The bipartisan Exposure Notification Privacy Act, a bill that would protect consumer privacy in COVID-19 tracking apps and put public health agencies at the controls, has been introduced in the Senate.
The bill would ensure that participation in commercial notification systems is voluntary, with "strong" controls over consumers' personal data and limits on the type of data collected and how it can be used, according to Cantwell's office.
Public health officials are exploring using exposure notification technologies to track and stem the spread of COVID-19.
The bill was introduced by Sens. Maria Cantwell (D-Wash.), ranking member of the Senate Commerce Committee, and Bill Cassidy (R-La.). Sen. Amy Klobuchar (D-Minn.) will co-sponsor the bill.
“Public health needs to be in charge of any notification system so we protect people’s privacy and help them know when there is a warning that they might have been exposed to COVID-19,” said Cantwell.
The bill would:
1. "Require that public health officials be involved with the deployment of any exposure notification systems. In order to give consumers the confidence they need that the apps they are using are legitimate and not created by unqualified actors, public health officials would be involved in the deployment of any commercial apps used by consumers.
2. "Allow only medically-authorized diagnoses be submitted to exposure notification systems. In order to guard against false reports, exposure notification systems would only accept authorized medical diagnoses.
3. "Require that participation be voluntary and based on consumer consent. In order to protect consumer choice, participation in exposure notification systems would be voluntary and require affirmative, express user consent.
4. "Limit the collection and use of data to that which is necessary for the purpose of the system and prohibit any commercial use of data. In order to protect user rights and privacy, apps would be prohibited from collecting or using any data not absolutely necessary and would be strictly prohibited from using data for any commercial use.
5. "Allow participants to delete their data from an exposure notification system at any time. In order to protect consumer privacy and safeguard consumer rights, users would be able to delete their data from the systems at any time.
6. "Prohibit discrimination against an individual based on information provided to an exposure notification system. In order to safeguard users and promote participation, the legislation prohibits discrimination against any individual in places of public accommodation based on the information they provide to an exposure notification system, or based on their choice not to participate.
7. "Create strong data security safeguards. In order to protect user data, the legislation creates comprehensive data security requirements and obligations to immediately notify individuals in the event of a security incident.
8. "Create strict enforcement measures. In order to ensure consumer rights are protected, federal and state authorities would be empowered to prosecute violations and pursue strong penalties, and state laws and rights will be preserved."
"We need to regulate apps that provide COVID-19 exposure notification to protect a user’s privacy, prevent data misuse, and preserve our civil rights -- and this bill offers a roadmap for doing all three," said Public Knowledge policy counsel Sara Collins. "The bill marks a valuable first step in the long road ahead to protecting Americans’ data."
“The novel coronavirus pandemic presents one of the greatest national and personal security challenges in recent history," said National Urban League senior VP of policy and advocacy Clint Odom. "The times demand a contact tracing effort of historic human and technological proportions. The Exposure Notification Privacy Act can help us flatten the curve and perhaps get ahead of it. Contact tracing technology can only gain widespread adoption with the features of consumer choice, data protection, and limited duration."