The coronavirus/COVID-19 global pandemic has permeated and impacted all facets of life, including public health and privacy. In fact, the broader protection of public health as an objective has collided with prevailing considerations of privacy rights, especially when it comes to the health privacy of citizens. Should an individual's privacy rights yield to the overarching common good of public health in the face of a pandemic?
The Federal Trade Commission ("FTC") says it's not quite a "zero-sum game." The FTC says it's possible to strive for a balance between the common good and prevailing privacy considerations. To aid in this effort to find that balance, the FTC offers several tips[1] that businesses could use as guidance in order to leverage consumer data in a privacy-centered way.
Consider Privacy and Security as You're Developing Your Products and Services, and Not After Launch.
Do not rush to bring a product to market. Although the FTC will be flexible and reasonable when it comes to bringing enforcement actions against companies engaged in good faith, thoughtful efforts to address the effects of the pandemic, it doesn't pay to be in the news for privacy and security problems, and then have to retreat to address them.
Use Privacy-Protective Technologies
There are many engineering tools that can preserve consumer privacy while getting the data you need to combat the coronavirus. For instance, researchers have developed privacy-friendly, decentralized protocols that allow users to voluntarily share encrypted data directly with epidemiologists.
Consider Using Anonymous, Aggregate Data
Using anonymous, aggregated location data for public health purposes will allow you to sidestep many of the privacy concerns related to tracking individuals' location. For example, if a consumer has granted you permission to use their location data, nothing would prohibit you from disclosing a heat map of average distances traveled for public health purposes. A consumer's consent for this use of aggregate, anonymous data would not be required.
Delete Data When the Crisis Is Over.
If you tell consumers you're collecting, analyzing, using, or sharing information for emergency public health purposes, only use it for those purposes, and delete the data when the need is over. This idea of "purpose limitation" or "use limitation" has been a standard tenet of privacy norms over the years. And it also forms the basis of an allegation we made in our 2019 Facebook complaint, where we alleged that the company violated the FTC Act by claiming that it collected users' phone numbers for a consumer-protective security purpose, but used the information for advertising as well.
As stated above, the path towards managing data in light of the pandemic is not impossible and can be done with a little creativity and patience.
RFL – Here to Help
As always, the professionals at Rosenberg Fortuna & Laitman, LLP are available to assist and answer any questions you may regarding these issues. Please do not hesitate to contact us.