BillThis article appeared in Law360 on May 14, 2020.  A group of Republican senators have introduced a new privacy bill that would impose strict privacy obligations on contact tracing apps operated by entities not subject to the Health Insurance Portability and Accountability Act.

Most notably, the COVID-19 Consumer Data Protection Act would obligate such entities to obtain express affirmative consent from individual consumers before using their geolocation, proximity or personal health data.

Significantly, geolocation, proximity or personal health information collected for other purposes, including for marketing or other for-profit uses would not be regulated. This focus on certain uses of data could give rise to commercial speech concerns because it potentially could be seen as content and viewpoint discrimination.

Separate issues could arise from the bill’s broad attempt at federal preemption, which may raise federalism issues and prove to be sticking points in the bill’s progression.

Main Requirements

The COVID-19 Consumer Data Protection Act establishes potentially onerous obligations for companies attempting to fight the coronavirus using personal data. The bill’s provisions on consent, transparency, data deletion, data minimization and security are reminiscent of sweeping privacy regimes such as the EU’s General Data Protection Regulation and the California Consumer Privacy Act.

Significantly, the COVID-19 Consumer Data Protection Act would require those entities subject to this act to (also confusingly defined as “covered entities” as discussed below):

  • Provide prior notice to individuals of the reasons for collecting, processing, or transferring their geolocation, proximity or personal health information;
  • Obtain affirmative express consent from individuals before collecting, processing or transferring their information for specified COVID-19-related purposes;
  • Inform individuals, through a privacy policy provided before or at the time of data collection, of the purpose and categories of data collected, with whom data are shared, and how the data will be stored and handled;
  • Issue a public transparency report at least every 30 days describing the data collected and related activities;
  • Allow individuals to opt out of the collection, use or transfer of their geolocation, proximity or personal health information and stop such collection or de-identify the data upon receipt of an opt-out request;
  • Delete or de-identify an individual’s geolocation, proximity or personal health information when no longer being used for a specified COVID-19-related purpose;
  • Establish data minimization requirements to collect, process or transfer an individual’s geolocation, proximity or personal health information; and
  • Establish, implement and maintain reasonable administrative, technical and physical data security policies and practices to protect against security risks to the information collected.

Selective Coverage

Despite the bill’s broad requirements, its impact would focus mainly on technology companies outside of traditional health care. For example, tech companies working on contact tracing apps that employ individual geolocation data would be covered, but other organizations collecting similar information for advertising or other purposes would be excluded. The act defines those entities, as well as the data, covered by the act as follows:

Covered Entities

Significantly, the bill would apply only to personal health information not subject to HIPAA, meaning that HIPAA-covered entities would be excluded from its requirements. The act uses the term “covered entities” to apply to (1) any entity or person subject to Federal Trade Commission enforcement, (2) nonprofits, and (3) common carriers who collect, process or transfer precise geolocation data, proximity data or personal health information. Employers are not excluded.

Covered Data

Geolocation data includes any information capable of identifying an individual’s past or present location. Proximity data refers to information capable of reasonably identifying the past or present proximity of one individual to another. Personal health information includes an individual’s genetic information or “information relating to the diagnosis or treatment of past, present, or future physical, mental health, or disability of the individual,” if such information identifies or is reasonably linkable to an individual.

As noted above, the bill excludes personal health information already subject to HIPAA from its requirements. This means that covered entities under HIPAA likely would not be subject to the requirements of the COVID-19 Consumer Data Protection Act. For example, a COVID-19 diagnosis or test results disclosed by an individual’s health care provider would not constitute covered data under the act to the extent that such provider is subject to HIPAA.

In contrast, apps that rely on individual input of COVID-19-related health information such as self-diagnosis or data derived from another source not subject to HIPAA, would have to comply with the act.

Covered Purposes

The legislation is further limited in scope because it applies only to data collected, processed or transferred for three specific pandemic-related purposes. The COVID-19 Consumer Data Protection Act would apply to the collection, processing or transfer of an individual’s data to (1) track the spread, signs or symptoms of COVID-19, (2) measure compliance with social distancing guidelines or other legal requirements related to COVID-19, or (3) conduct contact tracing for COVID-19 cases.

