November 04, 2020 Feature

Mobile Technologies and COVID-19: A Primer on Fighting the Virus with Cell Phones

By Michael R. Roberts
Mobile technologies can help combat the spread of COVID-19—and also spread privacy and security risks.

Mobile technologies can help combat the spread of COVID-19—and also spread privacy and security risks.

Credit: da-kuk / E+ via Getty Images

As of September 2020, the coronavirus and the disease it causes, COVID-19, had taken the lives of over 180,000 people in the United States and caused widespread economic dislocation and unemployment. Tragically, the virus also shows little sign of abating, and public health officials warn that there may be a “second wave” of infections. U.S. governments and businesses thus continue to seek ways to mitigate COVID19’s effects, at least until a safe and effective vaccine or antiviral treatment is discovered. Mobile technologies are consistently mentioned as a piece of this mitigation puzzle, whether it be by enabling quarantine strategies through “contact tracing,” providing mobile “passports” to signify viral diagnoses or potential immunity, or assisting in health monitoring and alerting to prevent the spread of the virus.

Not a member of the ABA's Infrastructure and Regulated Industries Section? Join now to view premium content. 

Even as governments and businesses deploy these strategies, however, questions and controversies regarding their use persist. What data will be collected and used? How long will it be retained? And, critically, what steps should be taken to try to ensure that the COVID19 crisis won’t permanently reset the balance between privacy and security to the detriment of civil liberties?

This article cannot definitively answer these questions and does not recommend any particular technology to respond to the pandemic. Any attempt to do so risks obsolescence given the light-speed pace of technological development and policy debates.

Instead, this article provides a short primer on key relevant privacy considerations and issues in order to assist businesses considering whether to develop or use mobile technologies to fight COVID-19. It first outlines the main ways governments and businesses might use mobile technologies to fight the virus and the potential applicability of current laws to these uses. It then details how those laws might change as legislatures and regulators address the novel privacy and civil liberties issues raised by COVID-19. Finally, this article offers a checklist to capture important data privacy and security legal considerations relevant to the use of mobile technologies to combat COVID-19.

How Mobile Technologies May Help Fight COVID-19

Although we learn more about COVID-19 on an almost daily basis, the basic ways mobile technologies might help address the pandemic are unlikely to change.

At least at the start of the pandemic, there was little understanding about whether humans had any immunity to COVID-19 because it is novel and, because the virus is also highly communicable, it spreads rapidly if infected people have sufficient contact with healthy individuals. Given this, earlier this year, the United States and various state and local jurisdictions adopted a variety of measures—including physical distancing and statewide shutdowns—to help slow the virus’s spread. These measures helped to “flatten the curve”—i.e., mitigate the exponential growth of COVID-19 that can overwhelm health systems. Numerous jurisdictions began allowing more activity in May and June in an effort to reopen the economy, attempting to focus quarantine and self-isolation efforts on infected individuals rather than on the general population. Pervasive asymptomatic spread of COVID-19, however, complicated those efforts, and the relaxing of measures produced a resurgence of COVID-19 cases in some areas.

These developments put additional pressure on businesses and governments to determine whether there is a way to enable economic activity and increase in-person interactions without producing an unacceptable surge in COVID-19 infection rates in the absence of a safe and effective vaccine or antiviral treatment. Technologists and others have suggested three key ways that mobile technologies may help.

Contact Tracing

First, mobile technologies may assist in contact tracing, which seeks to curb the spread of COVID-19 by identifying individuals who have been in “contact” with infected persons and then alerting those contacts so that they can take appropriate precautions to prevent further infections. Of course, this strategy is at best a partial mitigation approach. Contact tracing would not assist with tracing infections that may have been caused by asymptomatic carriers or carriers who do not report that they have COVID-19.1 Nevertheless, contact tracing could be one tool that helps jurisdictions move away from shutdowns and physical distancing by identifying a set of individuals who need to quarantine.

An unfortunate problem with “traditional” contact tracing is that it is difficult to scale and time-consuming, and it is also subject to the vicissitudes of memory and other human factors, such as the ability to locate potential contacts for purposes of informing them of their potential exposure.2 And this is where mobile technologies enter the discussion.

According to the U.S. Centers for Disease Control and Prevention (CDC), there are two broad categories of ways technological tools can supplement or replace traditional contract tracing approaches. First, tools can be used for case management—i.e., to improve “the efficiency and accuracy of data management and automating tasks” and “reduce the burden of data collection on public health staff by allowing electronic self-reporting by cases and contacts.”3 Here, mobile applications can automate much of the typically labor-intensive interview and tracing process, saving manpower and time. Second, and more dramatically, technology can be used to “identify community contacts unknown to the case,” which is also known as “proximity tracking.”4 This second use takes advantage of the fact that individuals typically carry with them mobile devices that can communicate with other mobile devices, making it is possible for those devices to store close “contacts” so that they can be uncovered at a later time if necessary for virus prevention. (Of course, proximity tracking requires widespread community adoption and, as discussed later, raises significant privacy and civil liberties questions.)

