Client Alert

June 9, 2020

Contact-Tracing Apps: A Delicate Balancing Act of Workplace Safety and Privacy Rights


As the patchwork of state and local stay-at-home restrictions lightens, organizations are exploring safe return-to-work options, including the use of contact-tracing mobile apps for employees while on company premises.  Such a program raises novel data privacy and security concerns.

The app is downloaded on a smartphone and uses Bluetooth technology to identify other app users with whom an individual comes into contact within a predefined range.  The app logs the length of time one has been in contact with other users (or rather their phones) and the distance between them, based on Bluetooth signal strength.  If an app user tests positive for COVID-19, they can then enter their positive status into the app, and the app identifies and notifies the other users with whom the individual has come into close contact before diagnosis.

Although there is no express authority from agencies regarding employer-mandated contact-tracing app programs, guidance from the Occupational Safety and Health Administration (OSHA), Equal Employment Opportunity Commission (EEOC), Centers for Disease Control and Prevention (CDC), and the White House provides helpful support.

OSHA’s worker-protection mandate, coupled with its acknowledgement of contact-tracing as part of a control plan, suggests that use of contact-tracing technology by employers to protect their workers would be permissible.  Under OSHA, employers have a duty to furnish workers with “employment and a place of employment, which are free from recognized hazards that are causing or are likely to cause death or serious physical harm.” [1] (Occupational Health and Safety Act of 1970, § 5(a)(1).)  Although OSHA has not issued guidance on the use of contact-tracing technology in the workplace, it has discussed (in a limited fashion) contact-tracing in certain industries.  CDC and OSHA jointly have issued interim guidance for the meat packing industry, and directed that as part of a COVID assessment and control plan, meat packing plants “should consider the appropriate role for testing and workplace contact-tracing (identifying person-to-person spread) of COVID-19-positive workers in a worksite risk assessment.” [2] (last updated May 12, 2020).

The EEOC has determined that the COVID-19 pandemic meets the “direct threat” standard under the Americans with Disabilities Act (ADA) as of March 2020—that is, there is a significant risk of substantial harm by having somebody with COVID or its symptoms present in the workplace. [3] (Oct. 9, 2009, as updated Mar. 21, 2020).  Although the EEOC has not provided guidance on the use of contact-tracing apps, it does permit certain analogous inquiries and medical examinations by employers related to COVID, including that an employer may:

  • Ask employees who feel ill at work or call in sick questions about their symptoms to determine if they have or may have COVID;
  • Take employees’ temperatures to determine whether they have a fever;
  • Administer a COVID test before permitting employees to enter the workplace;
  • Ask whether the employee is returning from a location (for business or personal reasons) from which the CDC recommends that returning visitors self-quarantine;
  • Require that employees adopt infection-control practices upon return to the workplace (e.g., regular hand washing and social distancing);
  • Require that employees wear personal protective equipment designed to reduce transmission (e.g., face masks, gloves, gowns); and
  • Where a manager confirms that an employee has COVID, or symptoms associated with the disease, interview the employee to get a list of possible people with whom the employee had contact through the workplace so that the employer can notify those who may have come into contact with the sick employee. [4] (EEOC Pandemic Preparedness, at §§ B.6, B.7, B.8, B.11, B.12; (updated May 5, 2020); (Mar. 27, 2020).)

The White House has heralded the importance of contact-tracing as a means to reopen the economy.  For example, on its “Opening Up America Again” webpage, the White House suggests that employers “[d]evelop and implement policies and procedures for workforce contact-tracing following employee COVID+ test.” [5]

Even with this guidance, organizations still must be cautious about how they implement an employee-mandated program, including evaluating what information is being collected, how it is being collected, from whom, usage and processing parameters, information protections, and with whom information is being shared, if anyone.  The California Consumer Privacy Act and General Data Protection Regulation should be top-of-mind considerations for organizations subject to their provisions.

Concerns about personal privacy recently have led lawmakers in Congress from both parties to introduce COVID-19 related privacy legislation.  Though still pending, the legislation suggests an increasing sensitivity to personal data implicated by COVID-19.  On May 7, Republican members of the Senate Commerce Committee introduced the “COVID-19 Consumer Data Protection Act,” which would put in place rules regarding the collection, processing, and transfer of geolocation data, proximity data, persistent identifiers, and “personal health information” during the COVID-19 public health emergency, subject to certain exceptions and exclusions.  One week later, on May 14, a group of Democratic lawmakers introduced the “Public Health Emergency Privacy Act,” which also restricts the collection, usage, and disclosure of certain data during COVID-19, but defines covered data more expansively than the Republican bill and contains stronger protections for individual rights, including a private right of action and a non-preemption clause. 

The use of contact-tracing apps reinforces the uncharted legal waters in which organizations find themselves during the COVID-19 public health emergency.  Organizations seek to provide a safe workplace for their returning personnel while at the same time attempting to avoid creating risk under privacy laws.  Before deploying an employee-mandated contact-tracing program, organizations should prepare for and plan out what deployment will look like, including:

  • Vet the app provider’s data privacy and security program;
  • Ensure that the data is securely collected and maintained and limited to the minimum amount necessary to accomplish the program’s purpose;
  • Develop and circulate advance notice to employees describing what is being done, why, and how;
  • If the organization does not issue smartphones to all of its workforce, evaluate the legal implications (including wage and hour and tax) of requiring employees to download the app to personal devices; and
  • Ensure that the collection of contact-tracing information is not counter to existing privacy policies or notices.

To succeed, there must be meaningful buy-in from employees, including downloading the app, carrying their smartphones with them when onsite, and promptly and accurately updating information on the app if they receive a positive diagnosis.  Persuasively communicating that the program is limited in reach and designed for workplace safety (versus employee monitoring) will go a long way to accomplishing that goal.