A COVID-19 pandemic-related related privacy bill
put forward by four Republican senators is drawing objections from watchdogs, who say the proposed legislation is too weak.
The COVID-19 Consumer Data Protection Act, introduced Thursday would
generally require companies to obtain people's express consent before gathering data health, device, geolocation, or proximity, in order to trace the contacts of people diagnosed with the virus.
The measure, first floated late last month, was officially introduced Thursday by Republican Senators Roger Wicker (Mississippi), John Thune (South Dakota), Jerry Moran (Kansas) and Marsha
Blackburn (Tennessee).
The bill also would require companies to either delete or “de-identify” all personally identifiable information when it is no longer being used for the
COVID-19 outbreak.
Sponsors say the measure “would provide all Americans with more
transparency, choice, and control over the collection and use of their personal health, device, geolocation, and proximity data,” and “hold businesses accountable to consumers if they use
personal data to fight the COVID-19 pandemic.”
But critics say the proposed legislation has some broad exceptions that could undermine people's privacy. One of the biggest, according to
advocacy group Free Press, is that the measure exempts employers from its mandates.
That exception “raises serious practical and equity concerns,” Free Press senior policy counsel
Gaurav Laroia stated.
“Digital contact-tracing tools may well make workplaces safer, but the technology must be regulated,” Laroia stated. “It would be grossly unfair for
people who work in unsafe conditions to then be tracked by unregulated technologies at home.”
Laroia added that the bill also exempts visitors to businesses. “If grocery stores
deploy this technology to digitally screen customers, then the bill covers practically no one. These exemptions absolutely swallow the rules,” he stated.
The Open Technology Institute at
New America, which is calling for “major enhancements” to the bill, says it lacks good definitions for the terms “geolocation” and “proximity.”
The
organization says the failure to define those terms creates a risk that GPS location data and cell site location information won't be subject to the bill's restrictions.
“In
addition,” the group states, “the bill is missing critical safeguards that would restrict any government use of information to public health authorities, and prohibit secondary uses by
other government entities including law enforcement.”
When the bill was first floated, the group Public Knowledge argued that it doesn't go far enough for several reasons, including that it
only applies to data collected for COVID-19-related purposes.