Maryam Casbarro of Davis Wright Tremaine takes a look at potential risks for firms, writing, in part:
The nature of contact tracing apps provides a number of parties in the data ecosystem with a broad set of data that could be used either purposefully or unintentionally and shared for purposes other than contact tracing. For example, it was recently revealed that public health authorities in North Dakota and South Dakota had rolled out a contact tracing app that shared location data with an outside location data aggregator, contrary to the app’s Privacy Policy.
Surreptitious data sharing (or other practices of the like) may expose the companies developing and/or deploying the contact tracing apps to typical privacy claims: collecting data beyond the scope of what the individual agreed to may lead to claims of intrusion upon seclusion, violation of constitutional rights to privacy, and breach of contract. Moreover, state laws, such as the California Consumer Privacy Act, permit consumers to prohibit sharing their data with third parties.
If the contact tracing technology collects more data than was consented to by consumers, or if the data—without notice or consent—is linked with other information about an individual to create profiles of specific individual consumers, the entities that develop and deploy the app may be subject to state “unfair and deceptive acts and practices” claims.
Read more on the firm’s Privacy & Security Law Blog.