From the New York attorney general’s office:
New York Attorney General Letitia James on Monday urged two of the world’s largest technology companies – Apple, maker of the iPhone, and Google, developer of the Android operating system – to take necessary steps to protect consumer information and privacy as New Yorkers and Americans across the country continue to battle the coronavirus disease 2019 (COVID-19).
In letters to both companies – which follow up on inquiries previously made by the AG’s office – James calls on Apple and Google to ensure that existing and future third-party contact tracing apps published through Apple’s App Store and Android’s Play Store do not inappropriately collect and retain users’ sensitive information. She seeks the companies’ help in preventing untrusted third-party apps from collecting sensitive personal health information, minimizing invasive data collection, and ensuring appropriate deletion of consumer information. James also asks the companies to make clear to consumers the difference between apps launched by governmental public health agencies, meant to notify individuals they may have been exposed to the virus, and third-party contact tracing apps, which could possibly take advantage of consumers for financial gain.
“As businesses open back up and Americans venture outdoors, technology can be an invaluable tool in helping us battle the coronavirus,” James said. “But some companies may seek to take advantage of consumers and use personal information to advertise, mine data and unethically profit off this pandemic. Both Apple and Google can be invaluable partners in weeding out these bad actors and ensuring consumers are not taken advantage of by those seeking to capitalize on the fear around this public health crisis.”
Today’s letters follow recent announcements by both Apple and Google, in which the companies stated that a joint framework would enable certain “exposure notification” apps on iPhones and Android phones to notify consumers when they have come in contact with and may have been exposed to someone with COVID-19. This exposure notification framework was designed to protect consumer privacy, and only apps affiliated with federal or state public health agencies are permitted to make use of the framework. Moreover, the specific apps that use this exposure notification framework are unable to access a device’s geolocation information and are prohibited from using consumer information for targeted advertising or any other purposes unrelated to COVID-19 response efforts.
Unfortunately, however, third-party contact tracing apps are not subject to the same requirements as apps affiliated with governmental public health agencies that rely on the exposure notification framework. James has therefore asked Apple and Google to commit to increased oversight of these apps by:
√ Only permitting apps affiliated with federal or state public health agencies to collect sensitive, personal health information from consumers, such as COVID-19 test results;
√ Prohibiting third-party contact tracing apps from collecting and using consumer information for targeted advertising;
√ Prohibiting third-party contact tracing apps from using data to identify anonymous users; and
√ Requiring third-party contact tracing apps to delete consumer information on a rolling, 14-day basis, and to provide consumers with an easy-to-use mechanism for deleting their information.
James’ letters also urge Apple and Google to require third-party contact tracing apps to clearly disclose to consumers that they do not use the exposure notification framework available to governmental public health agencies. Additionally, the AG said she wants these two companies to ensure that consumers can provide informed consent before using a third-party contact tracing app by requiring the apps to disclose the type of data they are collecting and how consumers will be tracked.
In an effort to minimize the risk of personal information being shared without consent, James recommends consumers remain vigilant when downloading third-party apps that purport to offer contact tracing. Consumers should always check with the Apple App Store or Android Play Store for information on what entity operates the app and whether the app collects geolocation information or other data.