Key point: If properly deployed, the use of COVID-19 contact-tracing apps by employers, in combination with other measures, could be an effective way to return employees to the workforce. However, before deploying these apps, employers should take caution to fully vet the technologies being used to ensure that employee privacy is respected.
As the United States and Europe have started the process of returning to work, the development, deployment, and use of COVID-19 contact-tracing apps has become a focal point for how governments intend to mitigate risk. China, Singapore, and South Korea have already implemented national contact-tracing apps. European countries and Australia have been rapidly working towards their deployment.
In connection with the rapid development of governmental contact-tracing apps, tech companies have started to develop similar apps for employers. A handful of employer-focused contact-tracing apps are already on the market and many more are in development. Some employers are already planning to deploy these apps. For example, Ferrari recently announced that it will utilize a contact-tracing app as part of its “Back on Track” plan.
The use of these apps raises numerous privacy concerns for U.S. employers. As employers begin to vet these apps, they will need to ensure that they do not unintentionally violate privacy laws or assume liabilities by deploying them with their workforce.
What are Contact-Tracing Apps?
Although there are variations, government-deployed contact-tracing apps work by notifying users if they have come in contact with someone who tested positive for Coronavirus. The process requires a user to download the app onto their smartphone. The app then uses Bluetooth or GPS to track other smartphones that the user encounters. If someone the user has been in contact with self-reports having Coronavirus, the app alerts the user depending on certain parameters (e.g., length of time since contact and distance from the individual). For a more detailed discussion of these apps and how they work, see this recent article from WIRED.
The apps deployed in Asia are reportedly more invasive. For example, China’s app classifies people as green, amber, or red. That classification dictates where individuals can go and what they can do.
Employer-focused contact-tracing apps can do more (or less) depending on the app. For example, one app screens visitors by asking questions about recent trips and health. Such an app can easily be repurposed for employee screening.
A second app prompts workers to answer daily questions and take notes on whom they come in contact with outside the organization, and it tracks worker interactions through the use of mobile location technology, similar to the government contact-tracing apps discussed above.
A third app requires workers to wear a device that tracks their movements while on the employer’s premises. This allows employers to know where their employees are at all times. If a worker becomes sick, employers can identify which areas of the business need to be sanitized and which workers may have been exposed.
A fourth app allows employees to notify their employer of their health status. This type of contact-tracing app allows employers to track how many employees may have been exposed to the Coronavirus. It is unclear if this app is based on mobile location technology or if it solely relies on self-reporting.
Tech companies are rapidly developing COVID-19 contact-tracing apps for employers and more will likely be on the market soon. Presumably, future contact-tracing apps will integrate additional functionality, such as recording temperature scans or test results.
The European Approach
To date, European governmental entities have focused extensively on the development and deployment of contact-tracing apps.
On April 8, 2020, the European Commission issued a Recommendation towards a common EU toolbox for the use of technology and data to combat and exit from the COVID-19 crisis.
On April 14, 2020, the European Data Protection Board (an EU body in charge of the application of the EU’s General Data Protection Regulation) issued a letter to the European Commission on the Recommendation. The letter outlined the EDPB’s concerns with respect to contact-tracing apps, including that the apps should be voluntary, should not require location tracking of individuals, should be mindful of where the data is stored, and should not be used as social platforms for spreading social alarm.
Thereafter, on April 15, 2020, the e-Health Network, with the support of the European Commission, published a common EU toolbox for member states that includes numerous proposed requirements for contact-tracing apps.
Most recently, on April 17, 2020, the Commission issued guidance “to ensure a coherent approach across the EU and provide guidance to Member States and app developers.” The guidance “sets out features and requirements which apps should meet to ensure compliance with EU privacy and personal data protection legislation, in particular the General Data Protection Regulation (GDPR) and the ePrivacy Directive.”
In addition, EU member state data protection authorities have been actively involved in vetting these apps. According to the Independent, the Italian government is testing a contact-tracing smartphone app developed by tech start-up Bending Spoons. The app, which was selected from hundreds of proposals, would use Bluetooth technology to record when users are in close proximity with each other. The app would then notify users who have come into contact with an infected individual and would provide suggested health recommendations, such as self-quarantine or virus testing. An Italian government official stated that “the app would be used voluntarily, in line with recommendations by Italy’s data protection authority and European privacy rules.”
The United States Approach
The United States has taken a different approach than the European Union.
