Republican Senate Bill Would Prohibit Employers from Mandating COVID-19 Tracking

May 01, 2020

Draft legislation by Senate Republicans would require employers to obtain consent for, and allow individuals to opt out of, the collection, processing, or transfer of information for tracking the spread, signs, or symptoms of COVID-19.

The restrictions would not just apply to electronic data gathered by new contact tracing apps, such as those being developed by Apple and Google.  Covered information gathered by more traditional means, such as interviewing or screening questionnaires, would be regulated as well.   

There is no carve out in the new bill for data gathered in the employment context. 

The COVID-19 Consumer Data Protection Act would require companies to obtain affirmative express consent from individuals to collect, process, or transfer their personal health, geolocation, or proximity information for the purposes of tracking the spread of COVID-19.  It would also: 

  • Require companies to allow individuals (including employees) to opt out of the collection, processing, or transfer of such information;

  • Direct companies to disclose to consumers at the point of collection how their data will be handled, to whom it will be transferred, and how long it will be retained;

  • Establish clear definitions about what constitutes aggregate and de-identified data to ensure companies adopt certain technical and legal safeguards to protect data from being re-identified;

  • Direct companies to provide transparency reports to the public describing their data collection activities related to COVID-19;

  • Establish data minimization and data security requirements for any personally identifiable information collected by a covered entity; and

  • Require companies to delete or de-identify all personally identifiable information when it is no longer being used for the COVID-19 public health emergency.

The new requirements would be enforced by the FTC, and where violations not subject to the FTC’s authority occur, by state attorneys general.  No mention is made of the size or scope of potential fines. 

“While many businesses have taken well-intentioned steps to develop technological solutions to tracking, containing, and ending the COVID-19 pandemic, Congress must address potentially harmful practices that could stem from these innovations if not held accountable," said Sen. Moran in a statement. 

The bill's requirements would expire once the Secretary of Health and Human Services determines the current public health emergency is over. 

The effort is sponsored by Chairman of the Senate Committee on Commerce, Science, and Transportation Roger Wicker (R-MS), Sen.  John Thune (R-SD), Sen. Jerry Moran (R-KS), and Sen. Marsha Blackburn (R-TN).  The Senate Commerce Committee had taken the lead on consumer data privacy legislation before the pandemic redirected legislative efforts. 

The bottom line:  Even before COVID-19, data privacy legislation was a bipartisan priority in Congress.  However, the debate had been put on hold in the midst of the current crisis.  That pause is officially over.  This is the first salvo in what is sure to be a protracted debate over privacy in the context of the pandemic.  In the meantime, employers are striving to ensure that their workplaces are as safe as possible as in many cases they prepare for a return to the workplace.