Given these potential benefits, it is unsurprising that numerous countries have announced or implemented contact tracing apps or other app-based technologies intended to help tracing efforts.5 In the United States, there is currently no comprehensive federal contact tracing system, but the CDC has been “conducting a landscape analysis and evaluation of contact tracing tools; generating preliminary tool recommendations for piloting tracing in areas with limited introduction of COVID-19; and coordinating with public health agencies, healthcare organizations, academic institutions, non-profit organizations, and private companies to maximize contact tracing effectiveness.”6

States have also adopted a range of approaches. For instance, New York State partnered with Bloomberg Philanthropies, Johns Hopkins Bloomberg School of Public Health, and Vital Strategies to launch a contact tracing program that will be implemented in coordination with New Jersey and Connecticut.7 Several states have also leveraged mobile technologies and platforms for contact tracing purposes or even created their own contact tracing apps,8 and others are reportedly exploring doing so.9

Quick Response (QR) Codes and Digital “Immunity” Passports

A second way mobile technologies can be used to address the COVID-19 crisis is by serving as quick response (QR) codes—machine-readable tags that identify the device user or that user’s traits. The possible uses of such codes are extremely varied. For example, they can be used to track the presence of individuals at particular places to assist with contact tracing. Or the codes can serve as “digital passports” to show that individuals are symptom-free or approved to report to work.

Indeed, various countries, such as Singapore and New Zealand, are already using QR code technologies to address COVID-19.10 In addition, South Korea has deployed QR codes as symptom-free electronic passports.11 And on June 10, after determining that a simple sign-in system was not comprehensive, South Korea required “places at high-risk” for COVID-19, including bars, clubs, and other entertainment venues, to register patrons in a QR code–based registration system.12

Health Screening, Monitoring, and Alerting Systems

A third way mobile technologies can assist is by aiding health screening, monitoring, and alerting, although experts continue to evaluate the impact of such uses.13 These mobile technologies are relatively straightforward and may be used in conjunction with wearables and contactless kiosks.14

Indeed, due to government mandates for symptom screening and the speed at which such technologies can be deployed, these technologies are becoming increasingly prevalent. Many state and local governments now require or recommend that businesses conduct daily symptom screenings before employees enter a physical work location.15 Businesses faced with determining how to implement such guidance are increasingly looking to mobile technologies to simplify the task.

Existing Laws Applicable to Mobile Technologies Fighting COVID-19

As noted at the outset, the use of mobile technologies to address COVID-19 implicates important data privacy and security considerations. The technologies discussed in the prior section may collect and use various types of data that can reveal sensitive details about an individual’s life. For example, contact tracing applications may track detailed movement and location information, QR code programs may also require individuals to uniquely identify their location, and all of the applications would likely collect or use sensitive health information. It is therefore understandable why privacy and civil liberties advocates want to ensure that there are appropriate protections before unleashing these technologies on COVID-19.

But it would be a mistake to assume that the calls for further legislation and regulation mean that there are no existing laws governing the most common ways technologies may be brought to bear against the virus. Indeed, to the contrary, detailing all the relevant laws would extend far beyond the scope of this article. Instead, it provides a brief tour of important existing legal regimes that might govern some of these mobile technologies.

Before turning to the legal specifics, however, it is important to note that the laws discussed in this section, even if plainly applicable during the COVID-19 pandemic, were not enacted and have not necessarily been interpreted with a global public health crisis in mind. Indeed, regulators are rapidly considering their enforcement posture and how these laws might apply to present-day facts, with the following examples representing only a small portion of their recent guidance.

  • The U.S. Occupational Safety and Health Administration (OSHA), which regulates safety and health issues in the workplace and enforces the Occupational Safety and Health Act of 1970, has explained that it will evaluate community spread of COVID19 in each geographic area when considering the frequency of workplace inspections and its enforcement priorities.16
  • Similarly, the Equal Employment Opportunity Commission (EEOC), which enforces workplace antidiscrimination laws, has issued guidance concerning COVID-19 and the Americans with Disabilities Act (ADA), the Rehabilitation Act, and other equal employment opportunity laws, which may include the Family and Medical Leave Act and the Genetic Information Nondiscrimination Act.17 Importantly, this guidance asserts that employee medical information about COVID-19 symptoms and diagnosis must be maintained as a “confidential medical record” under the ADA, including when the employer receives such information in relation to a medical examination or inquiry or if the employee volunteers to provide the employer with such pandemic-related medical information.18
  • The Federal Trade Commission (FTC) has also issued guidance on its enforcement posture during the pandemic, explaining that it “will be flexible and reasonable when it comes to bringing enforcement actions against companies engaged in good faith, thoughtful efforts to address the effects of the pandemic,” while cautioning that it still “doesn’t pay to be in the news for privacy and security problems, and then have to retreat to address them.”19 The FTC has previously issued guidance on mobile privacy issues, including recommending that platforms provide notice to and obtain affirmative express consent from individuals before permitting apps to access geolocation information.20 The FTC has also highlighted four critical “tips” for businesses using data during the pandemic, specifically that a business should (1) consider privacy and security as it develops products and services, and not after launch; (2) utilize privacy protective technologies; (3) consider using anonymous, aggregate data; and (4) delete data when the crisis ends.21

The bottom line is that, to ensure the compliance of their plans, companies that employ COVID-19 technologies should check the latest regulatory guidance applicable to their efforts.

And with that crucial message out of the way, here are some of the key laws that businesses should consider when evaluating whether to deploy any of the technologies identified above.

