1. The Act covers companies regulated by the Federal Trade Commission
Financial institutions regulated by financial regulators, healthcare companies regulated by the US Department of Health and Human Services, and airlines and transportation companies regulated by the US Department of Transportation will want to determine if they are “covered entities” under the Act.
2. The Act covers a wide range of data processing related to COVID-19 management
The scope of the Act will likely include questionnaires administered to staff regarding their health status; temperature checks or facial imaging administered at workplace entrances; and manual and app-based contact tracing.
3. The Act requires opt-in consent of employees
Employers considering mandating that employees use contact tracing apps may need to shift gears. The Act also requires employers to provide detailed privacy notices and transparency reports to employees, a blueprint for gaining the trust and full participation of their workforce that is necessary for app-based contact tracing to achieve optimal results.
- Models by a team at Oxford University suggest that the epidemic could be stopped in the UK if approximately 60% of the population uses the app and adheres its recommendations. Even lower numbers of app users could have a positive effect: If the app is carefully implemented alongside other measures, such as testing and social distancing, it has the potential to substantially reduce the number of new coronavirus cases, hospitalizations and ICU admissions.
- Americans are currently split on their willingness to use smartphone apps for contact tracing. Only 50% would download an app to alert them if they were in close contact with someone who tested positive for COVID-19, according to a survey from the Kaiser Family Foundation. Only 45% would share the names of their close contacts with public health authorities. Consumer understanding is evolving, and several surveys conducted in April reveal varying degrees of consumers’ willingness to share information under different conditions.
4. Employers will likely need qualified privacy engineers
The Act includes specifications for data de-identification that hackers can’t counter, along with data deletion protocols once COVID-19 management objectives have been met. Employers will not want to take any chances with the health, safety and privacy of their employees — or be second-guessed by regulators or judges. They will want to meet the prevailing industry standards for implementing the privacy provisions of the Act.
5. The Act offers an opportunity to demonstrate employees do not have to give up privacy to participate
The Act offers an opportunity to demonstrate that employees do not have to give up privacy to participate in contact tracing efforts. As long as the privacy principles in the Act are followed, there’s an opportunity for employers and developers to show that contact tracing is trusted technology — not the necessary evil that some consumers think tech is, according to PwC’s survey on trust in tech.
- Tech providers like Apple and Google have created privacy-friendly APIs, ready for use by entities that favor privacy principles, such as prohibitions on location data collection and use in targeted advertising.