Law360 (June 2, 2020, 9:06 PM EDT) -- A bipartisan group of U.S. senators has introduced legislation that would limit how apps used as part of efforts to trace the spread of COVID-19 can sweep up users' data, including by mandating that people be able to consent to their information being collected and delete that data later.
The Exposure Notification Privacy Act, introduced late Monday by U.S. Sens. Maria Cantwell, D-Wash., and Bill Cassidy, R-La., would also require apps designed to alert users who come near someone who tested positive for the novel coronavirus to tell users and the U.S. Federal Trade Commission about data breaches "in the most expedient time possible, consistent with the legitimate needs of law enforcement."
The proposed law would bar any such app from being released to the public if it is not operated by or created in collaboration with public health authorities, as well as prohibit such apps from collecting data "for any commercial purpose," including targeted advertising. App makers would be required to only collect the "minimum amount [of data] necessary to implement an automated exposure notification service for public health purposes," according to the text of the bill.
Another provision would bar people from being prevented from entering a public place if they chose not to sign up for a COVID-19 exposure notification app.
The FTC would be tasked with enforcing the law and would be able to issue civil penalties for first-time violations, a power that the consumer protection agency currently does not have for most privacy matters that don't affect children under the age of 13. State attorneys general would also be able to enforce the bill.
The legislation, which is also co-sponsored by Sen. Amy Klobuchar, D-Minn., is an attempt to enact privacy safeguards around the various exposure notification apps that different U.S. states are building as part of efforts to trace the spread of COVID-19. Tech giants Apple and Google last month released software that allows governments to build such apps using Bluetooth technology on smartphones, and which the companies say already requires authorities to make participation voluntary.
But it remains unclear how many states plan to use the Apple/Google technology rather than create their own exposure notification software. State officials in Alabama, North Dakota and South Carolina have announced plans to use the Apple-Google software. But Utah, taking a different approach, has released a contact tracing app that unlike the Apple/Google software tracks users' GPS location data, in a move that sparked criticism from privacy watchdogs.
Apple and Google have argued that their focus on privacy will make the apps using its technology more effective by persuading more people to trust and use them. That approach has earned the companies measured praise from consumer advocates including at the American Civil Liberties Union, which wrote in a blog post that the the Apple/Google plan "offers a strong start" on the issue.
But the ACLU also raised concerns that the Bluetooth technology "proximity logs" that app users would generate under the plan would threaten the "promised anonymity" of the system, allowing individual users to be identified.
--Editing by Peter Rozovsky.
For a reprint of this article, please contact email@example.com.