Federal Laws Applicable to the Government

Businesses initially should consider whether they will work with the federal government in using mobile technology to address the COVID-19 crisis. If they will, businesses must take into account a set of laws applicable only to the government, including the Privacy Act of 1974 and the Freedom of Information Act (FOIA).22

The most important law applicable to the government is, of course, the Fourth Amendment to the U.S. Constitution, which protects people against unreasonable searches and seizures.23 As a practical matter, the Supreme Court has interpreted this mandate as prohibiting the government from gathering data without consent when individuals have a reasonable expectation of privacy unless the government has a warrant or an exception to the warrant requirement applies.24 Since recent precedents make clear that individuals have such reasonable expectations regarding the contents of their cell phone and historical cell-site locational information, this means that, to engage in the sorts of contact tracing described above, the government might need a warrant or an exception to the warrant requirement.25

To that end, the Supreme Court has repeatedly recognized that the government may conduct a search without obtaining a warrant if it would be impractical to do so, the goal is not traditional law enforcement, and the search is otherwise reasonable and proportional to the facts and circumstances.26 This is commonly known as the “special needs” or administrative search doctrine. While the scope and criteria for this doctrine are not well-defined, the Court has used the doctrine to allow certain public health and safety initiatives, and it may be applicable here.27

Moreover, the Fourth Amendment likely does not apply to location data that is sufficiently de-identified and aggregated,28 which may be relevant if the government is using aggregated data to understand compliance with quarantine orders.

In short, if businesses are providing applications or information to the government, they should evaluate whether the Fourth Amendment applies and, if it does, whether the provision of information is consistent with it.

Generally Applicable Federal Laws

Although the United States does not have a comprehensive cross-sectoral privacy regime like the European Union’s General Data Protection Regulation (GDPR), it does have various legal regimes that focus on particular sectors or interests. While a complete tour of this landscape is beyond this article’s scope, the following highlights three of the legal regimes most likely relevant to the technological applications identified above.29

Wiretap and Stored Communications Acts

The Wiretap Act and the Stored Communications Act (SCA) are the primary federal laws protecting the privacy of electronic communications. The Wiretap Act, among other things, generally prohibits the nonconsensual “interception” of electronic communications, absent lawful process.30 The SCA generally prohibits service providers from knowingly disclosing the contents of communications to any person or entity31 and also bars providers from sharing with any governmental entity certain information, specifically a customer record or other information regarding a subscriber.32

While it is unlikely that the technological uses outlined here would implicate the Wiretap Act, many uses could leave businesses in possession of information covered by the SCA. Businesses thus should carefully evaluate any disclosure of such information, particularly if they are disclosing the information to a governmental entity. As previously noted, businesses are not barred from disclosing customer records to private parties as long as those records do not reflect the content of communications.33

The Federal Trade Commission Act

Section 5 of the Federal Trade Commission Act (FTC Act) prohibits “unfair or deceptive acts or practices in or affecting commerce,”34 and the FTC has frequently taken enforcement action for various “deceptive” or “unfair” acts or practices related to data privacy and security. For instance, the FTC has brought enforcement actions against companies for failing to reasonably secure personal information, adequately disclose data collection practices, and operate in accordance with the representations made in their privacy policies.35

Because all of the COVID-19 technologies identified previously could implicate any of these areas, businesses should review their data practices and privacy policies and notices with respect to such technologies to ensure compliance with FTC standards and guidance.

The Health Insurance Portability and Accountability Act of 1996 and Health Information Technology for Economic and Clinical Health Act of 2009

Health-related data is, of course, at the core of many of the forms of data collection and use discussed above. A key initial question is whether the data that businesses collect or process is protected under the Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act of 2009 (together, with their implementing regulations, HIPAA) and state laws relating to health data, which are discussed further below.

Importantly, HIPAA does not apply to all health data; instead, it applies only to protected health information (PHI) held by either “covered entities” or “business associates.” Covered entities include healthcare providers, health plans (including employer health plans), and healthcare clearinghouses that engage in certain electronic transactions involving PHI.36 Business associates are entities with which a covered entity contracts to perform a function for or on behalf of the covered entity that involves PHI, or to provide services to a covered entity that involve the use or disclosure of PHI.37

If HIPAA does apply, its compliance requirements can be substantial. HIPAA requires covered entities to adhere to certain privacy standards, including limitations on disclosure, absent authorization. HIPAA also requires covered entities and their business associates to engage in certain security measures to ensure PHI is properly protected.

The U.S. Department of Health and Human Services has announced that it intends to exercise enforcement discretion with respect to limited aspects of HIPAA, including with respect to certain uses of telehealth, in light of the pandemic.38

State Laws and Regulations

Every state has numerous laws and regulations potentially applicable to the use of COVID-19 technologies. Many of these laws mirror federal laws outlined above; for example, every state or nearly every state has a state-constitution equivalent to the Fourth Amendment, a Wiretap Act analogue (with many also having an SCA analogue), and an “unfair and deceptive practices” statute mirroring the FTC Act. But there are also unique state laws that have no exact federal analogue, with key examples of such state laws as follows.

