The Exposure Notification Privacy Act (“ENPA”) was introduced in the Senate on June 1 in an effort to regulate the growth of contact tracing applications and similar automated notification tracking. The ENPA aims to regulate websites, apps and similar services that provide a form of automated digital notification to individuals who may have been exposed to an infectious disease and would be enforced by the FTC and State AGs. “Prior affirmative express consent” would be required to enroll an individual in any such service and the service would need to make available a Privacy Policy describing its data collection, processing and transfer practices.
The ENPA would also impose limitations on disclosure of data collected by such services, as well as minimum necessary requirements and specific data security practices, including (1) risk and vulnerability assessments; (2) corrective and preventive action to mitigate any identified risks and vulnerabilities which have been identified; and (3) breach notification. Notably, although research activities are carved out from the ENPA, activities or information subject to the Health Insurance Portability and Accountability Act (“HIPAA”) are not expressly excluded from the ENPA.
The ENPA is similar to the COVID-19 Consumer Data Protection Act (“CCDPA”), introduced previously in May. However, although both bills would regulate forms of contact tracing activities, there are key differences between the ENPA and the CCDPA:
- The ENPA focuses on confirmed diagnoses only (actual, positive or presumptive positive confirmed by public health authority or health care provider) of any infectious disease, while the CCDPA addresses not only contact tracing and the spread, signs or symptoms of COVID-19, but also compliance with social distancing and other requirements imposed by federal, state or local authorities.
- The ENPA would apply only to “automated exposure notification services” subject to the FTCA and to common carriers/certain non-profits. The CCDPA, however, would apply to any entities subject to the FTCA as well as common carriers and certain non-profits that conducted certain contact tracing activities.
- The CCDPA expressly excludes information which is subject to HIPAA, however, the ENPA does not expressly exclude such information.
- The ENPA would require collaboration, at minimum, by such services with public health authorities.
- The ENPA preserves the ability of States to enact their own contact tracing and related statutes and regulations. However, the proposed CCDPA would prohibit States from enacting their own statutes and regulations “related to” the “collection, processing, or transfer of covered data for a purpose covered by the CCDPA.”
Another bill introduced in May, the Public Health Emergency Privacy Act, although similar to the CCDPA and ENPA, would additionally provide a private right of action to individuals for violations of the proposed legislation.
The Senate isn’t the only one pushing for legislation to address contact tracing and notification services. New Jersey’s legislature has taken a somewhat different approach and introduced a data privacy bill for information collected specifically by public health agencies for COVID-19 contact tracing purposes. Public health entities and the third parties to whom they disclose information would be permitted to use the information only for contact tracing purposes. It would further require publication of the name of any third party entity to which a public health entity disclosed information for contact tracing purposes, as well as data deletion after 30 days.
