There is no shortage of legislation to address the coronavirus (“COVID-19”) pandemic and the emerging contact tracing applications. In late April 2020, Republican senators introduced a bill called the COVID-19 Consumer Data Protection Act that aims to provide consumers more transparency, choice, and control over information collected in connection with COVID-19. Then, in May, Democrats introduced the Public Health Emergency Privacy Act to protect personal information collected in connection with COVID-19. Now, as of June 1, a bipartisan bill—the Exposure Notification Privacy Act (“ENPA”)—is pending in the Senate and aimed at regulating contact tracing apps utilized for disease tracing broadly.
The complete text of the ENPA is accessible here. In a press release describing the ENPA to the public, Senator Maria Cantwell (D-Wash.) said that the “bipartisan bill gives Americans control over their data [and] puts public health officials in the driver’s seat of exposure notification development[.]” Sen. Cantwell introduced the bill with Sen. Bill Cassidy (R-La.), and the bill is co-sponsored by Sen. Amy Klobuchar (D-Minn.).
Key Aspects of the ENPA
The ENPA primarily applies to operators of “automated exposure notification services,” or apps that will automatically notify users when they have been exposed to someone who has tested positive for COVID-19. Like many emerging data privacy laws, the ENPA focuses on expanded consumer rights (e.g., deletion rights, use limitations, data transfer, and service provider restrictions), increased transparency, data minimization, ensuring adequate safeguards to protected covered information, and breach notification requirements.
- contact information for the company;
- categories of data collected and limitations of allowable processing;
- data transfer practices and the justification for such transfers;
- description of data minimization practices and retention policies;
- description of the security practices; and
- methods for individuals to exercise any of their rights, including consent revocation.
Additionally, the ENPA would require operators to acquire express (opt-in) user consent. The opt-in must be clear and conspicuous, using plain language and prominent headings; it must also be separate from other options or general terms and conditions, and it must include a description of each act or practice for which consent is sought.
Enforcement under the ENPA
Section 5 enforcement under the FTC Act typically is carried out by the Federal Trade Commission using a consent decree. Under the ENPA, the FTC is expressly given the power to enforce the law; however, they are not limited to consent decrees and, instead, are given the authority to commence independent litigation. Additionally, the chief law enforcement officer of a state, including any official or agency designated by state law, will have authority to bring an action in the respective state, subject to providing prior written notice to the FTC so that the FTC may have the option to intervene. The bill specifically empowers state attorneys general “to bring a civil action in State or Federal district court to enforce [the ENPA]. Available remedies include injunctive relief, civil penalties, and other monetary relief.”
It remains to be seen whether the ENPA will garner enough support to be enacted, but its bipartisan support may give it stronger legs to stand, as opposed to the prior two bills aimed at contact tracing app developers. In the meantime, here are some privacy guidelines for developers to consider:
- Any entity that currently is providing services in connection with a contact tracing app should follow these developing laws closely as they will affect requirements of not only the provider themselves, but also the contracts between such entities and subsequent service providers.
- In addition to the current proposed laws regarding contact tracing apps, developers should look to the Fair Information Practice Principles to implement privacy by design when engineering COVID-19-related apps. For more information about existing privacy guidelines for COVID-19-related apps, read our primer on Law360.
- Developers should carefully review how consumer consent is being obtained (if at all) and whether consumers have the means to revoke such consent, if desired. For example, consent by means of a “pre-ticked” box, thereby requiring no clear affirmative action from users to indicate agreement to process their personal information, likely should be avoided.
For regular updates regarding the impact of COVID-19 and responses thereto, visit the Troutman Sanders/Pepper Hamilton COVID-19 Resource Center.