Authors:
Ethan Ostroff, Partner, Troutman Sanders
Sadia Mirza, Associate, Troutman Sanders
Alex Teixeira, Attorney, Troutman Sanders
Brett Dorman, Associate, Pepper Hamilton

There is no shortage of legislation to address the coronavirus (“COVID-19”) pandemic and the emerging contact tracing applications. In late April 2020, Republican senators introduced a bill called the COVID-19 Consumer Data Protection Act that aims to provide consumers more transparency, choice, and control over information collected in connection with COVID-19. Then, in May, Democrats introduced the Public Health Emergency Privacy Act to protect personal information collected in connection with COVID-19. Now, as of June 1, a bipartisan bill—the Exposure Notification Privacy Act (“ENPA”)—is pending in the Senate and aimed at regulating contact tracing apps utilized for disease tracing broadly.

The complete text of the ENPA is accessible here. In a press release describing the ENPA to the public, Senator Maria Cantwell (D-Wash.) said that the “bipartisan bill gives Americans control over their data [and] puts public health officials in the driver’s seat of exposure notification development[.]” Sen. Cantwell introduced the bill with Sen. Bill Cassidy (R-La.), and the bill is co-sponsored by Sen. Amy Klobuchar (D-Minn.).

Key Aspects of the ENPA

The ENPA primarily applies to operators of “automated exposure notification services,” or apps that will automatically notify users when they have been exposed to someone who has tested positive for COVID-19. Like many emerging data privacy laws, the ENPA focuses on expanded consumer rights (e.g., deletion rights, use limitations, data transfer, and service provider restrictions), increased transparency, data minimization, ensuring adequate safeguards to protect covered information, and breach notification requirements.

With respect to increased transparency, the bill requires operators to have a public-facing privacy policy that is drafted in easy-to-understand language and that includes, among other things:

  • contact information for the company;
  • categories of data collected and limitations of allowable processing;
  • data transfer practices and the justification for such transfers;
  • description of data minimization practices and retention policies;
  • description of the security practices; and
  • methods for individuals to exercise any of their rights, including consent revocation.

Additionally, the ENPA would require operators to acquire express (opt-in) user consent. The opt-in must be clear and conspicuous, using plain language and prominent headings; it must also be separate from other options or general terms and conditions, and it must include a description of each act or practice for which consent is sought.

Furthermore, the bill makes clear that violations of the ENPA—including deceptive or misleading statements in the privacy policy—will be treated as unfair or deceptive practices under Section 5 of the Federal Trade Commission Act (“FTC Act”).

Enforcement under the ENPA

Section 5 enforcement under the FTC Act typically is carried out by the Federal Trade Commission using a consent decree. Under the ENPA, the FTC is expressly given the power to enforce the law; however, it is not limited to consent decrees and, instead, is given the authority to commence independent litigation. Additionally, the chief law enforcement officer of a state, including any official or agency designated by state law, will have authority to bring an action in the respective state, subject to providing prior written notice to the FTC so that the FTC may have the option to intervene. The bill specifically empowers state attorneys general “to bring a civil action in State or Federal district court to enforce [the ENPA]. Available remedies include injunctive relief, civil penalties, and other monetary relief.”

Key Considerations

It remains to be seen whether the ENPA will garner enough support to be enacted, but its bipartisan support may give it stronger legs to stand on than the prior two bills aimed at contact tracing app developers. In the meantime, here are some privacy guidelines for developers to consider:

  • Any entity that currently is providing services in connection with a contact tracing app should follow these developing laws closely as they will affect requirements of not only the provider themselves, but also the contracts between such entities and subsequent service providers.
  • In addition to the current proposed laws regarding contact tracing apps, developers should look to the Fair Information Practice Principles to implement privacy by design when engineering COVID-19-related apps. For more information about existing privacy guidelines for COVID-19-related apps, read our primer on Law360.
  • Developers should carefully review how consumer consent is being obtained (if at all) and whether consumers have the means to revoke such consent, if desired. For example, consent by means of a “pre-ticked” box, thereby requiring no clear affirmative action from users to indicate agreement to process their personal information, likely should be avoided.
  • Statements within the privacy policy must be carefully reviewed to ensure that they accurately depict the current practices of the company. The heightened enforcement rights of the FTC and state enforcing officers, particularly attorneys general, during this climate of increased concern with respect to data practices, make this an area ripe for enforcement if the law is passed.

For regular updates regarding the impact of COVID-19 and responses thereto, visit the Troutman Sanders/Pepper Hamilton COVID-19 Resource Center.