  • First, as mentioned previously, many states have medical privacy laws, which may be different in material respects from HIPAA. Although many of these laws do not apply to employers performing return-to-work health screenings for their employees, they do contain provisions that must be tracked on a state-by-state level, including such provisions as those contained in the Alabama and Illinois codes, which mandate information security protections for health information.39
  • Second, state laws may require businesses to disclose their collection and use practices and also grant consumers rights with respect to their personal information. The most important of these is the California Consumer Privacy Act of 2018 (CCPA), which gives California residents important rights regarding their “personal information.”40 Among other things, the CCPA requires business to provide consumers with the rights to access and delete their personal information, as well as opt out of its “sale.”41 The CCPA also requires businesses to detail privacy practices in a publicly accessible privacy policy; the personal information that they collect, use, store, and share; and how consumers may exercise their CCPA rights.42
  • Third, as particularly relevant to contact tracing applications with a geolocation component, several states have laws that regulate location tracking of individuals.43
  • Fourth, certain states, such as Illinois, Texas, and Washington, have laws that specifically regulate the collection of biometric information.44 These laws may require businesses to obtain explicit consent to collect such information, and the Illinois Biometric Information Privacy Act (BIPA) provides a private right of action with statutory damages.45
  • Fifth, it is also important to note that all states grant their governors and/or public health authorities emergency powers, which may allow them to suspend otherwise operative laws during a public health crisis or to implement emergency regulations.46 It is thus important to be aware of any invocation of these authorities, particularly if a business is working with the government.

The key point is that businesses should consider the legal regime of each applicable state based on the locations of their operations, employees, and consumers.

International Regulators and Governments

Finally, if operating internationally, a business should consider the laws, regulations, and standards of relevant jurisdictions, as well as regulator guidance and statements related to the use of technologies in the fight against COVID-19. Key international regulators may include the European Data Protection Board and the United Kingdom Information Commissioner’s Office (ICO). Both of these regulators have evaluated data processing and sharing practices relevant to the COVID-19 response.47 Additionally, the ICO continues to issue public assessments of COVID-19 technologies and the national contact tracing system sponsored by the British government and health authorities.48

How COVID-19 Might Change Data Privacy and Security Law

The COVID-19 pandemic raises numerous privacy challenges. Asymptomatic spread requires prophylactic measures; the wide range of potential symptoms associated with COVID-19 makes identifying cases of concern more difficult; and employers, schools, and other institutions may be placed in roles that they do not ordinarily play in order to keep spaces safe.

Although numerous privacy laws potentially apply to the use of mobile technologies to combat COVID-19, these laws were not designed to apply particularly to the use of information to fight a public health crisis of the current magnitude. This fact has led to concerns from both sides of the privacy spectrum. Privacy advocates fear that the existing laws do not sufficiently protect civil liberties during this time of crisis, while others believe that the existing laws may restrict too much activity that would help combat the virus’s spread. It is thus unsurprising that legislators and regulators are considering whether new laws and regulations are necessary to specifically address how governments and businesses may use data during the pandemic.

Two draft bills recently introduced in Congress may serve as a good indication of the issues central to the current debate on COVID-19 privacy legislation. First, the COVID-19 Consumer Data Protection Act (CDPA) was introduced by Senate Republicans on May 7, and second, the Public Health Emergency Privacy Act (PHEPA) was introduced by Senate Democrats on May 14. The table below provides several key elements of these bills.

  CDPA
PHEPA
Scope

Applies to a “covered entity,” defined to include any organization subject to the FTC Act, as well as any common carrier or nonprofit organization defined per federal law.

Includes exemption for service providers.

Applies to a “Covered Organization,” which broadly includes any person subject to de minimis and household exceptions, including any governmental entity that is not a public health authority.

Includes exemption for service providers and healthcare providers.

Authorized Purposes for Processing

Prohibits covered entities from collecting, processing, or transferring data of an individual unless (1) the covered entity is processing the data for a “covered purpose” or (2) the covered entity satisfies specified notice and consent protocols.

Defines covered purpose to include (i) tracking the spread, signs, or symptoms of COVID-19; (ii) measuring compliance with social distancing guidelines and requirements; and (iii) contact tracing of COVID-19 cases. Explicitly prohibits certain types of data processing, including those related to (i) commercial advertising; (ii) marketing, soliciting, or selling activities in targeted areas such as housing, education, and finance; and (iii) discriminating or disadvantaging an individual in a place of public accommodation.

Requires processing only be performed for a good faith public health purpose and, like the CDPA bill, permits processing if it is otherwise required by law.

Does not include a “notice and consent” safe harbor but, rather, requires that consent be obtained in all instances in which emergency health data is collected, unless a particular exception applies, with such exceptions limited to purposes related to guarding against fraud, protecting against data breaches, and adhering to legal requirements.

Notice Obligations

Requires covered entity to publish a special public-facing privacy policy within 14 days of the law’s enactment, disclosing the categories of recipients who receive covered data and the entity’s data retention and data security practices. 

Further requires entities to issue a report within 30 days of the law’s enactment, (i) stating the number of individuals whose covered data has been collected, and (ii) describing the categories, purposes, and recipients of such covered data.

