Pandemic contact tracing is an important tool. Operating such a tool while respecting personal privacy rights can be tricky. Just ask the state governments of North Dakota and South Dakota.
The app did send data to personal marketing companies. According to privacy watchdog Jumbo Privacy, the Care19 app had built in lines of code that sends location and identification data to third-party companies including Foursquare, BugFender and Google. Some of these entities market to consumers using location data.
ProudCrowd developed Care19 as “a free mobile app . . . to help slow the spread of COVID-19 in North Dakota.” The app works by identifying individuals who may have had contact with people who have tested positive.
Individuals using the app are given a random ID number and the app will anonymously cache the individual’s locations throughout the day. The app will store location data for visits for 10 minutes or more, and the ID number of each individual contains no other personal information. Individuals who test positive for COVID-19 can consent to their information being sent to the state departments of health in order to conduct contact tracing.
In 2015, then FTC Director Jessica Rich expressed the significance of misleading privacy policies. Her statement included that “materially misleading statements or omissions about privacy or data security that are likely to mislead reasonable consumers, such statements or omissions are deceptive. The FTC has used this authority, for example, to challenge false and misleading claims about how companies use and share consumer data; whether they track consumers’ movements online; whether they are honoring consumers’ opt-outs; and whether they are delivering on promises to secure consumers’ financial and health data.” The FTC has brought hundreds of enforcement actions protecting the privacy of consumer information. Its enforcement actions have addressed practices offline, online, and in the mobile environment.