Congress To Closely Examine Privacy During COVID-19 Pandemic
Congress has been unable to come to agreement on comprehensive privacy legislation in the past few years, but it has a new set of privacy topics on the horizon: how to handle a range of privacy issues in the context of the COVID-19 pandemic. This week, the Senate will hold its first hearing on COVID-19 and privacy – a “paper hearing” – that will explore the use of aggregated geolocation data in tracking the spread of the disease. Congress will likely continue to remain engaged on this topic, and there are a number of privacy issues that it could tackle as it moves forward. Here are some highlights:
-
Geolocation data. On April 9, the Senate Committee on Commerce, Science, and Transportation will hold a “paper hearing” on “Enlisting Big Data in the Fight Against Coronavirus.” It will include an examination of “uses of aggregate and anonymized consumer data to identify potential hotspots of coronavirus transmission and to help accelerate the development of treatments.” Topics will include “how consumers’ privacy rights are being protected” and also how the government will handle COVID-related data going forward. Aggregated mobile phone data has provided key insights on how personal behavior has shifted in the wake of the coronavirus spread and local orders to facilitate social distancing, and one question is how much more extensive its use will be. As we’ve noted, individual mobile phone tracking is being used worldwide as a means of combating the spread of COVID-19, but would raise serious issues under U.S. privacy laws. How Congress assesses the costs versus benefits to COVID-19 tracking, particularly when compared to other countries, will be a debate worth watching.
-
The privacy of aggregated geolocation data will likely emerge as an issue outside of the context of mobile phones as well. For example, one health tech company whose CEO has been invited to testify as a witness this week touts that it can leverage the data it collects through its smart thermometer to help identify coronavirus hot spots days faster than the CDC. Meanwhile, some observers have suggested that the spread of the virus can be tracked through the use of data generated by social media accounts, while facial recognition firms may be able to contribute to efforts at contact tracing. Each of these use cases is likely to draw questions such as how collected data is anonymized, stored, secured, or destroyed.
-
Remote connections. “Stay at home” and business shutdown orders have resulted in substantial numbers of individuals working remotely from their homes – and connecting via apps and services that previously did not operate at the same scale. This has raised concerns about the privacy of communications over these services. Additionally, employers must also be concerned with cybersecurity of their systems with so many remote users. Given these unexpected demands, Congress might look at how agencies should respond and help facilitate data privacy and security in these unpredictable times.
-
Enforcement of CCPA. In recent weeks numerous trade associations have asked the California Attorney General to postpone the implementation of the California Consumer Privacy Act (CCPA), which is set to be enforced beginning on July 1st. In support of their push for delay, the trade groups have pointed to the financial costs associated with complying with the law – especially for small businesses already fearful of severe economic impacts created by COVID-19 – as well as the logistical challenges created by stay-at-home orders that have prevented companies from fully operationalizing CCPA’s mandates. Given that some of the co-leaders of the push to delay CCPA will be testifying at Thursday’s paper hearing, one should not be surprised if several Senators raise questions about the wisdom of enforcing CCPA in the midst of a pandemic.
-
Kids’ privacy. Remote connection services are also being used in innovative ways for educational purposes. At the same time, the Children’s Online Privacy Protection Act (COPPA) imposes requirements on many operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age. Congress may look more closely at COPPA compliance issues, and more generally at how children’s information is protected in a learning environment that has moved so quickly online.
-
Employment situations. As we covered in a recent webinar, dealing with coronavirus will require employers to deal with potentially sensitive health information in the workplace. As governments think about plans for employees to eventually return to work while still protecting public health, employers will need to navigate these concerns as well, and Congress may weigh in.
The COVID-19 pandemic and the government and industry response are moving quickly. But already, privacy concerns are surfacing that are going to be more closely explored by Congress and regulators. And while the Senate Commerce committee has shot out of the gates in examining these issues, we expect bicameral and bipartisan interest as policymakers grapple with how to sensibly think about the federal government’s role in crafting privacy policy. Even without passing comprehensive privacy legislation, Congress will have an opportunity through oversight and future COVID-19-related legislation to weigh in on a number of important privacy issues.