This means that organizations would still be free to use consumer geolocation or personal health information for other purposes, even if indirectly related to an individual’s infection status, because the draft bill’s restrictions apply only to uses specifically related to COVID-19. Nevertheless, the bill would not otherwise prohibit companies from selling geolocation, proximity or personal health information, or from using such information to make inferences about an individual’s health status or to use it for advertising purposes.

Supporters, Enforcement and Preemption

The COVID-19 Consumer Data Protection Act was introduced by U.S. Sens. Roger Wicker, R-Miss., chairman of the Senate Committee on Commerce, Science, and Transportation, John Thune, R-S.D, chairman of the Subcommittee on Communications, Technology, Innovation, and the Internet, Jerry Moran, R-Kan., chairman of the Subcommittee on Consumer Protection, Product Safety, Insurance and Data Security, and Marsha Blackburn, R-Tenn.

The proposed bill would preempt any state law related to the collection, processing or transfer of covered information for the purposes specified in the act. This preemption provision may prove to be a contentious issue, as it may cut against the federalism/state prerogative concerns of other Republican senators and congressional representatives.

The FTC would be responsible for enforcement of the act under its powers regarding unfair or deceptive acts and practices. Additionally, the act authorizes state attorneys general to bring civil suits on behalf of their states’ residents to enforce the act’s provisions, enjoin practices that violate the act, and obtain damages or other appropriate relief.

Constitutional Concerns

As noted at the outset, the bill in its current form faces at least two legal hurdles.

First, its attempt to regulate only certain uses of data and only by certain entities may be unconstitutional content and viewpoint discrimination — albeit perhaps a real consequence of the absence of a baseline federal privacy law and the complexity of the boundaries of HIPAA.

Second, its preemption provision raises federalism issues involving an area of traditional state regulation.

First Amendment

The key to the First Amendment concerns flows from Sorrell v. IMS Health Inc.[1] In Sorrell, the U.S. Supreme Court struck down a Vermont law on grounds that it impermissibly restricted free speech based on the content of the speech and on the identity of the speaker. At issue was information about the prescribing practices of individual doctors.

Vermont’s law prohibited the sale, disclosure or use of such prescriber-identifying information by pharmacies, data mining companies and other regulated entities for marketing purposes — but not for other purposes — absent the prescriber’s consent. The court held that the law on its face discriminated against disfavored speech by disfavored speakers and was subject to heightened judicial scrutiny as a result.[2] Sorrell clearly recognized the regulation of even commercial data implicated First Amendment concerns.

Sorrell may well signal that same conclusion for the COVID-19 Consumer Data Protection Act. Because the proposed act would prohibit the use of proximity, health and geolocation information, absent consent, only for three specified COVID-related purposes — but not others — it is a content-based restriction. Furthermore, the bill’s exclusion of HIPAA-covered data and limited covered purposes appear to disfavor only certain speakers, namely tech companies and organizations focused on the development of contact tracing apps.

As in Sorrell, the bill still allows geolocation, proximity and health information to be “purchased or acquired by other speakers with diverse purposes and viewpoints,” amounting to viewpoint discrimination.[3] For example, a data mining company would be free to purchase and use the same information prohibited to contact tracing companies for advertising, or the government could use it to build profiles about certain segments of the population. Additionally, a content-based restriction need not also discriminate based on viewpoint in order to be subject to heightened judicial scrutiny.[4]

The Sorrell court noted that content and viewpoint restrictions are almost presumptively invalid, and, indeed, the court has rarely found any such restriction to pass constitutional muster. What heightened judicial scrutiny means is an interesting question, particularly given the court’s traditional deference to exceptional measures in the middle of national crises. Facing an argument that prescriber-identifying information constitutes only commercial speech, the Sorrell court applied intermediate scrutiny to the Vermont law and found it deficient.

A few years later in Reed v. Town of Gilbert, however, the court indicated that the more challenging strict scrutiny test applies to content-based restrictions. The COVID-19 Consumer Data Protection Act likely fails both tests, as was the case in Sorrell. And the changes in the Supreme Court in the past years have only increased its sensitivity to First Amendment concerns.

To survive intermediate scrutiny, the government must demonstrate that its content-based restriction “directly advances a substantial governmental interest and that the measure is drawn to achieve that interest.”[5] The bill’s stated interest is to “protect the privacy of consumers’ personal health information, proximity data, and geolocation data” during the pandemic. But the bill would protect the information only if used for certain limited purposes, and, as drafted, fails to protect the privacy of the same information used for other purposes, such as marketing, during the pandemic.

