There’s an (Almost) App for That: Coronavirus Contact Tracing with Privacy at the Core

Apr 21, 2020 Published Article

In an effort to combat the spread of COVID-19 (commonly referred to as the Coronavirus) and save lives during this pandemic, Google and Apple recently announced plans to collaborate to develop a mobile application designed to help identify individuals that may have been exposed to the virus.  Many have celebrated the notion that software developers can leverage contact tracing to proactively notify those at high-risk, while also protecting such sensitive information.  However, with California enacting the California Consumer Privacy Act of 2018 (CCPA), one of the most comprehensive privacy regulatory schemes in the United States, we dig deeper into whether the safeguards within this tracing technology appear to satisfy CCPA requirements.

How it Works

The concept is that Bluetooth technology can be utilized to determine whether people have been in close proximity to an individual eventually diagnosed with the virus at a time when such individual may have been infectious to others.  These efforts will be conducted in cooperation with public health authorities, and designed to work alongside their applications, with a goal to release the app in May that can be downloaded for use on both Android and iOS devices.  Following the release of the initial app, the second stage of this project will be the eventual release of a broader Bluetooth-based contact tracing platform to allow more individuals to participate.

Despite statements by Google1 that “user privacy and security [are] central to the design” of this app and that “[p]rivacy, transparency, and consent are of utmost importance in this effort”, many are concerned that the app will violate individual privacy rights and create a means to link data to specific individuals. However, from what is presently understood about the app at this time, it will incorporate a number of privacy safeguards into its design.  Further, both Google and Apple have agreed to openly publish information about their work for others to analyze2.

Privacy Safeguards

It should be noted that in order to track contact amongst individuals, the app will not rely on collecting location information.  Instead, the app will rely on Bluetooth technology that measures how far devices are located from one another.  Further, the app will not be designed to collect any other personally identifiable information.

Participation by users will also be voluntary as users will need to elect to “opt in” to using the app when it is downloaded.  Similarly, anyone that may have been infected with COVID-19 would need to voluntarily share this information with health authorities to be used for tracing efforts.

Is the App Collecting Personal Information?

For purposes of the CCPA, the proposed app would likely satisfy the requirements for collecting information.  Civil Code Section 1798.140(e) provides as follows:

“Collects,” “collected,” or “collection” means buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.

Arguably, by comparing the location of one’s device to another’s device, the app is receiving information.  But would the information be considered “personal information” subject to the requirements of the CCPA?

The CCPA defines “personal information” very broadly as:

“information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, the following if it identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household…” Civil Code Section 1798.140(o)(1).

Amongst the categories of personal information identified, the following appear most relevant to this app would be the following:

  • Any categories of personal information described in subdivision (e) of Section 1798.80. (Civil Code Section 1798.140(o)(1)(B)); and
  • Geolocation data. (Civil Code Section 1798.140(o)(1)(G)).

1798.80 (e) of the Civil Code also includes an expansive definition of “personal information” that includes an individual’s:

“name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.”

For individuals infected by the virus, this would clearly be medical information.

As for geolocation data, this would include any information that can be used to identify a device’s physical location.  Arguably, the app would need to know the location of one’s device to compare its location to other devices.

Therefore, it would appear that the proposed app will likely be subject to the CCPA and consumers will need to be provided all requisite disclosures, such as the categories of personal information it has collected about that consumer, the sources from which the personal information is collected and any third parties with whom the business shares personal information.

However, there are a number of exceptions to the definition of “personal information.”  Specifically, Civil Code Section 1798.140(0)(3) states:

“Personal information” does not include consumer information that is deidentified or aggregate consumer information.”

In other words, if the information can be accessed in a manner that cannot reasonably identify, relate to, describe, be capable of being associated with, or be linked, directly or indirectly, to a particular consumer, including the implementation of technical safeguards (See Civil Code Section 1798.140), then the app would fall outside the privacy requirements of the CCPA.  While it will depend on the ultimate development and release of the app, it appears that privacy safeguards have been thoroughly considered and likely comply with the CCPA.

Why Does This Matter

  • California residents should be aware of the potential information that will be gathered using this tracing technology.
  • Companies involved with the technology must make a careful examination of whether the information being collected would be considered “personal information.”
  • Taking a conservative approach would be advisable to all parties developing this app as well as its technology, and it is recommended that the app be distributed with full transparency and consumer choice, particularly in the State of California.

It is remarkable that technology can be used to help save lives as we all deal with the evolving COVID-19 crisis, yet, any development must be designed to protect the security of personal information and comply with CCPA requirements related to the same.

For additional information, you can consult with a Task Force attorney Task by emailing NDCovid19Response@ndlf.com or contacting our office directly at 949-854-7000.

1See “Apple and Google partner on COVID-19 contact tracing technology” published Apr 10, 2020 on Google.com.

2See “Apple and Google partner on COVID-19 contact tracing technology” published Apr 10, 2020 on Google.com.