New Data Protection Act Would Regulate COVID-19 Tracing Apps

by Chris Brook on Monday May 4, 2020

The act would require “affirmative express consent” for transferring any health, location and proximity data, and allow individuals to opt out of data collection.

A new data privacy bill, introduced last week in the Senate, would implement privacy requirements for COVID-19 tracking and put safeguards in place to keep contact tracing apps in check.

Many of the contact tracing apps being discussed as of late to help prevent COVID-19 rely on Bluetooth technology and alert users if they've been near someone who's tested positive for the virus. While countries have discussed deploying different, country-specific apps, most of the discussion in the U.S. has revolved around an app developed jointly by Google and Apple.

Contact tracing is just part of the solution to help combat COVID-19, of course. It will need to be paired with case investigation, contact follow-up, monitoring, testing, clinical services, and agile data management systems, as the Centers for Disease Control and Prevention points out.

The intent of the bill, the COVID-19 Consumer Data Protection Act, is to give consumers more transparency into how businesses use their personal health, geolocation, and proximity data.

Introduced by four Senators, Roger Wicker, R-Miss., Jerry Moran, R-Kan., Marsha Blackburn, R-Tenn., and John Thune, R-S.D., the bill would rein in the requirements of companies as far as data collection goes.

The Senators, all of whom are members of the Senate Committee on Commerce, Science, and Transportation, emphasized the importance of privacy when announcing the bill last week.

“In the age of social distancing, we are leaning on technology more than ever to stay connected and obtain information,” Blackburn said. “It is paramount that as tech companies utilize data to track the spread of COVID-19, Americans’ privacy and security are not put at risk. Health and location data can reveal sensitive and personal information, and these companies must be transparent with their users.”

In addition to requiring companies to obtain express consent from individuals to collect, process, or transfer their personal health data for tracking COVID-19, the bill would require companies to delete or de-identify any personally identifiable information when it’s no longer being used for contact tracing, release transparency reports to the public outlining their data collection activities, and allow individuals to opt out of having their data collected.

Companies would also have to meet what can be assumed to be standard data minimization and security requirements for any PII they collect, and inform consumers of “how their data will be handled, to whom it will be transferred, and how long it will be retained,” as well as the point of the data collection in the first place.

Like a number of other important federal regulatory laws of late, the COVID-19 Consumer Data Protection Act would be left to state attorneys general to enforce.

The legislation comes as Congress continues to work towards crafting a federal data privacy framework. While those efforts, which largely aim to rein in data-rich tech companies, are more or less on the backburner, the Senators are hoping a more targeted effort, like this one, will be able to better tamp down consumer privacy violations stemming from COVID-19.

Tags:  Data Protection