Democratic Senators Richard Blumenthal and Mark Warner have introduced the Public Health Emergency Privacy Act in response to the bill of the same subject released by Senate Republicans (the COVID-19 Consumer Data Protection Act) at the end of last month. As with the CCDPA, the PHEPA regulates the collection of emergency health data. While the respective bills differ in many ways, the most glaring distinctions focus (not surprisingly) on enforcement, preemption, and certain uses of data.
While both measures provide for enforcement by the FTC and state attorneys general, the Democratic bill also provides for a private right of action and damages of between $100 and $1000 for each negligent violation and $500 and $5000 for each violation that is reckless, willful, or intentional. Moreover, it would invalidate any pre-dispute arbitration agreements and joint action waivers that would otherwise affect such causes of action.
In further contrast to the Republican bill, the PHEPA expressly provides that the law does not preempt any state law or regulation.
The Democratic bill also provides for the Secretary of Health and Human Services to consult with the U.S. Commission on Civil Rights and the FTC to examine and report on how the collection, use, and disclosure of health information related to COVID-19 impacts civil rights issues.
Whether either of the bills can muster the support necessary for passage remains to be seen, and even in connection with an agreed-upon need, the stark contrast in the parties’ view on policy considerations appropriately addressed is brought into sharp relief.