The New Frontier of Digital Proximity Tracing

July 01, 2020|11:27 a.m.| ASTHO Staff

As state, local, territorial, and tribal (SLTT) health departments continue to cautiously reopen parts of their economy, they also continue to take necessary measures to prevent the spread of COVID-19. A major component of this work is traditional contact tracing, a staple of public health surveillance where public health workers track down and notify anyone who might have contact with someone who tested positive for an infectious disease. However, new strategies that would supplement traditional tracing have been gaining momentum.

Google and Apple collaborated to create an application programming interface (API) platform for public health agencies interested in a new type of “proximity tracing” or “exposure notification.” The platforms are expected to assist in the creation of apps between software developers and public health jurisdictions. It specifically utilizes Bluetooth technology —readily available in cellular devices—to randomly generate temporary keys on a user’s device when a user downloads an exposure notification application. This then enables the application to alert an individual if they have been or potentially exposed to someone who also uses the application and who tested positive for COVID-19. It’s worth noting the platform created by Google and Apple does not collect location information or information of users who do not voluntarily mark themselves as being positive for COVID-19. There are other notable exposure notification apps being used by SLTTs including Care19, an app developed by ProudCrowd that’s currently being used in North Dakota and South Dakota. Also, CommCare, which is currently being used in New Jersey and was developed by Dimagi.

As expected, the introduction and potential influx of these types of apps have brought many different concerns, primarily centered around data privacy and how the platforms and applications would protect, store, and safely discard information that it collects. This issue became of interest to Sen. Maria Cantwell, current ranking member of the Senate Committee on Commerce, Science, and Transportation. In response she drafted S. 3861 Exposure Notification Privacy Act, which proposes assistance to public health jurisdictions exploring exposure notification applications and technologies. The act would ensure that such platforms have the necessary capacity to protect the personal data of consumers, limit the type of data collected, as well as the type of entities that would have access to such data. In addition, the legislation also: reaffirms the role of public health officials in requiring their involvement in the development and deployment of exposure notification systems; requires that participation from individuals be on a voluntary basis and with consumer consent; limits the collection and use of data; prohibits commercial use of data; and permits participants to delete their data at any time; among other things. The legislation was recently co-introduced with Sens. Bill Cassidy and Amy Klobuchar, and received support from the Washington State Department of Health, Council of State and Territorial Epidemiologists, and the National Coalition of STD Directors. This legislation is currently pending in the Senate and it is unclear if it will be considered in the upcoming months.

There is also movement in state legislatures to address the use of technology. In California, legislation (AB 660) was introduced that would require any state agency contract that uses a mobile device’s geolocation data for exposure notification to a communicable disease to include provisions requiring the contractor to inform the app user of the authorized purposes of the app and collected data. Another bill (AB 1782) introduced in the state would require public health entities and businesses offering exposure notification services to allow users to revoke consent for the collection, use, maintenance, or disclosure of the user’s information. Businesses that provide exposure notification services but are not affiliated with a public health entity would be required to disclose its non-affiliation. The bill would also require the encryption of data collected by the technology, limit the use of the data as well as the amount of time the data can be maintained, and require reported exposures be verified by a healthcare provider before notifying logged contacts of their potential exposure.

In New York, companion bills were introduced (A 10583A and S 8448B) that would establish requirements for the collection and use of emergency health data and the use of technology for collecting data during the COVID-19 emergency. Specifically, the bill requires the disclosure of certain information to those who install and use data collecting apps on mobile devices, including information about the right to opt-in, the right to privacy, the app’s privacy policy, time limitations for maintaining the data, and the individual’s right to access the data. Unlike the bills in California, individuals in New York would be able to sue for violations of the law.

Several SLTT’s are currently either exploring, developing, or implementing proximity tracing applications within their respective jurisdictions. It remains critical that SLTT health departments evaluate the implementation of any proximity tracing option, while concurrently evaluating pertinent data and privacy related issues that may arise with the collection and sharing of information from individuals. In the coming days, ASTHO plans to release a guide to assist health officials as they think through the critical functionalities, technological options, and implementation of these emerging technologies. ASTHO will continue to track and monitor legislation that seeks to address data and privacy concerns with proximity tracing and exposure notification applications.


Jeffrey Ekoma is the director of government affairs at ASTHO.