This article appeared in Cybersecurity Law & Strategy, an ALM publication for privacy and security professionals, Chief Information Security Officers, Chief Information Officers, Chief Technology Officers, Corporate Counsel, Internet and Tech Practitioners, In-House Counsel. Visit the website to learn more.

As states roll back stay-at-home orders, contact tracing has quickly emerged as an essential tool to manage the spread of the coronavirus and allow the country to return to work safely.

Governments and businesses alike are considering how to leverage new technologies to make these efforts more effective by digitally monitoring our social interactions and physical locations — tracking, logging, storing, and sharing them — all for the greater good.

But such innovative contact tracing methods raise a host of privacy concerns, forcing a reckoning with how we balance privacy and public health.

Hunting an Invisible Killer

In past epidemics, public health officials have successfully relied on manual, labor-intensive contact tracing techniques to locate and interview individuals with possible disease exposure. For example, when Ebola outbreaks pummeled West Africa in 2014-2015 and the Democratic Republic of Congo in 2018-2019, "old-fashioned" contact tracing helped prevent a global catastrophe — enabling health officials to implement containment measures by isolating infected individuals, administering vaccines, and limiting travel.

COVID-19 is different. The virus has a longer incubation period. We have limited information about infected individuals, and asymptomatic carriers are contributing to large-scale community spread. Because of this fatal combination, public health officials are struggling to find and notify people who may have been exposed to COVID-19. Standard contact tracing techniques are likely insufficient to address a problem of this scale.

No Silver Bullet

Now the race is on to improve contact tracing by harnessing new technology. In mere months, numerous contact tracing mobile apps have been released and more are in development.

These apps all boil down to a basic premise: using our smartphones to identify whenever we have been in contact with another individual diagnosed with COVID-19 or someone who later becomes infected. Some of these apps use Bluetooth technology to alert a user whenever they encounter someone who has tested positive, is using a similar app, and has noted their health status in their phone. Other apps use stored location data to trace an infected person's history of movement and then alert anyone who may have crossed their path.

Both of these methods have their limits, though. For instance, they may not account for whether people are wearing masks, whether they are separated by a partition, or whether people are otherwise following recommended social distancing practices. As a result, app-based contact tracing that hinges on location data may not tell the full story.

Use It Or Lose It?

Public buy-in adds another layer of complexity, because the value proposition of contact-tracing apps is much different than most of the apps that we typically download. Instead of providing an individual benefit, contact-tracing apps are geared toward the good of the community. And unless there is a shared sense of community obligation propelling the use of these apps — or a mandate requiring it — it will be challenging to reach the levels of widespread adoption and regular use needed for the apps to be effective.

It is a safe bet that people will only use these apps if they are confident that their data will be protected and used appropriately. This is proving to be a high hurdle to clear, with government efforts already getting off to an inauspicious start. In North Dakota, the state's initial version of a voluntary contact tracing app unintentionally allowed data to be shared with a third party. Other efforts by state and local officials are likely to face similar security risks.

In the Workplace

The pitfalls are even greater for companies that are banking on contact tracing apps to protect their employees and business operations. Employers would be wise to be mindful of the numerous laws that potentially govern their use of contact tracing technology.

The Americans with Disabilities Act (ADA), along with many similar state laws, generally limits the ability of employers to collect medical information. However, the Equal Employment Opportunity Commission (EEOC) has issued guidance permitting employers to test for COVID-19 and to prohibit employees who pose a direct threat to health in the workplace from physically being in the workplace. Employers potentially could also require the use of a contact tracing app — provided the app is used in a non-discriminatory manner.

Additionally, some information collected by a contact-tracing app could potentially be considered "medical information" under the ADA and would need to be stored with appropriate confidentiality protections. The EEOC coronavirus guidance is intended to be temporary, although given the extended nature of the pandemic, it is not clear when it will be rolled back.

Protecting Privacy

As it currently stands, there is no federal privacy law addressing the use of contact tracing, although the Federal Trade Commission issued guidance in 2013 on data collection through mobile apps that emphasized the need for transparency and control, including just-in-time disclosures to consumers. Apps must also obtain their users' affirmative express consent before accessing sensitive content, such as geolocation.

On the state level, California's Consumer Privacy Act (CCPA) offers the country's most comprehensive privacy protections and will likely serve as the default approach for companies until a uniform federal law is enacted.

CCPA provides California consumers important rights to notice and rights to know, access, delete and say no to the sale of tracking information—and not to be discriminated against for exercising these rights. Under CCPA, companies engaging in contact tracing will need to provide notice of what categories of information they are collecting, the purpose of the collection, the categories of sources of such information, and the categories of third parties with whom such information is shared or disclosed.

Upon request, companies also need to be prepared to provide people with the actual information collected. Further, companies will need to assess whether any information-sharing constitutes a sale. This is important because, under CCPA, the transfer of personal information to a third party for monetary or other valuable consideration would require that people be provided with opt-out rights. These notices must be readable, understandable, and more importantly — accurate.

CCPA does provide an important exception: allowing personal information to be collected from employees, officers, directors, and contractors "in the course of and solely within the context of" that person's role with a business. However, a business must still provide people with a notice of what information is being collected and the purpose of the collection. And whether the scope of COVID-19 contact tracing is in the "course of" and "within the context" of employment raises difficult questions, including whether information of an employee's activities outside of their workplace — such as during social events or at home — would be considered exempt or subject to the full panoply of CCPA rights.

Finally, businesses need to track the status of a proposed ballot measure in California that has been submitted to the California Attorney General for the November election. The measure, called the California Privacy Rights Act (CPRA), would define "precise geolocation" information as sensitive information for which additional notice and opt-out rights are required. It would allow consumers to prohibit businesses from tracking their precise geolocation for many purposes, including advertising, to a location within roughly 250 acres. If passed, this may make contact tracing more difficult to implement.

Going Forward

As we emerge from COVID-19 lockdowns into what will become a "new normal," the country will need to balance the need for increased contact tracing with the equally important need to protect and preserve privacy. Where this balance will ultimately fall remains to be seen, and there will likely be numerous twists and developments as researchers continue to learn more about the virus.

One thing is clear: to navigate these complicated considerations, a solid understanding of the issues of data collection, use, and retention will be crucial. How we respond to these issues today — with both public health and personal privacy at stake — will impact how we respond to global health emergencies for decades to come.

*****

Scott Pink is special counsel in O'Melveny's Silicon Valley office and a member of the firm's Data Security & Privacy Group. He is a former general counsel for a major media company. His O'Melveny practice focuses on intellectual property, privacy, and cybersecurity issues.

John Dermody is counsel in O'Melveny's Washington, DC office and a member of the firm's Data Security & Privacy Group. He is a former legal advisor at the National Security Council, Department of Homeland Security, and Department of Defense. His O'Melveny practice focuses on national security and data security issues.