Lydia Bayley
Associate Editor
Loyola University Chicago School of Law, JD 2022

It cannot be denied that the COVID-19 pandemic has led to many novel legal and regulatory issues. One topic of major concern both domestically and abroad is how to manage the massive amounts of consumer data being collected in the attempt to quell the spread of the virus. This issue is especially complicated to address in the United States, where a convoluted patchwork of state and federal laws interact to create a relentlessly fragmented data regulation system. Now, as state and local governments, along with tech giants like Apple and Google, continue to roll out contact tracing applications, the need for comprehensive data privacy regulation is more pressing than ever.

Privacy concerns amplify amidst the pandemic

As the pandemic endures, technology companies and public health authorities across the globe have developed a myriad of contact tracing applications in an attempt to monitor and control the spread of the virus. However, with massive amounts of data being collected, implementation of these apps have raised both ethical and legal concerns regarding privacy rights and cybersecurity considerations. Significant concerns in moving forward with this technology include issues such as transparency regarding the purpose and use of the data collected, retention periods and restricting access to the information gathered, and the need to employ anonymization techniques to better protect consumer privacy.

Experts assert that the best way to control the virus is to be able to trace it, making widespread adoption of these apps crucial for the success of a technology-assisted contact tracing system. Studies have shown that even marginal increases in contact tracing app usage can reduce the spread of the virus by tens or even hundreds of thousands of new cases per day. This means that actual and potential users have enormous influence over the effectiveness of these applications. However, there is one major problem: privacy concerns have proven to be a heavy barrier to consumer adoption of contact tracing technologies.

These applications often require collection of personal information as well as locations, movements, and sometimes even relationships between users. It should come as no surprise that consumers, especially those that are particularly privacy conscious, are weary of location tracking and other information monitoring. The result is that many will not participate in a contact tracing system they do not trust to protect their personal data. And if an insufficient number of people choose to adopt technology-assisted contact tracing applications, their overall effectiveness is greatly diminished.

The case for making data privacy regulation a priority

With the infamous “second wave” of the pandemic disproportionately impacting countries where adequate contact tracing systems were never put in place to begin with, it is hard to deny that contact tracing is imperative to containing the spread of virus. However, participation rates in contact tracing apps are particularly low in the United States, where use is voluntary and data privacy regulations are far from comprehensive. As privacy continues to prevail over public health concerns, the need for a national data privacy standard to address consumer concerns is becoming increasingly apparent.

The US currently lacks a comprehensive federal data privacy law that protects the privacy of information being collected and stored by contact tracing applications. Not only could such legislation address very pressing issues of individual privacy rights, but trusted regulation could positively impact perception of technology assisted contact tracing tools and increase consumer utilization of these apps. Businesses across the globe have consistently shown that a comprehensive data privacy policy goes a long way towards boosting consumer trust, implying that if consumers new the standards to which entities collecting this data would be held, it may help achieve more widespread adoption of contact tracing technology necessary in order to most effectively limit spread of the virus.

Potential data privacy legislation on the horizon

Privacy experts assert that at a minimum, we need an interim measure to protect consumer data related to the pandemic. There are currently three measures in Congress that would address this: the Public Health Emergency Privacy Act, the Exposure Notification Privacy Act, and the COVID-19 Consumer Data Protection Act.

On May 7, Senate Republicans proposed the COVID-19 Consumer Data Protection Act, which would impose notice and consent requirements on regulated entities that collect geolocation data, proximity data, and health information related to COVID-19 under certain circumstances. Congressional Democrats followed with their own legislation one week later via the Public Health Emergency Privacy Act, which would also restrict the collection, usage, and disclosure of certain data during the pandemic, but includes a more expansive definition of the data to be covered, as well stronger protections for individual rights, including a private right of action. But many argue that the strongest of these bills is the bipartisan Exposure Notification Privacy Act. Introduced on June 1, the ENPA would require apps to be created in collaboration with public health authorities, to include strong privacy safeguards to prevent data misuse, and to acquire consent to collect data and delete it when consumers request.

It is undeniably urgent that the country find a means to balance public health and safety with information privacy and security. Implementation of federal regulation may be key to striking this balance and assuring widespread and effective implementation of the data collection practices necessary to manage the virus and maintain public health.