Oddly, the data could be used to sell pick-up trucks, but not track disease. Failing to prohibit uses for other purposes does not advance the government’s interest in privacy; rather, it works against it. As the court found in Sorrell, the bill’s purported protections present a contrived choice to consumers: Consent, and have personal geolocation, proximity and health information shared broadly with anyone, or refuse consent, and still have personal information shared for other purposes.

The choice here, however, is perhaps more perverse. Choosing to withhold consent would potentially hinder the development of contact tracing apps and other technology that could help stem the crisis. Arguably more nefarious purposes, however, such as targeted advertising and profiling, could proceed unfettered.

Because the bill likely would not pass intermediate scrutiny, it also necessarily fails a more stringent strict scrutiny review. Strict scrutiny requires the government “to prove that the restriction furthers a compelling interest and is narrowly tailored to achieve that interest.”[6] An underinclusive law that “leaves appreciable damage to that supposedly vital interest unprohibited” is not narrowly tailored and fails the test.[7]

Because the COVID-19 bill fails to protect the privacy of consumer’s geolocation, proximity and personal health data in contexts beyond three COVID-19 related purposes, it is underinclusive and likely cannot survive strict scrutiny.

The outcome of Barr v. American Association of Political Consultants, currently before the court this term, is of particular interest to the constitutionality of the proposed bill. The case will decide the fate of the government-debt exception to the Telephone Consumer Protection Act of 1991’s automated-call restriction.

According to the challengers, the exemption is a content-based restriction that favors government debt collectors over others and fails to meet strict scrutiny. The government has argued that the exemption is narrowly tailored and content-neutral in any case.

How the court decides whether the exemption is a content-based restriction and the level of scrutiny it chooses to apply will be of great consequence to the constitutional validity of the COVID-19 Consumer Data Protection Act.

Federalism

The bill’s broad federal preemption provision strikes at the heart of federalism issues. The provision contemplates federal preemption in an area traditionally left to regulation by state police powers, public health. How information can be used to fight a public health crisis, or how individual information should be protected from misuse during a public health crisis, then, fits within an area generally reserved to state authority by the 10th Amendment.

The bill’s provision preempts any state legislation related to personal health, geolocation or proximity data for one of the specified purposes — a potentially broad sweep. In cases involving similar provisions, the Supreme Court has suggested that a state law relates to a specified matter federal concern when it is connected with or references the federal matter.[8]

State laws attempting to impose stricter requirements for personal information during the crisis may be subject to preemption by the bill. However, the scope of express preemption may be limited significantly because the bill provides that state law related to covered data is preempted only to the extent that it is used for one of the three covered purposes.[9]

An express preemption provision does not preclude a further implied preemption analysis. If the bill is found to occupy the entire field of uses for geolocation, proximity and health information during the pandemic, its sweep could be broader than contemplated under an express preemption analysis. This outcome would infringe on states’ traditional regulatory powers and lead to strange outcomes.

For example, it may prevent states from prescribing more privacy-protective measures for personal information used in other contexts during the pandemic, even while leaving personal information exposed to privacy harms. This result works against the bill’s stated purpose to protect consumer privacy during the coronavirus crisis. The possibility of such far-reaching preemption could prevent the bill from obtaining the support it needs for enactment.

[1] Sorrell v. IMS Health Inc. , 564 U.S. 552 (2011).

[2] Sorrell, 564 U.S. at 564.

[3] Id.

[4] See e.g., Reed v. Town of Gilbert , 135 S. Ct. 2218, 2230 (2015); Cincinnati v. Discovery Network, Inc. , 507 U.S. 410 (1993).

[5] Sorrell, 564 U.S. at 572.

[6] Reed, 135 S. Ct. at 2231.

[7] Id. at 2232.

[8] See, e.g., Rowe v. N.H. Motor Transport Ass’n , 552 U.S. 364, 370 (2008); Morales v. Trans World Airlines, Inc. , 504 U.S. 374, 383 (1992); Shaw v. Delta Air Lines, Inc.  463 U.S. 85, 96 (1983).

[9] See Dan’s City Used Cars, Inc. v. Pelkey, 569 U.S. 251, 261 (2013).