As promised, Senate Republicans have introduced a data privacy bill targeted at cell phone data collection in the age of pandemic--when user data, including location, could be key to contract tracing to help combat the COVID-19 virus. But there were no Democrats identified as supporting the bill, which was not an encouraging sign of the bill's prospects beyond the Republican-controlled Senate, at least in its current form. A draft was circulated last month. 

The only apparent difference in the summaries of the bill's key points was the addition of "device" information to the data being protected.

COVID-19 Consumer Data Protection Act would provide more transparency, choice and control over users' personal health, device, geolocation, and proximity data, all key to contact tracing, as well as hold businesses "accountable" to consumers if they use that data to fight the virus, according to the backers, though at least one advocacy group sees it much differently. 

There have been bipartisan concerns that contact-tracing technology employed by companies including Apple and Google could wind up producing a surveillance state or put consumer data at risk for misuse or follow-on use by third parties. 

Related: Sen. Markey Pushes Back on White House Pandemic Database 

Introducing the bill were top Republicans on key committees: Sens. Roger Wicker (R-Miss.), chairman of the Senate Commerce Committee; John Thune (R-S.D.) chairman of the Communications Subcommittee; Deb Fischer (R-Neb.), chairman of the Transportation and Safety Subcommittee; Jerry Moran (R-Kan.), chairman of the Manufacturing, Trade, and Consumer Protection Subcommittee; and Marsha Blackburn (R-Tenn.). 

Related: Senators Seek Google Assurances on COVID-19-Related Aggregation 

“During the COVID-19 pandemic, many tech companies are using data to track the spread and help keep Americans healthy,” said Fischer. “I helped introduce this legislation which will allow companies to continue innovating while providing Americans with more transparency and safeguards for how their personal data are managed.” 

The bill would: 

  • "Require companies under the jurisdiction of the Federal Trade Commission to obtain affirmative express consent from individuals to collect, process, or transfer their personal health, device, geolocation, or proximity information for the purposes of tracking the spread of COVID-19. The "device" category is an addition from the draft summary of the bill.
  • "Direct companies to disclose to consumers at the point of collection how their data will be handled, to whom it will be transferred, and how long it will be retained.
  • "Establish clear definitions about what constitutes aggregate and de-identified data to ensure companies adopt certain technical and legal safeguards to protect consumer data from being re-identified. 
  • "Require companies to allow individuals to opt out of the collection, processing, or transfer of their personal health, geolocation, or proximity information. 
  • "Direct companies to provide transparency reports to the public describing their data collection activities related to COVID-19. 
  • "Establish data minimization and data security requirements for any personally identifiable information collected by a covered entity. 
  • "Require companies to delete or de-identify all personally identifiable information when it is no longer being used for the COVID-19 public health emergency. 
  • "Require companies to delete or de-identify all personally identifiable information when it is no longer being used for the COVID-19 public health emergency. 
  • "Authorize state attorneys general to enforce the Act." 

“This is an anti-privacy bill, not a privacy bill," said Fight for the Future Executive Director Evan Greer. "Congress has been dragging its feet for years on enacting meaningful federal data privacy legislation. This bill guts the FCC’s strong privacy limits on mobile carriers, while utterly failing to give the FTC the ability to respond to abuses." 

Related