Democratic COVID-19 Privacy Bill Includes Employment Data

May 15, 2020

Congressional Democrats introduced legislation regulating the collection, use, or disclosure of COVID-19 medical and tracking data that, in contrast to the Senate Republican measure, covers employment data, includes a private right of action, and does not preempt state laws. 

The Public Health Emergency Privacy Act would require companies to: 

  • Obtain affirmative express consent from individuals (including employees) whose emergency health data has been collected, used, or disclosed; 

  • Provide an effective mechanism for an individual to revoke consent after it is given;

  • Only collect, use, or disclose such data that is “necessary, proportionate, and limited for a good faith public health purpose,” including a service or feature to support such a purpose;

  • Take reasonable measures, where possible, to ensure the accuracy of emergency health data and provide an effective mechanism for an individual to correct inaccurate information;

  • Only disclose such data to a government entity when the disclosure is to a public health authority, and is made solely for good faith public health purposes and in direct response to exigent circumstances;

  • Establish and implement reasonable data security policies, practices, and procedures;

  • Provide notice to an individual, prior to or at the point of collection of emergency health data;

  • Issue a public report at least once every 90 days, where a company collects, uses, or discloses covered data of more than 100,000 individuals; and

  • Destroy or “render not linkable” to an individual any emergency health data 60 days after collection. 

Broad definition of “emergency health data”: The bill defines the term as “data linked or reasonably linkable to an individual or device… that concerns the public COVID–19 health emergency.”  This includes healthcare data, biometric data, geolocation data, proximity data, data on an individual’s demographic characteristics, contact information, and “any other data collected from a personal device.” 

The bill, which does not preempt state laws, includes a sweeping private right of action, with damages of $100-$1,000 per violation for negligent violations and $500-$5,000 per violation for reckless, willful or intentional violations.

More to come:  Sens. Richard Blumenthal (D-CT) and Mark Warner (D-VA) sponsored the bill from the Senate side.  On the House side, Reps. Anna Eshoo (D-CA), Zoe Lofgren (D-CA), and Suzan DelBene (D-WA), all of whom have recently introduced comprehensive consumer data privacy bills, joined the effort.  While the sponsors include some of the leading Democratic voices on data privacy, other key legislators, including the Democratic leadership on the Commerce Committee, are conspicuously absent.