Contains requirements similar to the CDPA, although (i) there is no specific requirement that the privacy notice be public-facing; (ii) the privacy policy must include a summary of individual rights; and (iii) the public reporting obligation only applies to entities that collect the data of 100,000 individuals or more, but it requires that such organizations issue a public report every 90 days, rather than just once.
Affirmative Private Rights and Obligations 
Requires covered entities to (i) provide an effective opt-out mechanism to revoke consent and otherwise restrict processing of covered data; (ii) delete all covered data when it is no longer being used; (iii) ensure the accuracy of covered data and provide a mechanism for individuals to report inaccuracies; (iv) implement data-minimization processes in accordance with guidelines to be issued by the FTC; and (v) establish reasonable administrative, technical, and physical data security policies and practices to protect covered data.

Apart from a specific data-minimization obligation, contains the other privacy rights and obligations found in the CDPA: an opt-out mechanism, data destruction requirement, data accuracy obligation, and a mandate to establish reasonable safeguards for the protection of emergency health data. 

Also requires reasonable safeguards to protect against discrimination and to ensure that data is disclosed to governments only for public health reasons.

Enforcement
Delegates primary enforcement authority to the FTC under section 5 of the FTC Act; secondary enforcement authority given to state attorneys general.

Delegates primary enforcement authority to the FTC under section 5 of the FTC Act; secondary enforcement authority given to state attorneys general.

Includes private right of action with maximum statutory damages of $5,000 per violation, as well as reasonable attorney fees and other fees that the court deems appropriate.

While these two bills are not likely to be the last word on this subject, as this table shows, there is substantial overlap between these two bills—overlap that provides a good overview of the areas where legislators believe that existing law should be supplemented. These areas include gathering health information for public health purposes to combat the COVID-19 pandemic while requiring additional protections—such as use restrictions, data-minimization requirements, retention limits, and individual rights protections—to ensure that the data are used properly and for more targeted purposes.49

Checklist of Privacy and Security Considerations for COVID19 Technologies

As the foregoing discussion demonstrates, the technological landscape for using mobile applications to fight COVID-19 is constantly evolving and legally dense. While this article does not seek to comment on or evaluate any particular application of technology, below please find a basic checklist of privacy-related considerations for use of these technologies.50

  • Take privacy into account when developing plans for using the mobile technologies by, for example, using “privacy by design” principles to develop the technology; ensuring that data collection, particularly of sensitive information (such as biometrics), is necessary and proportionate, including by evaluating whether it would be possible to use de-identified or aggregate data; procuring affirmative user consent; and conducting a privacy impact assessment of the plan.
  • Assess what legal requirements apply, including by evaluating the jurisdictions in which the technology will be used (to see what international, federal, state, and local laws might apply); the types of entities that will be gathering or using the information and the type of information that will be gathered (to determine the applicability of any sector-specific or category-specific regimes, such as HIPAA); and whether any relevant regulators have recently issued guidance on how those rules apply with respect to COVID-19.
  • Review disclosures regarding data collection, use, and privacy practices to ensure that they are consistent with any legal requirements and provide sufficient and accurate information about how data will be collected and used to combat COVID19. Consider whether additional communications to data subjects about the technology used or the data collected are helpful and appropriate.
  • Review existing information security policies and procedures to ensure that they are consistent with applicable regulations and guidance and contain appropriate security and handling protections.
  • Establish appropriate and lawful protocols for data retention, including with respect to its destruction after its retention is no longer necessary and/or the COVID-19 pandemic has ended.
  • Evaluate relevant contracts with suppliers, vendors, and clients to ensure that privacy and information security issues, and the allocation of liability among the parties, are appropriately addressed.
  • Review existing or, if necessary, establish new governance structures and monitoring protocols for evaluating and auditing the effectiveness of the technological use and privacy safeguards, as well as compliance with any internal policies or procedures.

A current legal obligation may not be linked to each of these considerations. However, by entertaining these considerations, businesses could reduce other privacy and reputational risks that might arise. And, importantly, by incorporating these suggestions, businesses will be better prepared in the event that such considerations do become applicable—a likely occurrence as the law in this area is evolving rapidly.

Endnotes

1. Interim Clinical Guidance for Management of Patients with Confirmed Coronavirus Disease (COVID-19), Ctrs. for Disease Control & Prevention (updated July 22, 2020).

2. See, e.g., Matt Richtel, Contact Tracing with Your Phone: It’s Easier but There Are Tradeoffs, N.Y. Times (updated July 20, 2020), https://www.nytimes.com/2020/06/03/health/coronavirus-contact-tracing-apps.html

3. Digital Contact Tracing Tools for COVID-19, Ctrs. for Disease Control & Prevention (updated May 26, 2020).

4. Id.

5. See, e.g., Help Speed Up Contact Tracing with TraceTogether, Singapore Gov’t Agency (Mar. 21, 2020), https://www.gov.sg/article/help-speed-up-contact-tracing-with-tracetogether. Based on a survey of online sources, the list of countries with contact tracing technologies at the national, state, or province level includes Australia, Azerbaijan, Bahrain, Bangladesh, Canada, China, Colombia, Czech Republic, Denmark, France, Germany, Ghana, Hungary, Iceland, India, Israel, Italy, Japan, Jordan, Latvia, Malaysia, New Zealand, North Macedonia, Norway, Qatar, Saudi Arabia, Singapore, Spain, and Switzerland.

6. Digital Contact Tracing Tools for COVID-19, supra note 3.

7. New York State Contact Tracing, State of N.Y., https://coronavirus.health.ny.gov/new-york-state-contact-tracing (last visited July 15, 2020).

