March may seem like a distant memory, but it was just a few months ago that the United States was first confronted with the realities of the global coronavirus pandemic. As health experts, government leaders, and citizens struggled to understand the scope and severity of the rapidly growing pandemic, Verily, a subsidiary of Google’s parent company Alphabet, launched an ambitious program to help people obtain COVID-19 testing. But due to a lack of privacy protections of the sensitive health data the company was collecting from patients, it failed to gain trust among communities it was seeking to serve.
Dr. Noha Aboelata, head of East Oakland’s Roots Community Health Center, was frustrated by the COVID-testing service that Verily set up in her clinic. She explained to Kaiser Health News that the service, which required users to sign in to a Google account, reflects a long-standing problem: “Corporations that are not really invested in the community come helicoptering in, bearing gifts, but what they’re taking away is much more valuable.” What’s valuable, according to Dr. Aboelata, is the personal data collected about the Californians who sign up for testing.
Concern about Verily’s use of consumer data has led to a dramatic development: San Francisco and Alameda counties suspended COVID-testing contracts with the company. To some local officials, it became evident that the service didn’t meet a primary goal, to provide convenient COVID-testing services to communities that were hit hardest by the disease.
Why did Verily raise concerns? According to Dr. Aboelata in the Kaiser story, users were wary of the requirement to sign in to their Google accounts — or, if they didn’t have an account, to open one — in order to access the service. And, she says that they were concerned by language in the authorization form that allowed for certain data sharing.
While Verily claims that they need people to create Google accounts in order to authenticate applicants, to contact them during the testing process, and to place them on waitlists, all of those objectives can be achieved by using the applicant’s phone number or email address. Further, the Google account requirement raises a serious threat to consumer privacy. It gives Google the ability to track everything you do online — not only on Google, but on thousands of other websites as well. There’s simply no need for Verily to force people to create Google accounts to receive testing services.
People, especially those most affected by COVID, shouldn’t be forced to choose between their privacy and accessing critical health care services. This incident is particularly discouraging given the relative scarcity of testing options. Consumer Reports has called on Verily to remove the Google account requirement, and officials at the federal and local levels echoed those requests. Though California’s Health and Human Services Secretary Dr. Mark Ghaly wrote that they are working to address privacy issues, Verily’s website indicates that a Google account is still required to use Project Baseline.
To help ensure equal outcomes during a public health crisis, policymakers need to step up and provide privacy protections that are currently not available. Verily isn’t covered by HIPAA, the strong privacy law that limits the disclosure of data collected by healthcare providers and insurance companies. The California Consumer Privacy Act (CCPA), California’s new privacy law, gives consumers the right to stop the sale of their information to third parties, but it puts next to no limits on the collection and use of the data by a company such as Verily. The newly-passed, CR-supported Proposition 24 would provide new controls over the use of sensitive data, but not by default. In addition, most of the provisions of the new law don’t go into effect until 2023.
Moreover, people throughout the country need protections, not just in California. U.S. Senator Sherrod Brown’s Data Accountability and Transparency Act of 2020, for example, offers a good model to ensure that consumer privacy is protected by default. In the new Congress, legislators have the opportunity to set baseline privacy protections to help further efforts to address the COVID crisis. Otherwise, people seeking to protect their privacy while dealing with the ongoing pandemic may find themselves unable to access the services they need to stay healthy.