Contact tracing has quickly emerged as the go-to method of tracking the spread of the coronavirus among the general population, but there have been crucial questions around the most effective, ethical, and legal ways of doing so. New legislation introduced this week, the COVID-19 Consumer Data Protection Act (CDPA), seeks to enact legal guardrails around the collection and use of people’s data.
It’s a sign of progress that legislation is emerging around this issue, but it also highlights that there’s a way to go yet. The CDPA has some issues that privacy experts are concerned about, and the lack of any Democrat co-sponsors indicates a lack of bipartisan support. The Dems actually have their own version of this type of legislation, called the Consumer Online Privacy Rights Act (COPRA), which was introduced in December. Both bills emerged from the same committee — the Senate Committee on Commerce, Science, and Transportation — and so the lack of bipartisanship is especially notable.
The CDPA was introduced by Senators Roger Wicker (R-MS), John Thune (R-SD), Deb Fischer (R-NE), Jerry Moran (R-S), and Marsha Blackburn (R-TN). COPRA is sponsored by Senators Maria Cantwell (D-WA), along with Brian Schatz (D-HI), Amy Klobuchar (D-MN), and Ed Markey (D-MA).
Despite the partisanship, the CDPA includes much that all sides can agree on. And in an announcement about the bill, the Republican Senators said all the right things. For example, Senator Wicker’s statement reads, “As the coronavirus continues to take a heavy toll on our economy and American life, government officials and health-care professionals have rightly turned to data to help fight this global pandemic. This data has great potential to help us contain the virus and limit future outbreaks, but we need to ensure that individuals’ personal information is safe from misuse.”
Per the announcement, the CDPA includes the following:
- Require companies under the jurisdiction of the Federal Trade Commission to obtain affirmative express consent from individuals to collect, process, or transfer their personal health, device, geolocation, or proximity information for the purposes of tracking the spread of COVID-19.
- Direct companies to disclose to consumers at the point of collection how their data will be handled, to whom it will be transferred, and how long it will be retained.
- Establish clear definitions about what constitutes aggregate and de-identified data to ensure companies adopt certain technical and legal safeguards to protect consumer data from being re-identified.
- Require companies to allow individuals to opt out of the collection, processing, or transfer of their personal health, geolocation, or proximity information.
- Direct companies to provide transparency reports to the public describing their data collection activities related to COVID-19.
- Establish data minimization and data security requirements for any personally identifiable information collected by a covered entity.
- Require companies to delete or de-identify all personally identifiable information when it is no longer being used for the COVID-19 public health emergency.
- Authorize state attorneys general to enforce the Act.
In a statement to VentureBeat, Liz O’Sullivan, cofounder of ArthurAI and technology director of STOP (Surveillance Technology Oversight Project), said that the CDPA is a step in the right direction, but she’s concerned that it doesn’t go far enough. “There’s nothing stopping companies from using this data to profit after the crisis, and it won’t protect people in the event that ICE or other law enforcement agencies subpoena identifiable information while the crisis is ongoing,” she said.
In a way, the issues here are business as usual for data privacy. “All the usual concerns apply: This data is a great source of power in any hands, to be politicized or used for personal gain. If companies are left with a choice to ‘delete or de-identify,’ it’s pretty clear which one they will choose,” she said, adding that “It’s telling, in fact, that Palantir, a company typically associated with national security, has already won contracts to handle this data.”
She emphasized that the danger with any bill that fails to keep a divide between public and private data is the creation of the illusion of privacy while handing governments, and “state-adjacent corporate entities,” expanded surveillance capabilities.
Andrew Burt, chief legal officer at Immuta and managing partner at bnh.ai, said in a statement to VentureBeat that the CDPA does serve to reinforce how important data and data analytics are to combatting the pandemic. “There’s a reason, for example, that the most thorough plans to get Americans back to work pre-vaccine start with contact tracing and monitoring — knowing who might be a carrier of the virus, and where they’ve gone and who they’ve been in close proximity to, is the first step to getting us to a state of reasonable safety,” he said. “Data collection and data analytics will form the backbone of those efforts. So I see the CDPA as a very clear acknowledgement of that fact.”
But Burt also noted that there is much more that needs to be discussed around data protection laws, such as what a bill like this says about the broader state of data protection laws, the current and future role of the FTC around privacy, what counts as “health data” in a world of ubiquitous data generation and collection, applying time limits to “new surveillance mechanisms” for COVID-19, and more.
The fact that legislators are moving forward with data privacy laws is a welcome sign of progress. But Republicans and Democrats will need to do more to come to consensus lest the U.S. ends up with data laws that fail to strike the best balance between protecting people from the coronavirus and protecting people from future abuses.