regular reports on the impact of such data collection tools on civil rights.

Both efforts bring the stalled, partisan debate in Washington about how to forge ahead with a federal privacy law into a new pandemic reality. And officials have started to draw attention to the need for a federal standard as Silicon Valley’s involvement in the government’s COVID-19 response grows stronger. Christine Wilson, a commissioner with the FTC, for instance, wrote a Wall Street Journal op-ed Wednesday calling for Congress to implement a new federal privacy law, saying that “the assumption that consumers have already given informed consent for quarantine-compliance monitoring is unsupportable.”

The Democratic effort is also endorsed by several privacy advocacy consumer groups and think tanks, including Consumer Reports, Public Citizen, Lawyers’ Committee for Civil Rights Under Law, Free Press, New America’s Open Technology Institute, Public Knowledge and the Electronic Privacy and Information Center.