2019 Federal Privacy Legislation Update

2019 saw the introduction of a number of bills constituting federal privacy legislation. These bills were introduced with bipartisan support and seek to enhance consumer privacy and security protections. 2019 federal privacy legislation efforts are discussed below.

What Federal Privacy Legislation Has Been Introduced in 2019?

Several pieces of federal privacy legislation were introduced in 2019.

First Piece of Federal Privacy Legislation:The Protecting Personal Health Data Act

Proposed legislation known as the Protecting Personal Health Data Act was introduced in June of 2019 by Senator Amy Klobuchar (D-Minn.). This legislation, co-sponsored by Senator Lisa Murkowski (R-Alaska), would place privacy restrictions on wearable devices, health applications, and DNA testing kits.

Currently, there is limited government oversight of these devices and the PHI companies collect or use from the devices because HIPAA does not cover wearable health devices or health and wellness apps in any of its regulations, including the HIPAA Privacy Rule, and the HIPAA Security Rule. Furthermore, since the passage of HIPAA in 1996, no other federal laws designed to regulate these devices and their PHI have been passed.

Second Piece of Federal Privacy Legislation: The National Patient Identifier Repeal Act

When HIPAA was enacted in 1996, the law called for the development of a unique patient identifier (sometimes referred to as a “national patient identifier”). Almost immediately, privacy advocates began to lobby against this development, fearing a unique patient identifier – a Social Security Number for someone’s health information, in effect – could place patient privacy at risk. In 1999, Congress passed legislation prohibiting the Department of Health and Human Services from funding, implementing or developing a unique patient identifier system. This ban has been in place since then. Recent legislative activity in the US Senate seeks to preserve this status quo. 

Specifically, Senator Rand Paul of Kentucky, in September of 2019, introduced the National Patient Identifier Repeal Act to remove the language in HIPAA about development of a unique patient identifier. Senator Paul has stated that developing a unique patient identifier could raise significant privacy concerns, as a single number could be used to describe a patient, as well as provide voluminous information about that patient.

In introducing the legislation, Senator Paul noted how the physician-patient relationship relies upon privacy and trust, and how the doctor-patient relationship would, in his view, be thrown into jeopardy by a national patient ID.

Third Piece of Federal Privacy Legislation: The Smartwatch Data Act

In November of 2019, Congress introduced the Stop Marketing and Revealing the Wearables and Trackers Consumer Health Data Act, nicknamed the Smartwatch Data Act. The legislation, introduced by Democratic Senator Jacky Rosen and Republican Senator Bill Cassidy, aims to ensure that health data collected through fitness trackers, smartwatches, and health apps, cannot be sold without the consent of a consumer.

The bill is designed to fill in a regulatory gap left open by the HIPAA Privacy Rule. That rule bans the disclosure of protected health information (PHI) in certain instances (for example, disclosure of psychotherapy notes is generally not permitted). However, there is no prohibition on use, sharing, or selling health data that is collected, stored, and transmitted by fitness trackers, wearable devices, and health apps – the Privacy Rule has never been updated to encompass these technologies.  At present, consumers have no control over who can access this information. The Smartwatch Data Act aims to address this “gap” in privacy.

Fourth Piece of Federal Privacy Legislation: The Consumer Online Privacy Rights Act (COPRA)

On November 26, 2019, Democratic Senator Maria Cantwell introduced legislation known as the Consumer Online Privacy Rights Act 

Under this legislation, individual consumers themselves have enforcement powers. In other words, COPRA contains a private right of action allowing individuals to enforce its terms. Individuals who are subjected to COPRA violations may bring civil lawsuits, and may obtain damages, injunctive relief, and attorneys fees.

Notably, the law also bars companies from forcing consumers to submit to arbitration instead of litigation. Arbitration Is viewed as more company-friendly than litigation and generally results in a lower monetary award being given to consumers than is generated by litigation. 

Under COPRA, state Attorneys General and consumer protection officers may enforce the law. In addition, the law calls for the creation of an FTC-like bureau to enforce the law.  

Another consumer-friendly feature of COPRA is that under COPRA, state laws offering greater protection to consumers are not preempted – unless those state laws directly conflict with COPRA.

Fifth Piece of Federal Privacy Legislation: The United States Consumer Data Privacy Act (USCDPA)

On November 29, 2019, Republican Senator Roger Wicker introduced equivalent legislation to COPRA, known as the United States Consumer Data Privacy Act (USCDPA).Under the USCDPA, the FTC and State Attorneys General are given enforcement power. However, USCDPA, unlike COPRA, would preempt all state laws related to data privacy and security and would not provide for a private right of action.

Sixth Piece of Federal Privacy Legislation: Discussion Draft of New BIpartisan Data Privacy Bill

In December of 2019, a discussion draft of a new bipartisan data privacy bill, containing elements of both USCDPA and COPRA was introduced by the House Energy and Commerce Committee.

The bill calls for national standards for privacy and security and seeks to place restrictions on the collection, retention, and use of consumer data by businesses. The draft legislation calls for businesses to develop a privacy program and to publish a privacy policy, written in clear language. The privacy policy should explain what data will be collected, how it will be used, how long it will be retained, and with whom consumer information will be shared.

The bill also calls for implementation of specific data security measures, depending on the business’s size, and the nature and complexity of its data activities. The bill would require businesses to report to the Federal Trade Commission.In the event of a breach of consumer information, 

Under the bill, the Federal Trade Commission has been tasked with creating a Bureau of Privacy which would be responsible for developing rules, issuing guidance, and enforcing compliance. The FTC would also set a data retention time frame, and would create rules covering the disclosure of personal information to third parties. 

Under the bill, consumers would be given greater control over their personal data and how it can be used by businesses. Consumers would be able to view and correct their data; control who can access their personal information, and request that businesses delete their personal information.

To help consumers find out which businesses have their personal information, the draft legislation calls for the creation of a centralized repository of data brokers. Consumers could use that repository to find out who holds a copy of their data and find out how they can exercise their right to access that data, and make corrections to the data.