A Second Chance for the Public Health Emergency Privacy Act

This is the seventh alert in a series of Bradley installments on privacy and cybersecurity developments arising from the COVID-19 pandemic.

Sen. Mark Warner (D-Va.) has re-introduced a bill to create the Public Health Emergency Privacy Act (PHEPA). First introduced in May 2020, the bill died in committee. This time, Warner is joined by 11 cosponsors in the Senate and by 32 sponsors of a related bill in the House of Representatives.

This newly introduced bill is identical to the earlier version, which we reported on at the time. PHEPA would have the usual notice-and-consent backbone, requiring affirmative consent from a consumer before a covered organization could collect, use, or disclose his or her emergency health data. Organizations collecting the data would need to protect it with reasonable security and not use the data for any purposes beyond those expressly identified in a privacy policy.

No preemption

Two controversial aspects of PHEPA bear repeating. First, PHEPA would expressly not preempt state laws. That would effectively make PHEPA a floor that states could raise either by existing legislation or with new legislation. For organizations doing business in multiple states, this could result in having to comply with higher standards than those created by the federal bill, at least in some states.

Private right of action

Second, PHEPA would provide a private right of action to consumers. In addition to enforcement by the FTC and by states’ attorneys general, under PHEPA, affected consumers could sue directly for statutory damages of up to $5,000 per violation. Consumers could also recover attorneys’ fees and litigation costs.

Work in progress

When first introduced last year, the bill competed with a bill from Sen. Roger Wicker (R-Miss.) and others to create the “COVID-19 Consumer Data Protection Act of 2020.” The competing bill had fewer protections, express preemption, and no private right of action. Both bills died in committee.

The Wicker bill has not yet been reintroduced, and the Warner bill does not yet have bipartisan support. So, it remains to be seen when, how, and even if the federal government will create data privacy protections — either related to the COVID-19 pandemic or more generally. We will continue to update you as we learn more.