8. Several states, notably South Dakota and Utah, chose to deploy their own contact tracing apps. David Ingram, Coronavirus Contact Tracing Apps Were Tech’s Chance to Step Up. They Haven’t, NBC News (June 12, 2020), https://www.nbcnews.com/tech/tech-news/coronavirus-contact-tracing-apps-were-tech-s-chance-step-they-n1230211. Other states—Alabama, North Dakota (CARE19 app), and South Carolina (SC-Safer-Together app)—have said that they will use existing technology in their contact tracing apps. Kif Leswing, Three States Will Use Apple-Google Contact Tracing Technology for Virus Tracking Apps, CNBC News (May 20, 2020), https://www.cnbc.com/2020/05/20/three-states-commit-to-apple-google-technology-for-virus-tracking-apps.html.

9. See, e.g., Amit Syal & Sam Burdette, Campus Reentry Update: University of Arizona Begins Testing Phase for New Contact Tracing App, Daily Wildcat (June 18, 2020), https://www.wildcat.arizona.edu/article/2020/06/sc-tracing-app; Amy Wadas, Pennsylvania Health Department Working to Hire More Coronavirus Contact Tracers, CBS Pittsburgh (June 8, 2020), https://pittsburgh.cbslocal.com/2020/06/08/covid-19-contact-tracing-hiring-in-pennsylvania; Case Investigations and Contact Tracing, Wash. State Dep’t of Health (2020), https://www.doh.wa.gov/Emergencies/NovelCoronavirusOutbreak2020COVID19/CaseInvestigationsandContactTracing; David Gutman, Why You Might Now Get a Phone Call to Tell You You’ve Been Exposed to the Coronavirus, Seattle Times (updated May 21, 2020), https://www.seattletimes.com/seattle-news/health/washington-trains-more-than-2100-callers-as-it-expands-contact-tracing-to-battle-coronavirus; Frank Witsil, New Contracts Restart Volunteer Contact Tracing, but Epidemiologist Takes Aim at Effort, Detroit Free Press (updated May 14, 2020), https://www.freep.com/story/news/local/michigan/2020/05/12/volunteer-contact-tracing-michigan-rock-connections-deloitte/3107351001; Kelly House & Riley Beggin, Michigan Launches Coronavirus Contact Tracing. Here’s What You Need to Know, Bridge Mag. (May 9, 2020), https://www.bridgemi.com/michigan-health-watch/michigan-launches-coronavirus-contact-tracing-heres-what-you-need-know; Maine Expands Contact Tracing to Limit the Spread of COVID-19, State of Me. Office of Governor Janet T. Mills (May 26, 2020), https://www.maine.gov/governor/mills/news/maine-expands-contact-tracing-limit-spread-covid-19-2020-05-26.

10. GovTech, Responding to COVID-19 with Tech, Singapore Gov’t Agency (last updated July 6, 2020), https://www.tech.gov.sg/products-and-services/responding-to-covid-19-with-tech (providing overview of SafeEntry, “national digital check-in system” that “is used for contact tracing and data verification through (1) scanning of QR codes or (2) scanning of [National Registration Identity Cards] at hotspots and high traffic locations”); NZ COVID Tracer QR Codes, Gov’t of N.Z. Ministry of Health (updated Aug. 27, 2020), https://www.health.govt.nz/our-work/diseases-and-conditions/covid-19-novel-coronavirus/covid-19-novel-coronavirus-resources-and-tools/nz-covid-tracer-app/nz-covid-tracer-qr-codes.

11. Victoria Kim, Welcome, Please Scan Your QR Code: In South Korea, a High-Tech Registry for Nightlife amid Coronavirus, L.A. Times (June 10, 2020), https://www.latimes.com/world-nation/story/2020-06-10/welcome-please-scan-your-qr-code-in-south-korea-a-high-tech-registry-for-nightlife-amid-coronavirus.

12. U.S Mission Korea, Health and Travel Alert—U.S. Embassy Seoul, Republic of Korea, U.S. Embassy & Consulate in the Republic of Kor. (June 12, 2020), https://kr.usembassy.gov/061220-health-and-travel-alert-u-s-embassy-seoul-republic-of-korea.

13. See, e.g., Natasha Singer, Employers Rush to Adopt Virus Screening. The Tools May Not Help Much, N.Y. Times (May 11, 2020), https://www.nytimes.com/2020/05/11/technology/coronavirus-worker-testing-privacy.html.

14. For example, some businesses are deploying mobile technologies and wearables to monitor for COVID-19 symptoms and enhance their ability to identify potential cases and limit exposure to the virus. See, e.g., Geoffrey A. Fowler, Wearable Tech Can Spot Coronavirus Symptoms Before You Even Realize You’re Sick, Wash. Post (May 28, 2020), https://www.washingtonpost.com/technology/2020/05/28/wearable-coronavirus-detect. Businesses are also deploying technologies such as temperature-checking applications and contactless temperature-checking kiosks. See, e.g., Sarah Whitten, Contactless Temperature-Checking Kiosks Are Coming, Here’s What It’s Like to Use One, CNBC (May 21, 2020), https://www.cnbc.com/2020/05/21/contactless-temperature-checking-kiosks-are-coming-amid-coronavirus.html.