In the United States, there has not, to date, been a concerted national push for the deployment of contact-tracing apps. On April 9, 2020, Reuters reported that a number of local governments were planning to sign deals to implement contact-tracing apps. However, as of April 15, 2020, the Harvard Business Review reported that such discussions were still underway. Apple and Google also made national headlines in April by announcing a partnership on COVID-19 contact-tracing technology.
In comparison to Europe, the United States lacks a GDPR-like national privacy law. As a result, any contact-tracing apps deployed in the United States will not be held to a universal privacy standard, and consequently, will be much more difficult for U.S. employers to examine.
Best Practices for Vetting Employee Contact Tracing Apps
- Understand the Product
Perhaps the most important consideration for employers seeking to deploy contact-tracing apps is to understand how the product works. Employers must be aware that these apps are being developed by companies that may or may not have considered all relevant privacy and security issues. Indeed, one need only think of the numerous privacy and security complaints made against Zoom after it saw an exponential increase in its users.
As a starting point, it is essential that employers understand what information is being collected, the purpose for such collection, and where the information will be stored. As previously discussed, some apps are question oriented and ask people for personal information such as their name, health status, and recent travel. Other apps go much further by tracking employee movements on an automated basis. Additionally, employers should be aware that apps downloaded directly to users’ phones may collect other information through cookies and other tracking technologies. Given these differences, employers must understand exactly what the app is collecting and why the information is being collected.
Further, the fact that an app has a certain functionality does not mean that an employer needs that functionality. For example, is it necessary for an employer to track all employee movements as opposed to just tracing contacts? Employers should articulate exactly why they need each functionality and not use apps that collect unnecessary information.
In addition, some other questions employers should consider are:
- If proximity data is being collected, is it being done through Bluetooth or geolocation data?
- If proximity data is being collected, will it be stored on an individual’s device or on a separate server?
- Is the app collecting the right data?
- Is the app collecting too much data?
- Will biometric information be collected?
- How long will the app keep the data? Is there any justification for the app keeping data beyond 30 days?
- Does the developer have access to the information that is collected?
- Will the developer share personal information with others?
- Will the developer sell personal information to others?
Another crucial aspect of vetting the app will be understanding how both the app and the information it contains are secured. This includes the use of encryption, pseudonymization, and anonymization, where appropriate. In short, businesses should have their information security teams analyze the app as part of the vetting process.
Ultimately, the foundation of any privacy analysis is understanding what information is collected, why, and how it is processed. It is only after fully understanding all three of these features that employers can analyze the risks and legal implications of deploying a COVID-19 contact-tracing app.
- Make Sure Your Employees Understand the Product
The effectiveness of contact-tracing apps depends on the number of people participating in the contact-tracing pool. For employers, one of the more difficult aspects of deploying these apps will be gaining employee participation, as the use of this technology will be met with resistance from privacy-minded individuals.
Although some companies may attempt to require employees to use these apps, we anticipate that the majority of employers will make use voluntary, most likely in combination with other protective measures such as face masks, regular temperature taking, and testing.
To attain employee participation, businesses will need to inform employees about the type of information the app collects, how the employer will use that information, who has access to that information, and when the information will be deleted. Further, employers should identify and describe the rights employees have to their information. For example, can employees access the information? Can they ask for it to be deleted?
Employers should also articulate the economic benefits of using such contact-tracing apps (i.e., allowing employers to identify those individuals who may need to self-quarantine while permitting other employees to continue working).
To ensure that these apps gain widespread adoption by employees, employers should also consider additional questions and concerns that employees may have with using these apps and proactively address them through FAQs and/or presentations.
- Internal Policies and Procedures
Another important aspect of using these apps will be to implement internal policies and procedures ensuring their proper use. For example, employers should identify which employees need to have access to the information collected by these apps and exclude all others from accessing such information. Further, employers should develop strict confidentiality guidelines around the use of this information and should implement clear standard operating procedures to ensure that the information collected does not violate users’ privacy rights.
Employers also need to think through the process of how they will respond to a positive Coronavirus report. Will the app inform workers of the positive test or will the employer be the gatekeeper of this information? If the app directly informs users of a potential infection, what will the app say? Will it provide resources and instructions for how workers should respond? If this response process is not deliberate and well thought out, it could cause panic amongst employees.
- Biometric Privacy Law Implications
Although none of the apps discussed claim to collect biometric information, it is a foreseeable future development for these apps. For example, existing smartphone apps with temperature-taking functionalities could be integrated into these COVID-19 contact-tracing apps.
