This is the property of the Daily Journal Corporation and fully protected by copyright. It is made available only to Daily Journal subscribers for personal or collaborative purposes and may not be distributed, reproduced, modified, stored or transferred without written permission.

Administrative/Regulatory,
Government,
Technology

May 21, 2020

Virus will test the public’s support for privacy protections


Anita Taff-Rice

Founder, iCommLaw

Technology and telecommunications

1547 Palos Verdes Mall # 298
Walnut Creek, CA 94597-2228

Phone: (415) 699-7885

Email: anita@icommlaw.com

iCommLaw® is a Bay Area firm specializing in technology, telecommunications and cybersecurity matters.

CYBERSLEUTH

The best way to test a society's support for privacy protections is to have a really good reason not to. COVID-19 could be such a reason.

More than 1.5 million people in the U.S. have been infected with COVID-19 and the death toll has surpassed 93,000. Those numbers are expected to keep rising. Without adequate testing to confirm citizens' infection status, public health officials are focusing on tracing the movements of infected people to slow the transmission of COVID-19. What better way to track users than their smartphones, which have become like body appendages and are almost always turned on?

Apple and Google are releasing application interfaces this month that marshal a smartphone's Bluetooth capability to trace a person's movements. The smartphone broadcasts a random identifier that will be recorded by other cellphones that come within close proximity and vice versa. Those identifiers are stored on the phone for at least 14 days. If a person tests positive for COVID-19, he or she may notify the public health authority via the application and all phones that came within close proximity of the infected person's phone will be notified of possible exposure.

In the next few months, Google and Apple will add the tracing capability to the smartphone operating system "to help ensure broad adoption." If smartphone tracing were expected to be warmly embraced, it seems unnecessary to proactively try to boost adoption. Once the tracing capability is embedded in the operating system, smartphones will natively send out and listen for the Bluetooth beacons with no need to install a public health application. But the same process of self-reporting and matching tracing identifiers occurs in the background. If a match to an identifier of a COVID-19 positive person is found, the user will be prompted to download an application through which public health officials can advise on next steps such as self-quarantine. This capability apparently can be disabled by the user.

Google and Apple say that the public health applications "must meet specific criteria around privacy, security, and data control" but they provide no details about those criteria. This seems eerily similar to data tracking companies that (without notice or permission) used geolocation data collected from cellphones of people packing beaches in Florida during Spring Break to help identify where those people went afterward and predict possible trajectories of COVID-19 cases.

The rush to help trace the spread of COVID-19 is well intentioned, but it shouldn't be used as a reason to abandon privacy protections. The potential for misuse is easy to see. Take China, for example. The Guardian reports that China has implemented a contact tracing application on cellphones that is mandatory, tied explicitly to the user's identity and governs whether a person may travel. The application signals whether the person identified is green (clear), amber (needs to isolate) or red (a confirmed case or close contact of a confirmed case), and QR scanners at public venues will admit or refuse entry based on the person's status.

California's Consumer Privacy Act would clearly prevent the draconian Chinese approach. But does it prevent the Google/Apple Bluetooth application? The CCPA applies to a wide range of data collection activities, including "buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer's behavior." Civil Code Section 1798.140(e).

The tracking application sends, receives and stores information comparing the location of one user's phone to another user's phone, which appears to fall within the statute either because the application is passively collecting data, or it is observing the user's behavior. But would the information be considered "personal information" subject to the requirements of the CCPA?

The CCPA defines "personal information" very broadly as "information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes information that identifies, relates to, describes, is reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household." Civil Code Section 1798.140(o)(1). Specifically, it includes medical information, physical characteristics or description, biometric information, geolocation data and audio, electronic, visual, thermal, olfactory, or similar information. Civil Code Sections 1798.80(e); 1798.140(o)(1)(E)(G)(H).

Information that a person is infected with COVID-19 that is shared with public health officials through the application surely falls within the definition of protected personal information. But because the person knowingly provided his or her infection status to the application (unlike the tracking of beach goers), the user likely has adequate notice to avoid a violation of CCPA's rules on data collection.

The CCPA also restricts disclosure of personal information for commercial purposes. Civil Code Section 1798.120. Google and Apple said in a public statement "there will be no monetization from this project." If that's true, then the COVID-19 contact tracing application doesn't appear to be a commercial purpose. Further, the CCPA allows a company to share personal information if it is de-identified or in the aggregate. Civil Code Section 1798.145(a)(5). Because the Google/Apple application uses random numbers that are not associated with a person's identity, the COVID-19 status and exposure information likely fall within this exception.

CCPA's provisions go beyond limiting intentional disclosure of personal information. If a consumer's non-encrypted and non-redacted personal information is stolen, disclosed or accessed without authorization, he or she may seek damages. Cal. Civ. Code Section 1798.150. Google and Apple state that the tracking identifier is stored on the consumer's phone, not the tech company servers, but if the data is hacked and the tech companies required the data to be stored, it may be actionable. Also, it's not clear whether the data is encrypted.

So long as Google and Apple clearly disclose which public health authorities will have access to the data and how it will be used, as well as encrypting stored data, the contact tracking application appears to comply with the privacy requirements of the CCPA. This goes to show that even in times of a global pandemic it is possible to assist in protecting public health without undermining privacy rights.