15. See, e.g., COVID-19: RESTART Guidance for Businesses, Gov’t of N.Y. City Health (July 2020), https://www1.nyc.gov/site/doh/covid/covid-19-businesses-and-facilities.page; Reopening New York City: Frequently Asked Questions (FAQs), Gov’t of N.Y. City Health (updated Aug. 21, 2020), https://www1.nyc.gov/assets/doh/downloads/pdf/imm/covid-19-reopening-nyc-faq.pdf; Reopening New York—Office-Based Work Guidelines for Employers and Employees, Governor of N.Y. (June 2020), https://www.governor.ny.gov/sites/governor.ny.gov/files/atoms/files/OfficesSummaryGuidelines.pdf; Reopening NYC Phase 2: Offices, Gov’t of N.Y. City (June 17, 2020), https://www1.nyc.gov/assets/coronavirus/downloads/phase2/offices.pdf; Reopening New York City: Frequently Asked Questions—What Offices Need to Know, Gov’t of N.Y. City (updated Aug. 17, 2020), https://www1.nyc.gov/assets/doh/downloads/pdf/imm/covid-19-reopening-offices-guidance.pdf.

16. See OSHA, Interim Enforcement Response Plan for Coronavirus Disease 2019 (COVID-19), U.S. Dep’t of Lab. (April 13, 2020), www.osha.gov/memos/2020-04-13/interim-enforcement-response-plan-coronavirus-disease-2019-covid-19; OSHA, Updated Interim Enforcement Response Plan for Coronavirus Disease 2019 (COVID-19), U.S. Dep’t of Lab. (May 19, 2020), https://www.osha.gov/memos/2020-05-19/updated-interim-enforcement-response-plan-coronavirus-disease-2019-covid-19.

17. Coronavirus and COVID-19, U.S. Equal Emp’t Opportunity Comm’n, https://www.eeoc.gov/coronavirus (last visited July 6, 2020); U.S. Equal Emp’t Opportunity Comm’n, What You Should Know About COVID-19 and the ADA, the Rehabilitation Act, and Other EEO Laws (June 17, 2020), https://www.eeoc.gov/wysk/what-you-should-know-about-covid-19-and-ada-rehabilitation-act-and-other-eeo-laws.

18. See, e.g., U.S. Equal Emp’t Opportunity Comm’n, Pandemic Preparedness in the Workplace and the Americans with Disabilities Act (rev. Mar. 21, 2020), https://www.eeoc.gov/laws/guidance/pandemic-preparedness-workplace-and-americans-disabilities-act; U.S. Equal Emp’t Opportunity Comm’n, What You Should Know About COVID-19, supra note 17.

19. Elisa Jillson, Privacy During Coronavirus, FTC Bus. Blog (June 19, 2020, 10:32 AM), https://www.ftc.gov/news-events/blogs/business-blog/2020/06/privacy-during-coronavirus (citing the FTC’s recent enforcement action against smart-lock manufacturer Tapplock as an example of a business that “rush[ed] to get a product to market without considering privacy and security issues”).

20. Fed. Trade Comm’n, Mobile Privacy Disclosures: Building Trust Through Transparency 15 (Feb. 2013) (“[C]onsistent with the Commission’s Privacy Report, before allowing apps to access sensitive content through APIs, such as geolocation information, platforms should provide a just-in-time disclosure of that fact and obtain affirmative express consent from consumers.” (citations omitted)).

21. Id.

22. The Privacy Act regulates federal agencies’ collection, use, and sharing of systems of records that store personal information, not only providing individuals with a way to access and correct information that an agency maintains about the individual, but also mandating certain restrictions for how federal agencies manage and disclose that information. See 5 U.S.C. § 552a(b)–(e) (2012). FOIA permits members of the public to submit formal requests in order to access federal executive agencies’ records, although certain exceptions do apply. See id. § 552. The important point here is that if businesses are working with the government, it is possible that either or both of these laws could apply in certain circumstances.

23. U. S. Const. amend. IV.

24. See Katz v. United States, 389 U.S. 347 (1967).

25. See, e.g., Carpenter v. United States, 138 S. Ct. 2206 (2018) (finding that the Fourth Amendment protects an individual’s historical cell-site locational information (CSLI) even if the information is in the possession of a wireless carrier). For a more detailed analysis of Carpenter and its potential implications for Fourth Amendment jurisprudence, see Christopher C. Fonzone, Kate Heinzelman & Michael R. Roberts, Carpenter and Everything After: The Supreme Court Nudges the Fourth Amendment into the Information Age, 58(4) A.B.A. Infrastructure & Regulated Indus. (Summer 2019).

26. See, e.g., Ferguson v. City of Charleston, 532 U.S. 67, 74 (2001) (applying “special needs” doctrine and upholding warrantless search to “serve non-law-enforcement ends”).

27. See, e.g., Mich. Dep’t of State Police v. Sitz, 496 U.S. 444 (1990) (applying special needs doctrine and finding that Michigan police sobriety checkpoints were reasonable searches and did not violate the Fourth Amendment).

28. Businesses should understand that de-identified or aggregated data could be reidentified, and, in certain circumstances, the Fourth Amendment could be applicable to such reidentified data.

