Freshfields TQ

Technology quotient - the ability of an individual, team or organization to harness the power of technology

Are US companies required to use contact tracing technology?

This post is part of a series on contact tracing apps. You can read our introduction to the series and get links to the other entries here.

Some weeks ago, when COVID-19 contact tracing apps were entering the scene, my colleagues and I began to consider the legal implications. 

For the most part, contact tracing apps were meant to be tools to help individuals figure out if they'd been exposed to a person who's tested positive. (For that reason, people have rightly started referring to them by the more accurate moniker "exposure notification" apps.)

But could companies use the technology indirectly to protect their facilities? For example, could a business require customers, employees, and visitors to present their apps and then screen out people who might pose a risk? In other words, what if businesses become unintended, second-hand users of the apps?

We answered some of those questions in "round one" of this blog series. Next, in "round two," we asked ourselves what sorts of laws might constrain companies that wanted to go down this route. For our third and final round, we meant to explore whether workplace safety law or even general tort principles might affirmatively require companies to take this route. 

But as it turns out, in the US, the question is premature.  

The initial promise of contact tracing apps in the US was that major tech platforms would agree on a common system and everyone would have access to it. But those universal technologies are still not available. 

In the meantime, major tech platforms have released APIs that would enable individual states to establish their own contact tracing apps. That changes the character of the apps. The value of these apps is in their "network effects": the more people using a common app, the more effective its ability to identify exposure. State-by-state apps obviously will be somewhat less effective than a nationwide app. (Though by how much, I won't speculate.) Plus, only a few states have announced that they would develop contact tracing apps, according to the ongoing tracking at, and fewer than a handful have actually launched one, according to MIT Technology Review. Businesses can't be required to use something that doesn't exist. So for now, the answer to our third question is "no". 

Not only is the question unripe, but legislative developments may render it moot permanently.

Bipartisan legislation recently introduced into the US Senate is meant to regulate exposure notification apps. Most of the draft Exposure Notification Privacy Act consists of restrictions that apply to the people providing the apps. But buried at the end, it contains a critical provision that applies to what I earlier referred to as "unintended, second-hand users":

It shall be unlawful for any person or entity to segregate, discriminate against, or otherwise make unavailable to an individual or class of individuals the goods, services, facilities, privileges, advantages, or accommodations of any place of public accommodation (as such term is defined in section 301 of the Americans With Disabilities Act of 1990 (42 U.S.C. 12181)), based on covered data collected or processed through an automated exposure notification service or an individual’s choice to use or not use an automated exposure notification service.

In other words, you can't stop customers at the door and ask to see their contact tracing app. Well, I suppose, you could--but it would be pointless, because you couldn't then deny them access based on what you saw in the app or even whether the person was willing to show you their app in the first place. Denying that person access would constitute an unfair trade practice, and you'd be subject to enforcement actions by the Federal Trade Commission or state attorneys general.

Now, I can't say for sure that this legislation moots the question. First of all, it's less than a week old (as I'm writing this, the text hasn't even been uploaded to the Thomas database--it's only available on one of the sponsors' websites), so it's far too early to predict how the proposal will fare. And even if the bill did pass in its current state, it doesn't seem to apply to the employer-employee relationship, so presumably employers could still ask their employees to use exposure notification apps.

The bottom line, for now, is that there is no bottom line. In the US, the question that we had intended to answer will have to wait for another day. So stay tuned.
