Newest Effort to Balance Law and Tech: COVID-19 Consumer Data Protection Act of 2020

CCDPA makes more sense when considered in the context of the development of technology for COVID-19 contact tracing or collecting, aggregating, and/or analyzing COVID-19-related diagnosis, treatment, and other data.[3]  Since CCDPA was made public twenty (20) days after Apple and Google announced their partnership[4] for the development of “Exposure Notification” application programming interfaces (APIs) and operating system-level technology,[5] we will provide a brief overview of the Apple-Google technology to help contextualize CCDPA’s provisions.

Specifically, Apple and Google teamed up to develop APIs that enable interoperability between Android and iOS devices for apps created by public health authorities, as well as operating system technology that “will work to enable a broader Bluetooth-based contact tracing platform by building this functionality into the underlying platforms” as a “more robust solution than an API [that] would allow more individuals to participate, if they choose to opt in, as well as enable interaction with a broader ecosystem of apps and government health authorities.” [6]

From, a user perspective, the exposure notification app operates like this:

1. A user downloads from the App Store or Google Play an exposure notification app developed by or on behalf of a public health authority.
2. The app syncs, on a daily basis, the last fourteen (14) days of the user’s location relative to other users as determined by Bluetooth signals exchanged with other mobile telephones when (a) in the initial phase, an exposure notification app is downloaded and the user has agreed to the app’s terms and conditions or (b) in the second phase, a user has opted in at the operating system level (i.e., no app is needed).
3. A user can choose to enter his or her COVID-19 positive test result into the exposure notification app.
4. Any other user who came into contact with a COVID-19 positive user during the prior 14 days receives a notification.[7]

Apple and Google provided this helpful graphic about use of an Exposure Notification app by Bob and Alice:

[8]

In the published FAQs about their partnership, Apple and Google pledged that “[p]rivacy, transparency, and consent are of utmost importance in this effort” and to “openly publish information about our work for others to analyze.” [9]   Google and Apple also specifically promised that:

• “Each user will have to make an explicit choice to turn on the technology.
• This system will not collect location data from a device and does not share the identities of other users to each other, Google or Apple. The user controls all data they want to share, and the decision to share it.
• Random Bluetooth identifiers rotate every 10-20 minutes, to help prevent tracking.
• Exposure notification is only done on device and under the user’s control. In addition, people who test positive are not identified by the system to other users, or to Apple or Google.
• The system is only used for contact tracing by public health authorities apps.
• Google and Apple will disable the exposure notification system on a regional basis when it is no longer needed.
• The choice to use this technology rests with the user, and he or she can turn it off at any time by uninstalling the contact tracing application or turning off exposure notification in Settings.” [10]

Turning back to CCDPA, the stated purpose of CCDPA is to “hold businesses accountable to consumers if they use personal data to fight the COVID-19 pandemic.” [11]  In its current form, CCDPA applies to a “covered entity”, which means a business subject to authority of the Federal Trade Commission (FTC)[12], a not-for-profit organization[13] or common carrier[14] that collects, processes or transfers “covered data”.

Covered data is defined as (i) “precise location data,” i.e., actual past or present physical location; (ii) “proximity data,” i.e., past or present physical location identified with “reasonable specificity”; and (iii) “personal health information,” which is information that identifies or is “reasonably linkable” to an individual and is “genetic information” or “information relating to the diagnosis or treatment of past, present or future physical, mental health or disability” of the individual.

The definition of personal health information has notable exclusions.  In addition to an exclusion for information subject to HIPAA[15], personal health information does not include:

• aggregated data, i.e., data that relates to a group or category and “does not identify and is not linked or reasonably linkable to any individual” [16]
• de-identified data, i.e., does not identify and is not “reasonably linkable” to any individual, does not “contain personal identifiers or other information that could be readily used to re-identify the individual” and is subject to a “public commitment” not to re-identify and is disclosed other pursuant to a contract that prohibits re-identification[17]
• publicly available information, i.e., lawfully available from government records or “widely available to the general public” [18]

