May 08, 2020
GOP lawmakers introduced a COVID-19 tracking privacy bill that, unlike a prior draft, does not cover geolocation, proximity, or certain health data collected, processed, or transmitted for purposes of determining whether an employee is permitted to enter a workplace.
The bill, which is largely aimed at tech solutions such as Apple and Google's joint contact tracing venture, was revised to exclude “employee screening data"—i.e., geolocation, proximity, or certain health data that is collected, processed, or transferred for the purposes of determining whether an individual is permitted to enter a physical site of operation of the covered entity. The exemption covers the data of employees, owners, directors, officers, staff members, trainees, vendors, visitors, interns, volunteers, or contractors.
“Service providers” not covered by bill: The bill exempts as a covered entity service providers who process or transfer covered data for the purpose of performing one or more services or functions on behalf of, and at the direction of, a covered entity to which it is not related.
In addition to the above, the bill exempts individuals acting as “a full-time or part-time, paid or unpaid employee, owner, director, officer, staff member, trainee, vendor, visitor, intern, volunteer, or contractor of a covered entity permitted to enter a physical site of operation of the covered entity.”
A letter by HR Policy submitted to bill sponsor and Senate Commerce Committee Chairman Roger Wicker (R-MS) earlier this week noted that “the bill should, as other major federal consumer privacy legislative proposals have done, explicitly state that employment data is also out of scope.”
The COVID-19 Consumer Data Protection Act would require companies to obtain affirmative express consent from and provide prior notice to individuals to collect, process, or transfer their personal health, geolocation, or proximity information for the purposes of tracking the spread of COVID-19. It would also require covered entities to:
The measure preempts any state or local regulation of the covered data and is enforced by the Federal trade Commission and the state attorneys general. There is no private right of action.
Sen. Wicker was joined by Sens. John Thune (R-SD), Jerry Moran (R-KS), Marsha Blackburn (R-TN), and Deb Fisher (R-NE) in sponsoring the bill.
Looking ahead: Senate Democrats will counter with their own bill creating privacy protections around COVID-19 tracking. HR Policy will remain engaged in the debate as employers work to secure the safety of their stakeholders, including employees, in transitioning back to the workplace.