The State of COVID-19 Personal Data Protection
September 20, 2020
Return to Learning Center
The COVID-19 epidemic has given rise to a market for technology tools for mapping individuals' exposure, checklisting symptoms, providing locations of testing centers, and giving people good health best practices to keep their families and communities safe. Where digital "contact tracing" comes into play, the largest players by far are Google and Apple who cooperated in the Android and iOS platforms in an unprecedented undertaking to bake this feature into their mobile products.
These companies have documented the security and privacy of user data gathered, but many American states looking to add exposure mapping and content-tracing apps have opted not to use Google and Apple's technology. Alternatively, many states have adopted a wide range of other mechanisms, from apps to online platforms, that collect some form of personally identifying information. For example, South Dakota was an early adopter of the Care19 contact-tracing app. The app assigns users a random number to keep their information anonymous and relies on a combination of GPS info, cell phone tower data, and WiFi location data to track users. In Berkeley, California, local authorities are using the Coalition app, which relies on short range Bluetooth technology to monitor where users cross paths. In Kansas, a COVID-19 platform analyzes anonymous cell phone data and compares GPS data from before and after the implementation of social-distancing measures to track how effective that mandate was on a county by county level.
Across this wide range of tools, there are no federal safeguards in place to ensure data are meaningfully protected. Some apps, such as the HealthyTogether app that is being used in Utah, have privacy policies that provide details on data collection and retention measures. But these privacy policies vary, with no de facto standard for important elements such as whether and when the data will be automatically deleted, with whom a company will share the data, or how the security of the data will be protected. This data could eventually find its way into nefarious hands with no standard for protection.
The lack of standard protections is a problem society should be thinking about heavily today. While all states are in various stages of re-opening, some experts believe we have not reached the end of the COVID-19 outbreak, and some epidemiologists believe it may worsen as cold weather returns.
Congress may choose to intervene to protect Americans' privacy as states implement COVID-19 response technology. Recently, several U.S. representatives introduced the Public Health Emergency Privacy Act, which is designed to safeguard privacy as a variety of exposure mapping and other COVID response technologies flourish. The bill follows many expert privacy recommendations including applying strong data protection principles such as imposing limitations on the collection and use of COVID-19-related data, and preventing these data from being re-used for commercial or advertising purposes. This gets even more important as the resolution to the Coronavirus outbreak arrives and vaccines might be introduced. Nobody definitively knows what will happen with COVID-19 or the economic consequences of the lockdowns, but hopefully peoples' privacy will not be compromised in these important efforts.
We hope you enjoyed reading this guide and learned something new! Check out our Learning Center to learn more about online privacy and security or consider subscribing to our Online Privacy Service to remove your phone number, name, and address from Google, Bing, Yahoo, and DuckDuckGo search results and hundreds of data broker sites.