As shown by the many lawsuits challenging the collection and use of geolocation data over the last few years, consumers have concerns about being surveilled and monitored. But today, what was once anathema may be welcomed as the United States joins other countries to consider deploying contact tracing technology to track those diagnosed with COVID-19 in an effort to minimize the further spread of the virus and help reopen the economy safely.

Even so, companies developing such applications should be cautious: privacy laws do not have a "pandemic response" exception that will protect them from liability if consumers decide to question pandemic-related data collection and use. So, where do the pitfalls lie?

What Is Contact Tracing?

Contact tracing is a public health tool for containing the spread of infectious disease. Individuals who have been exposed to a confirmed case–the "contact"–are identified, evaluated for risk factors, and urged to take steps such as quarantining to prevent or minimize further spread of the disease.

Ideally, the potentially exposed individuals are contacted before they themselves have a significant opportunity to spread the virus. Tracing has traditionally been implemented by interviewing individuals, but to the scale of the pandemic, state and federal governments are considering more modern, technology-based methods to identify potentially exposed individuals for containment outreach.

What's Private About Being in Public?

Contact tracing technologies vary in their application. Some rely on Bluetooth signaling between devices to detect and exchange broadcast beacon keys with others in the area. Under this approach, the keys are collected and stored. Once an individual reports being infected, the infected individual's keys are matched to the keys of others who have been nearby, and those other individuals receive an alert that they may have been exposed.

Other applications allow users to self-report and then notify others. Yet another approach is the indiscriminate collection of location data about infected individuals and warning those who were in proximity to them using cell-site location data or the GPS capabilities of many wireless phones.

Irrespective of the specific technology, all contact tracing mechanisms require, at a minimum, ongoing collection and retention of data related to individuals' device-based whereabouts, their social network, and possibly their health—all of which can reasonably be viewed as private, at least in some circumstances. Finally, underlying all these methods is a technology that enables communication between various consumer devices and apps that store and process data related to contact tracing.

Class Actions

The nature of contact tracing apps provides a number of parties in the data ecosystem with a broad set of data that could be used either purposefully or unintentionally and shared for purposes other than contact tracing. For example, it was recently revealed that public health authorities in North Dakota and South Dakota had rolled out a contact tracing app that shared location data with an outside location data aggregator, contrary to the app's Privacy Policy.

Surreptitious data sharing (or other practices of the like) may expose the companies developing and/or deploying the contact tracing apps to typical privacy claims: collecting data beyond the scope of what the individual agreed to may lead to claims of intrusion upon seclusion, violation of constitutional rights to privacy, and breach of contract. Moreover, state laws, such as the California Consumer Privacy Act, permit consumers to prohibit sharing their data with third parties.

If the contact tracing technology collects more data than was consented to by consumers, or if the data—without notice or consent—is linked with other information about an individual to create profiles of specific individual consumers, the entities that develop and deploy the app may be subject to state "unfair and deceptive acts and practices" claims.

Enforcement Actions From Federal Agencies

Companies deploying contact tracing apps must clearly outline the information being collected and what will be done with it, as excessive and undisclosed data collection and processing may prompt federal agencies to bring enforcement actions. The FTC has for decades relied on its Section 5 authority (banning deceptive practices) to bring enforcement actions against private companies that do not follow their statements about data collection and processing.

Similarly, companies may risk an investigation by the Department of Health and Human Services' Office of Civil Rights if the data at issue is "protected health information" and if the entity that develops or deploys the app is a "covered entity" or "business associate," within the meaning of the Health Insurance Portability and Accountability Act (HIPAA).

If an entity is subject to HIPAA with respect to data collected by means of a contact tracing app, then the detailed and burdensome obligations in HIPAA's Privacy Rule and Security Rule may apply. These rules impose significant requirements both for obtaining consumer consent to collect and use the data, as well as for protecting the data that is collected. If HIPAA applies, companies may mitigate the risk of a violation by aggregating, anonymizing, and/or de-identifying any data stored.

Violations of State Privacy Laws

Although the United States does not have a national consumer privacy law, many states have laws to protect individual privacy, and all states have some form of data breach notification law. In the data breach context, information about an individual's health status, if linked to other information that permits the individual to be identified, is typically considered private information. If such information were to be accessed or disclosed in a breach, the entity suffering the breach could be subject to significant liability if the breach were not handled correctly.

Moreover, some states are considering COVID-19-specific privacy legislation. For example, Kansas is considering legislation that, among other things, would mandate that data collected through contact tracing be used only for the purpose of managing the spread of COVID-19 and would ban sharing it with any third party without consent from the individual. Further, absent a warrant, Kansas' COVID-19 privacy legislation would prohibit sharing the information with the government.

What Should Companies Do?

While COVID-19 has uprooted many routines, reliance on long-standing privacy principles continues to be key to risk mitigation. When it comes to privacy and the collection of data about individuals—including contact-tracing data—companies should:

  • Provide consumers with notice about who, what, and when data is collected and how it will be used;
  • Obtain either opt-in or opt-out consent from the consumer;
  • Use and disclose the data only for the public health purposes for which it was collected;
  • Minimize the amount of data that is collected;
  • Reduce the retention period of any data collected; and
  • Maintain the security of the data as it is stored and processed.

The facts, laws, and regulations regarding COVID-19 are developing rapidly. Since the date of publication, there may be new or additional information not referenced in this advisory. Please consult with your legal counsel for guidance.

DWT will continue to provide up-to-date insights and virtual events regarding COVID-19 concerns. Our most recent insights, as well as information about recorded and upcoming virtual events, are available at