Contact tracing has quickly emerged as the go-to method for tracking the spread of coronavirus among the general population, but crucial questions surround the most effective, ethical, and legal ways of doing so. New legislation introduced this week, the COVID-19 Consumer Data Protection Act (CDPA), seeks to enact legal guardrails around the collection and use of people’s data.
The emergence of such legislation is a sign of progress, but it also highlights how far we have to go. Privacy experts are concerned about some aspects of the CDPA, and the absence of Democrat co-sponsors indicates a lack of bipartisan support. The Democrats have actually contributed their own piece of legislation, called the Consumer Online Privacy Rights Act (COPRA), which was introduced in December. The two bills emerged from the same committee — the Senate Committee on Commerce, Science, and Transportation — so the lack of bipartisanship is especially notable.
The CDPA was introduced by Senators Roger Wicker (R-MS), John Thune (R-SD), Deb Fischer (R-NE), Jerry Moran (R-S), and Marsha Blackburn (R-TN). COPRA is sponsored by Senator Maria Cantwell (D-WA), along with Senators Brian Schatz (D-HI), Amy Klobuchar (D-MN), and Ed Markey (D-MA).
Despite the obvious partisan divide, the CDPA includes much that both sides can agree on. In an announcement about the bill, Republican senators said all the right things. For example, Senator Wicker’s statement reads, “As the coronavirus continues to take a heavy toll on our economy and American life, government officials and health care professionals have rightly turned to data to help fight this global pandemic. This data has great potential to help us contain the virus and limit future outbreaks, but we need to ensure that individuals’ personal information is safe from misuse.”
Per the announcement, the CDPA includes the following:
- Require companies under the jurisdiction of the Federal Trade Commission to obtain affirmative express consent from individuals to collect, process, or transfer their personal health, device, geolocation, or proximity information for the purposes of tracking the spread of COVID-19.
- Direct companies to disclose to consumers at the point of collection how their data will be handled, to whom it will be transferred, and how long it will be retained.
- Establish clear definitions about what constitutes aggregate and de-identified data to ensure companies adopt certain technical and legal safeguards to protect consumer data from being re-identified.
- Require companies to allow individuals to opt out of the collection, processing, or transfer of their personal health, geolocation, or proximity information.
- Direct companies to provide transparency reports to the public describing their data collection activities related to COVID-19.
- Establish data minimization and data security requirements for any personally identifiable information collected by a covered entity.
- Require companies to delete or de-identify all personally identifiable information when it is no longer being used for the COVID-19 public health emergency.
- Authorize state attorneys general to enforce the Act.
In a statement to VentureBeat, Liz O’Sullivan, cofounder of ArthurAI and technology director of STOP (Surveillance Technology Oversight Project), said the CDPA is a step in the right direction, but she’s concerned that it doesn’t go far enough. “There’s nothing stopping companies from using this data to profit after the crisis, and it won’t protect people in the event that ICE or other law enforcement agencies subpoena identifiable information while the crisis is ongoing,” she said.
In a way, the issues here are business as usual for data privacy. “All the usual concerns apply: This data is a great source of power in any hands, to be politicized or used for personal gain. If companies are left with a choice to ‘delete or de-identify,’ it’s pretty clear which one they will choose,” she said, adding that “It’s telling, in fact, that Palantir, a company typically associated with national security, has already won contracts to handle this data.”
She emphasized that the danger with any bill that fails to keep a divide between public and private data is the creation of the illusion of privacy while handing governments and “state-adjacent corporate entities” expanded surveillance capabilities.
Andrew Burt, chief legal officer at Immuta and managing partner at bnh.ai, said in a statement to VentureBeat that the CDPA reinforces how important data and data analytics are to combatting the pandemic. “There’s a reason, for example, that the most thorough plans to get Americans back to work pre-vaccine start with contact tracing and monitoring — knowing who might be a carrier of the virus and where they’ve gone and who they’ve been in close proximity to is the first step to getting us to a state of reasonable safety,” he said. “Data collection and data analytics will form the backbone of those efforts. So I see the CDPA as a very clear acknowledgment of that fact.”
But Burt also noted that much more needs to be discussed around data protection laws, such as what a bill like this says about the broader state of data protection laws, the current and future role of the FTC around privacy, what counts as “health data” in a world of ubiquitous data generation and collection, applying time limits to “new surveillance mechanisms” for COVID-19, and more.
The fact that legislators are moving forward with data privacy laws is a welcome sign of progress. But Republicans and Democrats will need to find more common ground, lest the U.S. end up with data laws that fail to strike the best balance between protecting the public from COVID-19 and protecting people from future privacy abuses.