by FOCUS, a Leonine Business
Congress and several state legislatures are looking to regulate contact tracing applications, as states have either developed and are using their own technologies or have turned to private third-party application providers for additional tools to contain and prevent new cases of COVID-19. This trend has begun to raise privacy and security concerns about how government and private companies are collecting data through contact tracing applications and how that information is being stored, protected and used.
As of June, three contact tracing privacy bills have been introduced in Congress that are aimed at restricting the use of sensitive medical information collected through such apps. The main bill that is expected to get most of the attention is The Exposure Notification Act, which has bipartisan and industry support. The bill contains many concepts suggested by industry, including requiring opt-in consent for participation, giving users a right to delete their information and prohibiting companies from using the medical information collected for commercial purposes or for targeted advertising.
Kansas was the first state to enact a privacy-related contact tracing law. In June, following Attorney General Derek Schmidt’s recommendation, Democratic Gov. Laura Kelly signed the COVID-19 Contact Tracing Privacy Act (HB 2016), which requires contact tracing to be voluntary and prohibits use of cell phone location tracking for contact tracing purposes. Anyone lawfully affiliated with a government health authority in Kansas can no longer legally use cell phone contact tracing apps if they allow tracking of Kansas citizens’ movements and associations.
Ten more states have introduced measures that propose privacy restrictions upon COVID-19 tracing technologies, including California, Hawaii, Louisiana, Minnesota, New Jersey, New York, Ohio, South Carolina, Utah and Wisconsin.
These bills propose different privacy restrictions on various parts of the private and public sectors. For example, California AB 1782 would prohibit any contact tracing vendor entering into a state contract from sharing personal information it obtained through the contact tracing applications or services provided. Meanwhile, New Jersey AB 4170 would prohibit data collected for contact tracing efforts by public health agencies from being used for any other purpose and would additionally require that the data be deleted after 30 days. Violators could be slapped with a fine up to $10,000 for each incident.
Minnesota HF 164 is aimed specifically at employers and would require that employees be given a choice to be part of digital contact tracing technology, while New York AB 10462 would impose criminal penalties for anyone misusing contact tracing data and would require an individual’s explicit consent before including them in a digital tracing program. Both the Minnesota and New York bills would allow for a private cause of action against violators.
With the increased use of contact tracing technologies and with no end to the COVID-19 pandemic in the near future, the privacy debate will increase across the nation and we expect to see an increase in measures being filed proposing new mandates and restrictions on the use of contact tracing technologies, any one of which could ultimately affect your company, your employees and your customers.