COVID-19 Privacy Laws and Regulating Contact Tracing in the U.S.

Policymakers in the United States have introduced three privacy acts to regulate contact tracing solutions that track the spread of the coronavirus, fueling the nationwide debate over data privacy concerns. Digital tools are a key part of policymakers’ and public health officials’ plans to mitigate the impact of COVID-19, but they also raise concerns over privacy and civil liberties: How will health data be used? Who can access the information? Can individuals opt out?

Although each bill tackles the issue of privacy in a slightly different way – the primary differences lie in their stringency and prescriptiveness – all three aim to reshape the way we handle and share data. Below, learn more about the three potential COVID-19 privacy laws and how they could transform data privacy during and after the pandemic.

COVID-19 Consumer Data Protection Act

Bill introduced on May 7, 2020

Key points:

  • Provides individuals with the option to opt in or out of data collection and would require their affirmative express consent.
  • Excludes employee health data collected or processed for workplace safety-related reasons.
  • Individuals must be kept informed on how their data will be handled, where it is transferred, and how long it will be retained.
  • Companies are required to be transparent about how collected data is used and to provide reports describing their data collection activities.
  • Requires companies to delete or de-identify all personally identifiable information (PII) when it is no longer being used for the COVID-19 public health emergency.

Public Health Emergency Privacy Act

Bill introduced on May 14, 2020

Key points:

  • Includes explicit anti-discrimination provisions.
  • Requires companies that collect data for public health purposes to delete the information 60 days after the public health emergency ends.
  • Explicitly states the data may only be used for public health purposes and organizations are required to inform individuals what their data is being used for.
  • Provides individuals with a way to correct inaccuracies in the data.
  • Includes stipulations on data security policies, practices, and procedures to protect the data collected.
  • Requires affirmative express consent unless one of several narrow exceptions is met; also provides individuals with the ability to revoke that consent.
  • Requires organizations collecting over 100,000 individuals’ data to provide a public report every 90 days stating the number of individuals whose data has been collected and how it was used.

Exposure Notification Privacy Act

Bill introduced on June 1

Key points:

  • Aims to regulate exposure notification and contact tracing apps used to monitor and control the spread of COVID-19.
  • Applies to online services, defined as an “automated exposure notification service,” that exist specifically for “the purpose of digitally notifying, in an automated manner, an individual who may have been exposed to an infectious disease.” This is a narrower scope than that of the previous two bills.
  • Includes explicit anti-discrimination provisions.
  • Requires cooperation with public health officials regarding the operation of exposure notification services.
  • Requires the use of contact tracing apps to be voluntary; individuals can opt in or out.
  • Requires that all affected individuals be notified in the event of a data breach.