The CCPDA requires that a covered entity follow a notice and consent procedure for covered data[19] during the U.S. COVID-19 public health emergency.[20]   That is, a covered entity must provide notice to and obtain “affirmative express consent” from an individual before collecting, processing or transferring his or her covered data for any of these “covered purposes”: “to track the spread, signs or symptoms of COVID-19”, to measure compliance with “social distancing guidelines” issued by a government or to conduct contact tracing (like the Google-Apple Exposure Notification API described above).[21]

Other noteworthy provisions in CCDPA are:

• The covered entity must have a privacy policy that is disclosed to the individual prior to or at point of collection and is made available publicly, that describes the categories of recipients, data retention practices and security practices, which is consistent with current laws (aka transparency).[22]
• The individual has the right to “opt-out,” which means that, within 14 days of receipt of an opt-out request, the covered entity must stop all collection and use of the personal health information collected from the individual for a covered purpose or “de-identify” the personal health information already collected.[23]  
• Covered entities must publicly report every 30 days regarding the number of individuals whose covered data it has “collected, processed or transferred” for a covered purpose, the categories of covered data, specific purposes of processing, and, if applicable, to whom it was transferred.[24]
• Covered entities also are expected to collect only covered data that is “reasonably necessary” for the covered purpose (aka data minimization), delete covered data when it is no longer necessary for a covered purpose[25] and to use reasonable data security policies to protect covered data.[26]

CCDPA is enforced by the Federal Trade Commission and state attorneys general and does not offer a private right of action.

CCDPA has some similarities to non-binding guidance issued by European regulators pursuant to the General Data Protection Regulation about best practices for protecting privacy in contact tracing, including notice and consent requirements, honoring opt-out requests, data minimization, and data deletion.[27]  CCDPA is however by no means as strict as EU requirements and much narrower than the California Consumer Privacy Act of 2020[28], the landmark California privacy law currently viewed as the strictest of the U.S. state privacy laws.

We will see if the sponsoring senators formally introduce CCDPA to their colleagues and if so, monitor how it progresses through the Senate.

[1]  COVID-19 Consumer Data Protection Act, S. ___, 116th Cong. (2020). (“CCDPA”)

[2] See “Wicker Leads Fight for Online Privacy” (May 6, 2019).

[3] See, e.g., Jennifer Valentino-DeVries, Natasha Singer and Aaron Krolik, “A Scramble for Virus Apps That Do No Harm” (April 29, 2020); “COVID-19 tracing apps might not be optional at work,” (April 30, 2020); Hardas Gold, “UK starts testing coronavirus contact tracing app” (May 4, 2020).

[4] See, e.g., here and here.

[5] See “Apple and Google partner on COVID-19 contact tracing technology” (April 10, 2020).

[6] Id.

[7] “Exposure Notification Frequently Asked Questions,” V1.1 (May 2020).

[8] Exposure Notification API FAQs, FAQ 4.

[9] Id.

[10] Exposure Notification API FAQs, FAQ 5.

[11] See note 2, supra.

[12] CCDPA § 2.

[13] Id.

[14] Common carrier means “any person engaged as a common carrier for hire, in interstate or foreign communication by wire or radio or interstate or foreign radio transmission of energy, except where reference is made to common carriers not subject to this chapter; but a person engaged in radio broadcasting shall not, insofar as such person is so engaged, be deemed a common carrier.” 47 U.S.C.A. § 153 (West).

[15] See Health Insurance Portability and Accountability Act (Pub. L. 104–191), HIPAA Security Rule,  45 CFR §164.306 (2013).

[16] CCDPA § 2(1).

[17] CCDPA § 2(1).

[18] CCDPA § 2(8).

[19] CCDPA § 2(15).

[20] See here.

[21] CCDPA § 3(b).

[22] CCDPA § 3(c)(1).

[23] CCDPA § 3(d).

[24] CCDPA § 3(c)(2).

[25] CCDPA § 3(f).

[26] CCDPA § 3(f), (g).

[27] See, e.g., European Data Protection Board, “Guidelines 04/2020 on the use of location data and contact tracing tools in the context of the COVID-19 outbreak” (April 21, 2020); “Guidance on Apps supporting the fight against COVID 19 pandemic in relation to data protection” (April 17, 2020).

[28] Cal. Civ. Code §1798.100 et seq.