As if ediscovery practitioners and ESI (electronically stored information) compliance managers don’t already have enough data privacy concerns to contend with, say hello to the COVID-19 Consumer Data Protection Act. Coming on the heels of the California Consumer Privacy Act (which went live on January 1), the COVID-19 privacy legislation is designed to protect consumer privacy rights that might be impinged by business efforts to address COVID-19.
In particular, the bill is targeting personal health, geolocation, and proximity data that might be collected in efforts to track that nasty bug, with the goal of ensuring that “individual’s personal information is safe from misuse.” CCDPA, as the bill will likely be acronymed, gives Americans “more transparency, choice, and control over the collection and use” of such data, and “holds businesses accountable to consumers if they use personal data to fight the COVID-19 pandemic.”
As noted by the bill’s co-sponsor Sen. John Thune (R-S.D.), “While the severity of the COVID-19 health crisis cannot be overstated, individual privacy, even during times of crisis, remains critically important.” The subtext perhaps being that today’s technology allowing people to be tracked by geolocation and proximity is kind of creepy and we can’t let Orwell’s Big Brother, under the guise of big tech, gain too much traction due to a national emergency.
The Legislation in a Nutshell
Key provisions of the act include:
– Require companies to obtain affirmative express consent from individuals to collect, process, or transfer personal health, geolocation, or proximity information for the purposes of tracking the spread of COVID-19.
– Allow individuals to opt out of data collection efforts.
– Inform consumers at the point of collection how their data will be handled or transferred, and how long it will be retained.
– Clearly define what constitutes aggregate and de-identified data to ensure companies adopt technical and legal safeguards to protect consumer data from being re-identified.
– Require transparency in describing data collection efforts.
– Establish data minimization standards and data security requirements for any personally identifiable information collected.
– Require deletion or de-identification of all personally identifiable information when no longer being used to address COVID-19.
– Authorize state attorney general enforcement of the act.
Will the New Bill Prove as Challenging as the CCPA?
California’s consumer privacy law, which reaches beyond the state to apply to anyone digitally interacting with a California entity, was already presenting ediscovery challenges and raising concerns about ESI compliance. The CCPA’s provision allowing for upon-request deletion of data raises the spectre that potential evidence in future cases will be lost due to lawful deletions of data. The act also presents challenges with data preservation, as it is unclear whether the CCPA expressly allows a litigation hold to override a request for deletion. While language in the act relating to “complying with a legal obligation” suggests that a litigation hold overrides CCPA compliance, legal experts believe clarification is needed.
Depending upon how it’s crafted, the COVID-19 privacy legislation could pose similar challenges. What will take precedence: an individual’s privacy, or geolocation and proximity data that could be instrumental in resolving a legal case? There is little doubt that such questions will be debated during Senate committee hearings, but, as evidenced in the wake of 9/11, privacy concerns can easily be usurped by national security concerns. National health concerns could prove equally limiting with regard to efforts to protect personal privacy.
While the bill, if passed, does present potential new challenges to ediscovery, today’s powerful ediscovery tools, including Now Discovery’s Lumix, can easily be configured to meet them.