Bloomberg Law
May 7, 2020, 10:01 AM

Tech Companies Take Privacy Reins During Virus Absent U.S. Law

Daniel R. Stoller
Daniel R. Stoller
Senior Legal Editor

Technology companies helping to fight the coronavirus are policing themselves to protect consumer data in the absence of a comprehensive U.S. statute and only a few state privacy laws.

The companies are taking voluntary steps based on Europe’s privacy law, such as restricting the types of data they collect and stating upfront their specific purpose for gathering information.

But without federal laws requiring such steps, consumers may doubt that companies will actually follow through and protect their data, said Neema Singh Guliani, senior legislative counsel at the American Civil Liberties Union.

Such consumer distrust would complicate the challenge facing Alphabet Inc.'s Google, Apple Inc., and other companies as they try to leverage their digital expertise to stop the spread of the coronavirus without regulatory guardrails to boost confidence that privacy protections will be enforced.

“The last thing we want is a tool that people are afraid to use,” Guliani said.

Apple and Google are helping public health authorities create a system that uses Bluetooth tracking to alert citizens if they came into contact with someone who has the virus. The program’s success hinges on the willingness of Americans to voluntarily share the fact that they’ve been infected—and trust that their disclosure will be kept anonymous.

But 56% of smartphone users trust Apple, Google, and other tech companies “not too much” or “not at all” to maintain their anonymity through virus tracing apps, according to a Washington Post-University of Maryland poll taken April 21-26.

The companies say they’re taking privacy seriously during the virus, even without state and federal statutes.

“Privacy and security are always important,” said Kate Goodloe, policy director with BSA|The Software Alliance. Group members, including Microsoft, have built privacy protections “into their business models,” she said.

Company Efforts

Apple and Google aren’t alone in employing tools to help stop the spread of the coronavirus.

Microsoft Corp. has teamed up with the Centers for Disease Control and Prevention to create an automated system aimed at helping people check possible Covid-19 symptoms without overburdening the health care system.

Early Facebook Inc. investor Peter Thiel’s Palantir Technologies Inc. is leveraging its data-mining software to help governments predict when the next coronavirus outbreak will occur and where medical staff and supplies are most needed.

Fitbit Inc. teamed with Scripps Research and Stanford Medicine to see how wearables can help stop coronavirus spread. The company lets users share heart rate and other medical data with the academic institutions.

In Europe, a comprehensive data-protection law would regulate the companies’ efforts.

The General Data Protection Regulation, which took effect two years ago, lets consumers delete, access, and control data collected about them. It also requires companies to have a legitimate purpose for collecting data. The law requires them to build technical and procedural safeguards into their systems, known as privacy by design.

Not so in the U.S., where the explosion in use of digital networks, video conferencing apps, and other technology during the pandemic have revealed possible consumer privacy concerns, said Dan Jaffe, executive vice president of government relations at the Association of National Advertisers.

The coronavirus “has dramatically demonstrated the need for a national privacy law” in the U.S., Jaffe said. Still, Facebook, Google, and other ANA members are protecting “legitimate privacy concerns,” he said.

Apple said in a statement it supports the creation of a federal privacy law in the U.S. and has designed its exposure notification system to align with existing statutes, including California’s and Europe’s.

Courtney Bowman, head of Palantir’s global privacy and civil liberties team, said “privacy and civil liberties considerations are central to our work on Covid-19 response efforts domestically and elsewhere,” in an email.

Microsoft, Google, and Fitbit didn’t immediately comment.

U.S. Stumbles

Former President Barack Obama failed in his second term to persuade Congress to enact what he called the Internet Bill of Rights. The legislation would have created consumer rights to control, access, and delete personal data collected about them.

Legislative efforts stalled until late 2018, when Senate lawmakers, including Commerce Committee Chairman Roger Wicker (R-Miss.) and ranking member Maria Cantwell (D-Wash.), revived talks on a privacy bill after reports that Cambridge Analytica used millions of people’s Facebook profiles without permission for political advertising.

But in late 2019, the two lawmakers diverged, with Wicker releasing a draft privacy measure and Cantwell putting out her own comprehensive legislation. No markup has been scheduled on either bill.

Wicker now plans to introduce a bill, the COVID-19 Consumer Data Protection Act, which would give people the right to opt-out of data transfers, collection, and processing of personal health, geolocation, or proximity information. The Wicker bill also would mandate security protections and require data to be deleted after the pandemic, according to a draft of the measure.

At the state level, the California Consumer Privacy Act, which took effect this year, is the only comprehensive privacy law in the U.S. Nevada and Maine have statues that aren’t as far-reaching as California’s. The remaining 47 states and the District of Columbia lack such statutes.

Recent state efforts to enact privacy laws have stalled.

Work on a New York proposal by state Senate staff has slowed amid budget battles over the pandemic, said Joseph Jerome, director of multi-state policy at Common Sense Media. There likely won’t be time to consider the bill this year, he said.

The Microsoft-backed Washington Privacy Act failed earlier this year, in part because the coronavirus was spreading through the state as the legislative session closed. The bill was held up on the last legislative day by state Sen. Reuven Carlyle (D) because of disagreement over a proposed provision that would give citizens a right to bring lawsuits under the state’s consumer protection law.

Company Oversight

Absent a federal privacy statute, and so few state laws, tech companies are setting their own standards for how they will conduct contact tracing and other efforts to stop the spread of the coronavirus that causes Covid-19 disease.

Apple and Google have placed data-use limits on public health authorities that will collect consumers’ coronavirus information. They are requiring that the agencies get user consent before an app can use the proximity tracing tools, Apple and Google executives have said in media briefings.

The tech companies also told public health authorities that they should collect the minimum amount of data necessary for Covid-19 relief efforts and placed bans on the use of such data for targeted advertising.

Microsoft said it will get “meaningful consent” for data collection and be transparent about its purpose for doing so, according to its virus technology privacy principles released last month.

Data collected must have reliable security protections, such as using de-identified and encrypted data that limit hacking attacks, according to Microsoft. The company wants public health authorities to delete data collected for Covid-19 after the pandemic is over.

Justin Brookman, director of consumer privacy and tech policy at Consumer Reports, said that while the voluntary privacy efforts are welcomed, they don’t replace strong laws that force companies to act.

Americans will lack trust, he said, because the U.S. lacks “default rules to constrain data practices to what is reasonably necessary.”

BSA|The Software Alliance supports the creation of a federal privacy regime, but “companies should respect the privacy and security of data they hold, even without a national privacy law,” Goodloe said.

To contact the reporter on this story: Daniel R. Stoller in Washington at

To contact the editor responsible for this story: John Hughes at; Keith Perine at