Senators to introduce COVID-19 contact tracing privacy legislation

Lawmakers on Thursday announced new legislation aimed at protecting consumer privacy from contact tracing apps. Credit: Martin Falbisoner

The COVID-19 Consumer Data Protection Act would "provide all Americans with more transparency, choice, and control over the collection and use of their personal health, geolocation, and proximity data" during the coronavirus pandemic, Sens. Roger Wicker (MS), John Thune (SD), Jerry Moran (KS) and Marsha Blackburn (TN) said in a joint statement.

Though not specifically named, it's likely that the legislation would apply to the contact tracing framework that Apple and Google announced in April.

Specifically, companies would be required to obtain consumer consent before using data to track the spread of coronavirus and allow users to opt out at any time. It also compels companies to let users know how their data is being used, how long it might be stored, and with whom it might be shared. Additionally, companies would be required to delete or anonymize information after it's no longer needed.

Most of those requirements are already baked into the Apple-Google API. The tech giants' system relies on anonymized data stored in a decentralized manner, and both companies are requiring that app developers offer contact tracing on a strictly opt-in basis. Apple and Google have also pledged to dismantle the system after it's no longer needed.

Since the idea originated at Apple in March, the Cupertino tech giant worked with its in-house cryptographers to ensure that the system would protect consumer privacy and security at every level.

Some of those protections have caused Apple and Google to clash with other governments, like the U.K., that are opting for a system that stores information in a centralized database. France and Germany have also floated a centralized system, though Germany has since changed its stance and backed Apple and Google's methodology.

But some privacy advocates, like Sara Collins, policy counsel at watchdog group Public Knowledge, are raising their own concerns about the bill. Collins said that the legislation gives no new resources, enforcement powers or rule-making authority to the Federal Trade Commission, The Verge reports.

She claims it also preempts much stronger Federal Communications Commission privacy protections on mobile carriers, and also preempts states from "adopting or enforcing any stricter privacy protections in the absence of strong federal protections at the FTC."

She called the legislation "deregulation disguised as consumer protection" and says that it provides "little protection for Americans' privacy during the COVID-19 epidemic."

Apple and Google released beta versions of their exposure notification APIs to developers this week ahead of a wide launch in mid-May.