Although temperature readings in and of themselves do not typically implicate state biometric privacy laws, such readings, if taken by cameras using facial detection, could result in serious penalties under Illinois’ Biometric Information Privacy Act (BIPA). BIPA requires that informed consent be obtained prior to collecting biometric information, including scans of the face. BIPA has a private right of action with statutory penalties of $1,000 for negligent violations. Similar biometric privacy laws exist in Texas and Washington (but without the private right of action).
Employers should ensure that they are not inadvertently violating these biometric privacy laws through their use of a contact-tracing app.
- California Employees
The California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, and the state Attorney General can start enforcing violations on July 1, 2020. Although the CCPA contains an exemption for employee information, employers still must provide California residents with a notice of the personal information collected along with the business and commercial purposes for such collection. In this context, that means that employers that deploy contact-tracing apps in California will be required to provide disclosures to California employees. Notably, the CCPA’s employee information exemption also does not apply to the CCPA’s private right of action (discussed below).
- State Breach Notification Laws
Finally, employers must be aware that contact-tracing apps could be collecting personal information that is potentially subject to state breach notification laws. Although these laws differ amongst jurisdictions, they generally require entities to notify individuals if there is unauthorized acquisition of personal information, which is defined as an individual’s first name or first initial and last name combined with a specified data element. Some of these laws cover medical information and/or biometric information.
There are two types of risk with these laws. First, the app itself could be hacked. Therefore, employers should review the app’s terms of service to understand whether the app developer has a duty to notify the employer in the event the app is breached. The terms of service should also identify which entity would contractually assume the breach notification obligation and whether there are any defense and indemnity provisions.
Indeed, it goes without saying that hackers are going to be testing the security vulnerabilities of these products. If employers do not understand the data security risks, they could be walking into a substantial liability.
This is particularly true in California, where the CCPA allows for statutory damages of between $100 and $750 per consumer, per incident. Again, although the CCPA has an employee information exemption, that exemption does not apply to the CCPA’s statutory damages section. Plaintiffs’ attorneys are already filing CCPA class action lawsuits and one can envision more lawsuits arising out of the use of COVID-19 contact-tracing apps.
The second type of risk under state breach notification laws is that the employer could lose the information. This is especially true if these apps are rapidly deployed without fully vetting the privacy and security implications previously mentioned. A loss of such information would potentially result in a data breach and implicate the same issues discussed above.
- Health Insurance Portability and Accountability Act of 1996 (HIPAA)
Generally, if an employer uses a contact-tracing app that collects personal information (or Protected Health Information, or PHI, in HIPAA-speak), then that employer is likely not subject to HIPAA. That is because HIPAA applies only to Covered Entities (which are healthcare providers, health plans, and healthcare clearinghouses) and their Business Associates (which are entities that perform certain functions on behalf of the Covered Entities). Further, HIPAA does not cover PHI that is received directly from the employee. However, HIPAA should not be dismissed so easily.
Some employers are themselves a health plan if they operate a self-funded health plan. In that case, if the self-funded health plan is collecting information via the contact-tracing app, then HIPAA would most certainly apply. This means that all the HIPAA rules regarding the use and disclosure of PHI are applicable. While the U.S. Department of Health and Human Services, Office of Civil Rights (OCR) has granted some waivers related to the use and disclosure of PHI (e.g., allowing certain healthcare providers to use platforms that do not necessarily meet the HIPAA security requirements and allowing certain waivers for community-based testing sites), it has consistently insisted that all the other HIPAA rules apply (such as the minimum necessary standard). Accordingly, if an employer has reason to believe that it is subject to HIPAA, then it should ensure that any policies and procedures it implements as part of the contact-tracing exercise are compliant with HIPAA.
In addition, any contact-tracing app vendor that a Covered Entity chooses to use would be classified as a Business Associate. Business Associates must also comply with HIPAA and the parties must enter into a Business Associate Agreement. For Covered Entities, it would be important to ensure that any contact-tracing app that it chooses meets the requirements in the HIPAA security rules and that the Business Associate has robust HIPAA-compliant policies and procedures in place.
Any implementation of the tracing app in violation of HIPAA could result in an audit by OCR, followed by a penalty, which can range from $100 to $50,000 per violation.
If properly deployed, the use of COVID-19 contact-tracing apps by employers, in combination with other measures, could be an effective way to return employees to the workforce. However, before deploying these apps, employers should take caution to fully vet the technologies being used to ensure that employee privacy is respected.
A version of this article was originally published by Tag Cyber Law Journal.