Contact Tracing Raises Privacy Issues for Businesses to Consider

October 22, 2020 | Privacy, Data & Cyber Law

As more and more businesses throughout the state resume operations after the COVID-19 pandemic shutdown, they face a continuing concern about the virus from customers, employees, and vendors who come to their facilities. Many organizations have instituted temperature checks and inquire about symptoms, out-of-state travel, and other issues in an attempt to weed out individuals who might be ill and contagious. State and federal authorities have put forth a variety of guidelines explaining how companies can properly and fairly institute these procedures.

Other steps, most notably masks and social distancing, also can help tamp down transmission of the virus. But one of the most powerful tools available to fight COVID-19 is known as “contact tracing,” which has long been used to limit the spread of everything from tuberculosis and measles to HIV and Ebola.

Companies considering whether to suggest, or even to require, contact tracing for employees or others must consider a host of legal issues, including privacy. This column describes contact tracing, focusing on how technology has made it a more powerful weapon against viruses and diseases than ever before. Then, after discussing how privacy concerns are implicated, this column will review a bill passed by the New York State legislature with respect to the confidentiality of contact tracing information of individuals who have contracted the virus or who have come in contact with another person with a confirmed or probable diagnosis.

What Is Contact Tracing?

Simply put, contact tracing is the process of contacting all people who have had contact with someone who has tested positive for COVID-19. Contact tracers work with people who have tested positive for COVID-19 to identify people they have had contact with and to let those individuals know they may have been exposed to the disease. This can mean that a person who has tested positive for COVID-19 may be asked for the names and addresses of all people he or she met with while contagious. See “New York State Contact Tracing,” available at,Your%20participation%20is%20confidential.

New York State began a contact tracing program in May 2020 as part of its effort to stop the spread of COVID-19 and to move toward reopening the state. The plan envisions an “army” of contact tracers to help identify COVID-19 positive individuals and who they have been in contact with and to isolate those who may have been infected. The state estimated that there would be 30 contact tracers per 100,000 individuals.

The New York State contact tracing program is an example of a program that involves a great deal of tedious legwork, with in-person visits, calls, and follow-up. Technology, however, has done for contact tracing what it has done for other aspects of modern life, as reflected in the contact tracing app, COVID Alert NY, launched earlier this month by New York State, available at

The App

The webpage for the COVID Alert NY app describes it as a “voluntary, anonymous, exposure-notification smartphone app.” The app collects information provided by a user, if the user chooses (i.e., the county the user lives in and the user’s gender, age-range, race, ethnicity, and symptoms), as well as information generated by using the app itself. The data is recorded anonymously.

If a user has logging enabled, the “Exposure Notification” feature within the user’s smartphone’s operating system collects the random codes of other smartphones that are within six feet of the user’s phone for longer than 10 minutes. If the user is in close contact with someone who tests positive for COVID-19, the app will share the most recent date that the user was in close contact with that person. The user’s phone automatically shares the phone’s IP address with the back-end server for the purposes of logging exposures. The app uses the IP address in its communication with the server to request exposure information but does not collect or store the IP address of the user’s phone itself. The server also does not store the user’s IP address, in a stated effort to ensure anonymity with all app users. Knowing about a potential exposure allows the person receiving the exposure notification to self-quarantine immediately, get tested, and reduce the potential exposure risk to family, friends, neighbors, co-workers, and others.

The app provides users with data as to how fast COVID-19 is spreading statewide and by county; allows users to note symptoms and how they feel on a health log; explains what to do if a user tests positive for COVID-19; and discusses the precautions a user who has tested positive should take to limit the risk of spreading COVID-19 to others (e.g., stay home; do not have visitors; use a separate bathroom; wash hands; etc.).

The more people who download the app, the more effective it will be because it will be able to trace more people who test positive and notify more people who were in close contact with someone who has tested positive.

