Senate Republican COVID-19 Privacy Bill Excludes Employee Screening Data

May 08, 2020

GOP lawmakers introduced a COVID-19 tracking privacy bill that, unlike a prior draft, does not cover geolocation, proximity, or certain health data collected, processed, or transmitted for purposes of determining whether an employee is permitted to enter a workplace.

The bill, which is largely aimed at tech solutions such as Apple and Google's joint contact tracing venture, was revised to exclude “employee screening data"—i.e., geolocation, proximity, or certain health data that is collected, processed, or transferred for the purposes of determining whether an individual is permitted to enter a physical site of operation of the covered entity.  The exemption covers the data of employees, owners, directors, officers, staff members, trainees, vendors, visitors, interns, volunteers, or contractors.

“Service providers” not covered by bill:  The bill exempts as a covered entity service providers who process or transfer covered data for the purpose of performing one or more services or functions on behalf of, and at the direction of, a covered entity to which it is not related.

In addition to the above, the bill exempts individuals acting as “a full-time or part-time, paid or unpaid employee, owner, director, officer, staff member, trainee, vendor, visitor, intern, volunteer, or contractor of a covered entity permitted to enter a physical site of operation of the covered entity.”

A letter by HR Policy submitted to bill sponsor and Senate Commerce Committee Chairman Roger Wicker (R-MS) earlier this week noted that “the bill should, as other major federal consumer privacy legislative proposals have done, explicitly state that employment data is also out of scope.”  

The COVID-19 Consumer Data Protection Act would require companies to obtain affirmative express consent from and provide prior notice to individuals to collect, process, or transfer their personal health, geolocation, or proximity information for the purposes of tracking the spread of COVID-19.  It would also require covered entities to: 

  • Allow individuals to opt out of the collection, processing, or transfer of such information; 
  • Provide a public transparency report at least 30 days after the bill's enactment describing data collection activities related to COVID-19, and every 60 days thereafter;
  • Direct companies to disclose to individuals at the point of collection how their data will be handled, to whom it will be transferred, and how long it will be retained;
  • Take "reasonable measures" to ensure accuracy of data and provide an effective mechanism for individuals to report inaccuracies; 
  • Establish data minimization and data security requirements for any personally identifiable information collected by a covered entity; and
  • Require companies to delete or de-identify all personally identifiable information when it is no longer being used for the COVID-19 public health emergency. 

The measure preempts any state or local regulation of the covered data and is enforced by the Federal trade Commission and the state attorneys general.  There is no private right of action. 

Sen. Wicker was joined by Sens. John Thune (R-SD), Jerry Moran (R-KS), Marsha Blackburn (R-TN), and Deb Fisher (R-NE) in sponsoring the bill. 

Looking ahead: Senate Democrats will counter with their own bill creating privacy protections around COVID-19 tracking.  HR Policy will remain engaged in the debate as employers work to secure the safety of their stakeholders, including employees, in transitioning back to the workplace.