Privacy in the Age of COVID-19

The Washington Post reports that a recent poll they conducted shows that 3 out of 5 Americans are unable or unwilling to use an infection-alerting app that is being developed jointly by Google and Apple. About 1 in 6 adults can’t use the app because they don’t own a smartphone – with the lowest ownership levels for those 65 and older. People with smartphones evenly split between those willing versus unwilling to use such an app.

The major concern among those not willing to use such an app comes from the distrust people have about the ability or willingness of those two tech companies to protect the privacy of their health data. This unwillingness to use such an app, particularly after already seeing the impact that the virus is having on the economy is disturbing to scientists who have said that 60% or more of the public would need to use such an app for it to be effective.

This distrust of tech companies is nothing new. In November the Pew Research Center published the results of the survey that showed how Americans feel about online privacy. That study’s preliminary finding was that more than 60% of Americans think it’s impossible to go through daily life without being tracked by tech companies or the government.

To make that finding worse, almost 70% of adults think that tech companies will use their data in ways they are uncomfortable with. Almost 80% believe that tech companies won’t publicly admit guilt if they are caught misusing people’s data. People don’t feel that data collected about them is secure and 70% believe data is less secure now than it was five years ago.

Almost 80% of people are concerned about what social media sites and advertisers know about them. Probably the most damning result of the survey is that 80% of Americans feel that they have no control over how data is collected about them.

Almost 97% of respondents to the poll said they have been asked to agree to a company’s privacy policy. But only 9% say they always read the privacy policies and 36% have never read them. This is not surprising since the legalese included in most privacy policies requires reading comprehension at a college level.

There is no mystery about why people are worried about the collection of personal data. There have been headlines for several years talking about how personal data has been misused. The Facebook / Cambridge Analytica data scandal showed a giant tech company selling personal data that was used to sway voters. The big cellular companies were caught several times selling customer location data that lets whoever buy it understand where people travel throughout each day. Phone apps of all sorts report back location data, web browsing data, and shopping habits and nobody seems to be able to tell us where that data is sold. Even the supposed privacy advocate Apple lets contractors listen to Siri recordings.

It’s not a surprise that with the level of distrust of tech companies that it’s becoming common for politicians to react to privacy breaches. For example, a bill was introduced into the House last year that would authorize the Federal Trade Commission to fine tech companies to as much as 4% of their gross revenues for privacy violations.

California recently enacted a new privacy law with strict requirements on web companies that mimic the regulations used in Europe. Web companies must provide California consumers the ability to opt-out from having their personal information sold to others. Consumers must be given the option to have their data deleted from the site. Consumes must be provided the opportunity to view the data collected about them. Consumers also must be shown the identity of third parties that have purchased their data.

The unwillingness to use the COVID-tracking app is probably the societal signal that the hands-off approach we’ve had for regulating the Internet needs to come to an end. Most hands-off policies were developed twenty years ago when AOL was conquering the business world and legislators didn’t want to tamp down on a nascent industry. The tech companies are among the biggest and richest companies in the world and there is no reason to not regulate some of their worst practices. This won’t be an easy genie to put back in the bottle, but we have to try.

California’s New Privacy Law

If you use the web much you noticed a flurry of new privacy notices at the end of last year, either through pop-up notifications when you visited a website or by emails. These notifications were all due to the California Consumer Privacy Act, the new privacy laws that went into effect on January 1.

The law applies to companies that use the web and that have annual revenues over $25 million, companies that buy, sell or collect data on 50,000 or more consumers, and companies of any size that make more than 50% of their revenue by selling customer’s personal information.

The new law has a lot of requirements for web companies operating in California. Web companies must provide California consumers the ability to opt-out from having their personal information sold to others. Consumers must be given the option to have their data deleted. Consumers must be provided the opportunity to view the data collected about them. Consumers also must be shown the identity of third parties that have purchased their data.

The new law defines personal data broadly to include things like name, address, online identifiers, IP addresses, email addresses, purchasing history, geolocation data, audio/video data, biometric data, or any effort made to classify customers by personality type or trends.

The penalties for violating the law are severe. Consumers can sue web companies for up to $2,500 if they don’t offer these options by January 1 and up to $7,500 per violation if a company intentionally violates the law. It’s not too hard to anticipate the class action lawsuits already brewing that will result from this law.

While these new rules only apply to web companies and how they interact with California consumers, many web sites have taken the safe approach and are applying the new rules to everybody. That’s a safe approach because it’s difficult for web companies to always know where a web visitor is from, especially for people who use VPNs to hide their location.

California isn’t the only state with new privacy rules. Washington has new rules that are not as severe as the California ones but that still layer a lot of new requirements onto ISPs. New York is working on a privacy law that is said to be even tougher than the California one.

These state laws are only in place because Congress seems unable to pass a set of federal privacy rules. The issue has been debated over the last two years, and draft bills have been written, but no proposed law has come before the Senate for a vote, so the issue has gone nowhere. People are rightfully concerned that their data is being used and many people want the government to set some guidelines to protect them. The states are filling the legislative void in the absence of federal legislators taking action.

Web companies will face dilemmas with a proliferation of state privacy laws. Do they try to comply only with customers in a given state? What’s most concerning for web companies is that as more states pass privacy laws that some of the laws will inevitably conflict. There is also a big question about how these laws apply to foreign companies. The California law is written to apply to every company interfacing with California consumers. To complicate matters for web companies, European Union privacy rules are also tough and will inevitably conflict with parts of the California rules.

Like all new laws, this new law will be tested in court. The more interesting challenges will be how this law might impact companies from outside California. The $25 million of revenue is a low threshold and there are numerous companies across the country with revenues of that size that have likely done nothing in response to this law. If companies keep even the most rudimentary database of customer information, then theoretically they violate this law if anybody in the database resides in California. There are going to be lawyers trying to make a living from chasing companies that violate the law, and I doubt that it will take long for the lawsuit to surface.