The app is free and is available to anyone 18 or older who lives, works, or attends college in New York. The app is available in English, Spanish, Chinese, Bengali, Korean, Russian, and Haitian Creole.

The Privacy Concerns

The app has a detailed “Data and Privacy Policy.” It explains that exposure logging and notifications “are completely anonymous” and that users “will not be able to identify anyone that potentially exposed [a user] to COVID-19, and others will not be able to identify [a user] if [the user] potentially exposed them.” Moreover, a user’s information “is completely private and confidential. The app does not collect [a user’s] name or personal information.”

The app explains how a user can delete his or her personal information, the log of exposures, and any COVID Alerts the user received.

Notwithstanding the app’s stated policy, contact tracing has led to many privacy concerns being raised and questions about the privacy protections for the data collected during contact tracing. Among other things, some have wondered whether contact tracing data might be used by law enforcement or immigration authorities or to track a user’s location, contacts, doctors, or other people the user visits, and whether it might be subject to disclosure as a result of a cyberattack.


A number of bills have been introduced in New York in an effort to deal with privacy concerns stemming from contact tracing, whether through the COVID Alert NY app or otherwise. At present, the bill that appears most likely to become law is S. 8450-C/A. 10500-B, which passed both the New York State Assembly and Senate and at this writing is awaiting review by Governor Andrew M. Cuomo. See

S. 8450-C would amend Article 21 of the New York State Public Health Law by adding a new Title 8. Section 2180 of the new title would set forth various definitions, including for “contact tracing,” “contact tracing information,” “principal individual” (i.e., an individual with a confirmed or probable diagnosis of COVID-19); and “contact individual” (i.e., an individual who has or may have come in contact with a principal individual or who has or may have been exposed to and possibly infected with COVID-19).

Importantly, the “permitted purposes” for which contact tracing information may be disclosed under the bill are limited to “facilitating a legally-authorized public health-related action, in relation to a specified principal individual or contact individual, where and only to the extent necessary to protect the public health” plus two much narrower categories (i.e., where necessary to provide emergency care to an individual and in specified litigation).

The heart of the bill is a new Section 2181, which would:

  • Require that all contact tracing information be kept confidential and prohibit it from being disclosed except as necessary to carry out contact tracing or a permitted purpose;
  • Authorize an individual to waive confidentiality in a written, informed, and voluntary waiver in plain language understandable to the individual;
  • Authorize the disclosure, possession, or use of contact tracing information that has been de-identified for public health or public health research purposes and require technical safeguards against re-identification;
  • Prohibit contact tracers and entities from providing contact tracing information to law enforcement or immigration authorities except for permitted purposes;
  • Direct that state and city authorities enact regulations on technical safeguards for data storage, transmission, and use that are at least as protective as apply to other confidential information; and
  • Require non-governmental entities (such as private contractors hired for contact tracing programs) to expunge or de-identify information in their possession within 30 days of receiving it, while allowing for an additional 15 days if actively engaged in contact tracing using that information and the individual consents.

As can be seen, a number of the provisions of S. 8450-C apply to businesses involved in contact tracing and would require that they take steps consistent with the bill, upon it becoming law. Businesses contemplating becoming involved in contact tracing in one way or another should be advised as to the requirements of S. 8450-C and how best to comply.


Other bills in New York, see, e.g., A10500 and S8450A (available at and, respectively) and S8448D (available at, also seek to address privacy concerns relating to contact tracing, but at this point their future remains unclear.

What is clear, however, is that contact tracing can help to control the spread of COVID-19 while the economy regains strength. Businesses that encourage the use of contact tracing by those with whom they interact can help to control the pandemic while supporting the economy. When privacy issues are adequately addressed, willing participation in contact tracing is likely to increase, to the benefit of us all.

Reprinted with permission from the October 22, 2020 issue of the New York Law Journal. © ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.


Share this article:

Related Publications

Get legal updates and news delivered to your inbox