It cannot be denied that the COVID-19 pandemic has led to many novel legal and regulatory issues. One topic of major concern both domestically and abroad is how to manage the massive amounts of consumer data being collected in the attempt to quell the spread of the virus. This issue is especially complicated to address in the United States, where a convoluted patchwork of state and federal laws interact to create a relentlessly fragmented data regulation system. Now, as state and local governments, along with tech giants like Apple and Google, continue to roll out contact tracing applications, the need for comprehensive data privacy regulation is more pressing than ever.
Within the last decade, data has surpassed oil as the world’s most valuable commodity. Earlier this year the Securities and Exchange Commission (SEC) released its observations made during audits that detailed the methods used by corporations to secure their data. This included the kinds of cybersecurity practices employed by companies as well as advice on how to better deal with sensitive data and protect against potential cyberattacks. The SEC’s observations coincide with a recent announcement from the National Security Agency (NSA) that showcases an increased concern surrounding cybersecurity in the corporate world.
On November 18th, 2019, Congress introduced the Stop Marketing and Revealing the Wearables and Trackers Consumer Health Data Act, known as the Smartwatch Data Act. The Smartwatch Data Act was introduced by Democratic Senator Jacky Rosen and Republican Senator Bill Cassidy, due to Google’s desire to acquire fitness tracker manufacturer Fitbit in 2020. Since notice of this acquisition, privacy advocates have raised concerns about how Google will use personal health data collected through Fitbit devices. Therefore, this legislation aims to ensure that health data collected through fitness trackers, smartwatches, and health apps, cannot be sold without consumer consent.
The Children’s Online Privacy Protection Act (“COPPA”) prohibits unfair or deceptive collection, use, and disclosure of the personal information of children on the internet. COPPA covers both website operators and app developers, and prevents collection of personal information without verified, written consent of parents. On February 27, 2019, the Federal Trade Commission (“FTC”) filed a complaint in U.S. District Court against TikTok, previously known as Music.ly. The complaint alleged that Music.ly knowingly violated COPPA when it collected data from children without written consent of parents. Music.ly settled for $5,700,000.00, the largest civil penalty obtained by the FTC for violations of COPPA.
On January 29, 2019, TechCrunch released an investigation finding that Facebook had been paying users as young as 13 for unlimited access to their data. Facebook marketed the application, not available through the iOS app store, to users aged 13-to-35 by offering to pay $20 per month plus referral fees for downloading and using a “Facebook Research” app. The app, once downloaded, provided Facebook with unrestricted access to all private data on the users iPhone including messages, photos and videos, and website usage. This was not the first app launched by Facebook to track user’s data, Apple removed a similar app called Onavo from the app store in 2018. This app is a clear violation of the 2011 consent decree Facebook signed with the Federal Trade Commission.
Section 702 of the Foreign Intelligence Surveillance Act (FISA) allows the United States government to obtain access to the communications (e.g. emails) of non-U.S. citizens without a warrant. The rationale behind the law is its potential for use in gathering intelligence on potential terrorists and potential terrorist activity. The law has become controversial because intelligence on U.S. citizens has incidentally occurred as well, as emails and phone calls from U.S. citizens have been contained in intelligence-storing databases. As the law expires at the end of 2017, Congress is considering changing the ways intelligence is collected pursuant to the collection procedures stipulated under the law.