May 15, 2020
Congressional Democrats introduced legislation regulating the collection, use, or disclosure of COVID-19 medical and tracking data that, in contrast to the Senate Republican measure, covers employment data, includes a private right of action, and does not preempt state laws.
The Public Health Emergency Privacy Act would require companies to:
Broad definition of “emergency health data”: The bill defines the term as “data linked or reasonably linkable to an individual or device… that concerns the public COVID–19 health emergency.” This includes healthcare data, biometric data, geolocation data, proximity data, data on an individual’s demographic characteristics, contact information, and “any other data collected from a personal device.”
The bill, which does not preempt state laws, includes a sweeping private right of action, with damages for negligent violations of $100-$1,000 per violation and reckless, willful or intentional damages at $500-$5000 per violation.
More to come: Sens. Richard Blumenthal (D-CT) and Mark Warner (D-VA) sponsored the bill from the Senate side. On the House side, Reps. Anna Eshoo (D-CA), Zoe Lofgren (D-CA), and Suzan DelBene (D-WA), all of whom have recently introduced comprehensive consumer data privacy bills, joined the effort. While the sponsors include some of the leading Democratic voices on data privacy, other key legislators, including the Democratic leadership on the Commerce Committee, are conspicuously absent.