29. Depending on the technology platform, the intended users of the technology, and the types of personal information collected, other applicable laws may include the Communications Act, 47 U.S.C. § 222 et seq.; Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g et seq.; Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. § 6501 et seq.; and Federal Food, Drug, and Cosmetic Act (FDCA), 21 U.S.C. § 301 et seq.

30. 18 U.S.C. § 2511.

31. Id. § 2702(a)(1)–(2).

32. Id. § 2702(a)(3).

33. Id. § 2702(c)(6).

34. 15 U.S.C. § 45(a)(1).

35. See Fed. Trade Comm’n, FTC’s Use of Its Authorities to Protect Consumer Privacy and Security 3 (June 18, 2020) (citing enforcement actions and settlements, including In re InfoTrax Systems, L.C., FTC File No. 162 3130, Docket No. C-4696 (2019), in which the FTC alleged that the company and its former CEO failed to use reasonable security measures to safeguard clients’ personal information).

36. Id. § 160.102.

37. Id. § 160.103.

38. Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency, U.S. Dept. of Health & Human Serv., https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html (Mar. 20, 2020).

39. See, e.g., Ala. Code § 8-38-2(6); 815 Ill. Comp. Stat. 530/5.

40. Cal. Civ. Code § 1798.100 et seq.

41. See id. §§ 1798.100(d), 1798.105, 1798.110.

42. Id. § 1798.130 et seq.

43. Cal. Penal Code § 637.7 et seq. (prohibiting any person or entity in California from using “an electronic device to determine the location or movement of a person,” absent several exemptions including “the lawful use of an electronic tracking device by a law enforcement agency).

44. See 740 Ill. Comp. Stat. 14; Tex. Bus. & Com. Code Ann. § 503.001; Wash. Rev. Code Ann. §19.375.020.

45. See 740 Ill. Comp. Stat. 14/20.

46. See Benjamin Della Rocca et al., State Emergency Authorities to Address COVID-19, Lawfare (May 4, 2020, 3:03 PM), https://www.lawfareblog.com/state-emergency-authorities-address-covid-19 (providing an overview of state emergency authorities available to governors in their response to the pandemic).

47. See European Data Prot. Bd., Guidelines 04/2020 on the Use of Location Data and Contact Tracing Tools in the Context of the COVID-19 Outbreak (Apr. 21, 2020), https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_20200420_contact_tracing_covid_with_annex_en.pdf (providing guidance on the use of location data and contact tracing tools related to COVID-19).

48. See, e.g., Collecting Customer and Visitor Details for Contact Tracing, Info. Comm’rs Office, https://ico.org.uk/global/data-protection-and-coronavirus-information-hub/coronavirus-recovery-data-protection-advice-for-organisations/collecting-customer-and-visitor-details-for-contact-tracing (last visited July 7, 2020); Contact Tracing—Protecting Customer and Visitor Details, Info. Comm’rs Office, http://ico.org.uk/global/data-protection-and-coronavirus-information-hub/contact-tracing-protecting-customer-and-visitor-details (last visited July 7, 2020); Dep’t of Health & Soc. Care, Maintaining Records of Staff, Customers and Visitors to Support NHS Test and Trace, Gov.UK (updated Aug. 28, 2020), https://www.gov.uk/guidance/maintaining-records-of-staff-customers-and-visitors-to-support-nhs-test-and-trace; Elizabeth Denham, Blog: Combatting COVID-19 Through Data: Some Considerations for Privacy, Info. Comm’rs Office (Apr. 17, 2020), https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/04/combatting-covid-19-through-data-some-considerations-for-privacy; Info. Comm’rs Office, Information Commissioner’s Opinion: Apple and Google Joint Initiative on COVID-19 Contact Tracing Technology (Apr. 17, 2020), https://ico.org.uk/media/about-the-ico/documents/2617653/apple-google-api-opinion-final-april-2020.pdf; Paul Arnold, Statement on the Publication of ICO Guidance to Businesses Collecting Personal Data for Contact Tracing, Info. Comm’rs Office, http://ico.org.uk/global/data-protection-and-coronavirus-information-hub/statement-on-the-publication-of-ico-guidance-to-businesses-collecting-personal-data-for-contact-tracing (last visited July 7, 2020).

49. Of course, just like the ongoing debates over comprehensive federal privacy legislation, there are also divergent views on certain issues. See, e.g., Cameron Kerry, Keeping the Fires Burning for Federal Privacy Legislation, IAPP Privacy Persp. (June 3, 2020), https://iapp.org/news/a/keeping-the-fires-burning-for-federal-privacy-legislation (observing that, similar to prior congressional efforts to pass privacy legislation, the CDPA and PHEPA “both display the same gulf on preemption and private right of action”).

50. A number of regulators and commentators have provided similar sets of considerations that companies should take into account in addressing this fast-moving area. For a good example, see Denham, supra note 48.

Want more personalized content? Tell us your interests.

Entity:
Topic:

By Michael R. Roberts

Michael R. Roberts (mrroberts@sidley.com), formerly a White House intern in the Office of the Counsel to Vice President Biden, is an associate in the Sidley Austin LLP Privacy and Cybersecurity group. The author thanks Christopher C. Fonzone, a partner in the firm’s Privacy and Cybersecurity practice, for his contributions to this article. The views expressed herein are the author’s alone and do not constitute legal advice.