Following the Republican-sponsored COVID-19 Consumer Data Protection Act of 2019, Democratic legislators recently introduced the Public Health Emergency Privacy Act. Senators Richard Blumenthal and Mark Warner of Connecticut and Virginia, respectively, and a group of Democratic Representatives, including Jan Schakowsky of Illinois and Anna Eshoo of California, introduced the measure.
While both measures similarly require “affirmative express consent” prior to most processing of personal information for COVID-19 purposes, notice prior to using the data, reporting requirements, and destruction after data use, the bills vary in many other respects. Some differences between the Republican and Democratic bills include preemption, enforcement authority, and civil and voting rights protections.
Perhaps the most material distinctions focus on preemption and enforcement – a common theme in federal privacy legislation. These areas continue to be sticking points between the parties in discussions regarding privacy legislation. While both measures allow for FTC and state attorney general enforcement, the Democrats’ bill also provides for a private cause of action, which would allow for damages between $100 and $1000 per negligent violation, and $500 and $5000 per reckless, willful, or intentional violation. And while the Republican measure expressly preempts any similar state measure, the Democratic measure expressly does not.
The Democratic measure also addresses other concerns regarding using health data for COVID-19 purposes where the Republican bill is silent. Specifically, the Democrats’ bill expressly prohibits the use of emergency health data for advertising or discriminatory purposes. The bill also requires the Secretary of Health and Human Services to work with both the U.S. Commission on Civil Rights and the FTC to submit a report examining how the collection, use, and disclosure of COVID-19 health information impacts civil rights issues.
In addition, the Democrats’ bill prevents government entities from restricting the right to vote based on an individual’s: (1) participation or non-participation in a program to collect emergency health data; (2) medical condition; or (3) emergency health data itself.
As with Congress’s debate over comprehensive federal privacy legislation, COVID-19 privacy legislation may come down to similar disputes over enforcement and preemption. Whether the parties will be able to agree on these issues as they apply in a more limited capacity remains to be seen.