A COVID-19 pandemic-related privacy bill put forward by four Republican senators is drawing objections from watchdogs, who say the proposed legislation is too weak.
The COVID-19 Consumer Data Protection Act, introduced Thursday, would generally require companies to obtain people's express consent before gathering health, device, geolocation, or proximity data in order to trace the contacts of people diagnosed with the virus.
The measure, first floated late last month, was officially introduced Thursday by Republican Senators Roger Wicker (Mississippi), John Thune (South Dakota), Jerry Moran (Kansas) and Marsha Blackburn (Tennessee).
The bill also would require companies to either delete or “de-identify” all personally identifiable information when it is no longer being used for the COVID-19 outbreak.
Sponsors say the measure “would provide all Americans with more transparency, choice, and control over the collection and use of their personal health, device, geolocation, and proximity data,” and “hold businesses accountable to consumers if they use personal data to fight the COVID-19 pandemic.”
But critics say the proposed legislation has some broad exceptions that could undermine people's privacy. One of the biggest, according to advocacy group Free Press, is that the measure exempts employers from its mandates.
That exception “raises serious practical and equity concerns,” Free Press senior policy counsel Gaurav Laroia stated.
“Digital contact-tracing tools may well make workplaces safer, but the technology must be regulated,” Laroia stated. “It would be grossly unfair for people who work in unsafe conditions to then be tracked by unregulated technologies at home.”
Laroia added that the bill also exempts visitors to businesses. “If grocery stores deploy this technology to digitally screen customers, then the bill covers practically no one. These exemptions absolutely swallow the rules,” he stated.
The Open Technology Institute at New America, which is calling for “major enhancements” to the bill, says it lacks good definitions for the terms “geolocation” and “proximity.”
The organization says the failure to define those terms creates a risk that GPS location data and cell site location information won't be subject to the bill's restrictions.
“In addition,” the group states, “the bill is missing critical safeguards that would restrict any government use of information to public health authorities, and prohibit secondary uses by other government entities including law enforcement.”
When the bill was first floated, the group Public Knowledge argued that it doesn't go far enough for several reasons, including that it only applies to data collected for COVID-19-related purposes.