Attorney General pens letters to Apple, Google urging them to protect consumer privacy on COVID-19 tracing apps

New York State Attorney General Letitia James announced Tuesday that the state reached a settlement with BronxCare Health System for illegally billing sexaul assault victims for forensic rape exams.
File photo

Attorney General Letitia James is calling on two major tech companies to protect consumer information and privacy as New Yorkers and Americans across the country continue to battle COVID-19.

In letters penned to Apple and Google, AG James is urging both companies to make sure that existing and future third-party contact tracing apps published through Apple’s App Store and Android’s Play Store do not inappropriately collect and retain users’ sensitive information. The letter also asks that the companies make it clear to consumers the difference between apps launched by governmental public health agencies, meant to notify individuals they may have been exposed to the virus, and third-party contact tracing apps, which could possibly take advantage of consumers for financial gain.

“As businesses open back up and Americans venture outdoors, technology can be an invaluable tool in helping us battle the coronavirus,” said Attorney General James. “But some companies may seek to take advantage of consumers and use personal information to advertise, mine data, and unethically profit off this pandemic. Both Apple and Google can be invaluable partners in weeding out these bad actors and ensuring consumers are not taken advantage of by those seeking to capitalize on the fear around this public health crisis.”

The letters follow recent announcements made by Apple and Google, in which the companies stated that a joint framework would enable certain “exposure notification” apps on iPhones and Android phones to notify consumers when they have come in contact with and may have been exposed to someone with COVID-19. While the apps are unable to use exposure notification framework are unable to access a device’s geolocation information and are prohibited from using consumer information for targeted advertising or any other purposes unrelated to COVID-19 response efforts, third-party contact tracing apps are not subject to the same requirements as apps affiliated with governmental public health agencies that rely on the exposure notification framework.

Attorney General James has therefore asked that Apple and Google commit to increased oversight of these apps by:

  • Only permitting apps affiliated with federal or state public health agencies to collect sensitive, personal health information from consumers, such as COVID-19 test results;
  • Prohibiting third-party contact tracing apps from collecting and using consumer information for targeted advertising;
  • Prohibiting third-party contact tracing apps from using data to identify anonymous users; and
  • Requiring third-party contact tracing apps to delete consumer information on a rolling, 14-day basis, and to provide consumers with an easy-to-use mechanism for deleting their information.

The letters also call on the two companies to require third-party contact tracing apps to clearly disclose to consumers that they don’t use the exposure notification framework that is available to governmental public health agencies. Additionally, Attorney General James wants these two companies to ensure that consumers can provide informed consent before using a third-party contact tracing app by requiring the apps to disclose the type of data they are collecting and how consumers will be tracked.