Sandra Jeskie

As countries grapple with the global threat of COVID-19, some are leveraging user location data and tracking apps to model potential contamination paths. China has tapped into its facial recognition tools to track the virus and has deployed drones that tell people to wear masks. Singapore has launched an app called TraceTogether which uses Bluetooth to determine who could be at risk of infection. And the United Kingdom is reportedly in talks with telecom providers on how to best use location data to stem the crisis. 

But the coronavirus turning the world upside down does not mean companies can throw out the General Data Protection Regulation and the California Consumer Privacy Act, as well as other privacy protections. Here’s how law experts and companies can comply with existing legal standards and new norms set by the pandemic.

Sandra Jeskie, Duane Morris’ team lead for the technology, media and telecom industry group, said in an email that businesses under GDPR or CCPA still have to comply with the laws unless the information they are sharing is anonymized or de-identified.

If companies find a new application for users’ personal information, they might have to send out an updated notice. “That notice usually comes in the form [of] a privacy policy and with regard to CCPA, notice must be provided at or before collection of personal information,” she said. “So, to the extent a business previously collected personal information for a specific purpose, as reflected in its privacy policy at the time the information was collected, it cannot use that information for a different purpose without notice to the individual.” [...]

Reprinted with permission from The Recorder, © ALM Media Properties LLC. All rights reserved.