Digital Guardian's Blog

New Data Protection Act Would Regulate COVID-19 Tracing Apps

by Chris Brook on Monday May 4, 2020


The act would require “affirmative express consent” for transferring any health, location and proximity data, and allow individuals to opt out of data collection.

A new data privacy bill, introduced last week in the Senate, would implement privacy requirements for COVID-19 tracking and put safeguards in place to keep contact tracing apps in check.

Many of the contact tracing apps being discussed as of late to help prevent COVID-19 rely on Bluetooth technology and alert users if they've been near someone who's tested positive for the virus. While countries have discussed deploying different, country-specific apps, most of the discussion in the U.S. has revolved around an app developed jointly by Google and Apple.

Contact tracing is just part of the solution to help combat COVID-19, of course. It will need to be paired with case investigation, contact follow-up, monitoring, testing, clinical services, and agile data management systems, as the Centers for Disease Control and Prevention points out.

If passed, the bill, the COVID-19 Consumer Data Protection Act, would give consumers more transparency over how their personal health, geolocation, and proximity data is used by businesses.

Introduced by four Senators, Roger Wicker, R-Miss., Jerry Moran, R-Kan., Marsha Blackburn, R-Tenn., and John Thune, R-S.D., the bill would rein in companies as far as data collection goes.

The Senators, all of whom are members of the Senate Committee on Commerce, Science, and Transportation, emphasized the importance of privacy when announcing the bill last week.

“In the age of social distancing, we are leaning on technology more than ever to stay connected and obtain information,” Blackburn said. “It is paramount that as tech companies utilize data to track the spread of COVID-19, Americans’ privacy and security are not put at risk. Health and location data can reveal sensitive and personal information, and these companies must be transparent with their users.”

In addition to requiring companies to obtain express consent from individuals to collect, process, or transfer their personal health data for tracking COVID-19, the bill would require companies to delete or de-identify any personally identifiable information when it’s no longer being used for contact tracing, release transparency reports to the public outlining their data collection activities, and allow individuals to opt out of having their data collected.

Companies would also have to meet what can be assumed to be standard data minimization and security requirements for any PII they collect, and inform consumers of “how their data will be handled, to whom it will be transferred, and how long it will be retained,” as well as the point of the data collection in the first place.

Like a number of other important federal regulatory laws of late, the COVID-19 Data Protection Act would be left to state attorneys general to enforce.

The legislation comes as Congress continues to work towards crafting a federal data privacy framework. While those efforts, which largely aim to rein in data-rich tech companies, are more or less on the back burner, the Senators are hoping a more targeted effort, like this one, will be able to better tamp down consumer privacy violations stemming from COVID-19.


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.