A COVID-19 pandemic-related related privacy bill put forward by key Republican senators exempts “employee screening data” from its general requirement that companies must obtain individuals’ express consent before gathering data on geolocation, proximity, or health for purposes of determining whether an employee is permitted to enter a workplace.
An earlier draft of the measure would have required employers to obtain consent for, and allow individuals to opt out of, the collection, processing, or transfer of information for tracking the spread, signs, or symptoms of COVID-19.
The newly introduced bill, which is largely aimed at tech solutions such as Apple and Google's joint contact tracing venture, was revised to exclude the data of employees, owners, directors, officers, staff members, trainees, vendors, visitors, interns, volunteers, or contractors. The measure also exempts as a covered entity any service providers that process or transfer covered data for the purpose of performing one or more services or functions on behalf of, and at the direction of, a covered entity to which it is not related.
The revisions appear to respond to concerns voiced last week by the HR Policy Association (HRPA) that the draft bill language would have made it harder for employers to reopen their workplaces in a way that does not exacerbate the pandemic.
“While the draft bill’s protections requirements may be appropriate in a consumer context, they would prevent an employer from mandating broad workforce participation in COVID-19 protective measures right at the time companies are working to reopen workplaces and get the economy moving again,” HRPA President and CEO Tim Bartl said in a letter to bill sponsor and Senate Commerce Committee Chairman Roger Wicker (R-MS).
Outside of the employment context, the COVID-19 Consumer Data Protection Act would require companies to obtain affirmative express consent from and provide prior notice to individuals to collect, process, or transfer their personal health, geolocation, or proximity information for the purposes of tracking the spread of COVID-19. It would also require covered entities to:
The legislation preempts any state or local regulation of the covered data and includes no private right of action.
Republican supporters hope to win some support from Democrats for the bill and include it in a future coronavirus relief package, but the outlook is uncertain. Wicker and other lawmakers have tried to negotiate a broader bipartisan privacy bill that would set new federal safeguards for the collection and use of consumer data. That push has faltered over partisan differences over whether a national standard should override state laws or allow consumers to sue companies. The debate is set to heat up again, however, amid the drive to slow the pandemic and as employers strive to make their workplaces are as safe as possible as return-to-work efforts advance.