HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

NAAG Urges Apple and Google to Take Further Steps to Protect Privacy of Users of COVID-19 Contact Tracing Apps

On June 16, 2020, The National Association of Attorneys General (NAAG) wrote to Google and Apple to express concern about consumer privacy related to COVID-19 contact tracing and exposure notification apps. NAAG has made recommendations to help protect the personally identifiable information and sensitive health data of the millions of consumers who will be urged to download the apps to help control COVID-19.

“Digital contact tracing may provide a valuable tool to understand the spread of COVID-19 and assist the public health response to the pandemic,” explained the state AGs in the letter. “However, such technology also poses a risk to consumers’ personally identifiable information, including sensitive health information, that could continue long after the present public health emergency ends.”

Privacy protections are essential for ensuring that users of the apps do not have sensitive data exposed or used for purposes other than helping to control the spread of COVID-19. Without privacy protections, consumers will simply not download the apps, which will decrease their effectiveness. A study conducted by the University of Oxford suggests that in order for the aims of the apps to be achieved, there needs to be uptake of around 60% of a population. If consumers feel their privacy is at risk, that figure will not be achieved.

Current perceptions about the privacy protections of COVID-19 contact tracing apps were explored in a recent survey conducted on behalf of the antivirus firm Avira on 2,005 individuals in the United States. 71% of respondents said they do not plan to use the apps when they are made available. 44% were concerned about digital privacy, 39% said the apps provided a false sense of security, 37% said they did not think the apps would work, and 35% do not trust app providers.

Please see the HIPAA Journal Privacy Policy

The survey revealed most consumers do not trust Apple and Google to protect the data collected by the apps. Only 32% of respondents said they trusted the companies to protect their sensitive data, even though both companies have taken steps to implement privacy and security controls. There is even less trust in the government. Only 14% of respondents said they would trust contact tracing apps provided directly from the government. 75% of Americans said they believe their digital privacy would be placed at risk if COVID-19 contact tracing data was stored in a way that government and authorities could access the data.

In the letter, which was signed by 39 state attorneys general, concern was raised about the proliferation of contact tracing apps in the Google Play and Apple App Store. These apps are typically free to download and use and offer in-app adverts to generate revenue. Rather than using Google and Apple’s API and Bluetooth for identifying potential exposure, the apps rely on GPS tracking.

The state AGs also expressed concern that as more public health authorities start releasing contact tracing apps that use the Google and Apple API, it is likely many more developers will start releasing apps, and those apps may not incorporate the necessary privacy and security controls to comply with states’ laws.

Google and Apple were praised for the steps they have taken so far to ensure consumer privacy is protected but have been urged to go further. NAAG has requested any contact tracing app that is labeled or marketed as related to COVID-19 must be affiliated with either a municipal, county, state, or federal public health authority, or a hospital or university in the U.S. that is working with such public health authorities.

NAAG also called for Google and Apple to guarantee that all COVID-19 contact tracing apps will be removed from Google Play and the Apple App Store if they are not affiliated with the above entities, and for Google and Apple to pledge that all COVID-19 apps will be removed from Google Play and the App Store when the COVID-19 national public health emergency ends.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.