Since President Donald Trump touted Verily’s Project Baseline testing service as a key part of the nation’s coronavirus response, the corporate cousin of Google has opened testing sites in nine cities in California and two-dozen in Rite Aid pharmacies in eight other states, and conducted more than 30,000 tests.
Users can sign up by creating a Google account or using an existing account, then submit information on Verily’s website and be sent to an in-person testing site if they qualify for the test.
But in the two months since Verily rolled out the testing sites in California, advocates and lawmakers have been warning the Alphabet subsidiary may not be in compliance with California’s strict new privacy law that requires companies to give detailed, clear information to consumers on what kind of information it’s collecting.
“What is concerning is that the state of California is partnering with these private companies, I think probably out of desperation, but there is very, very sensitive information that’s at stake,” said Mary Stone Ross, an Oakland-based consumer privacy expert. “There’s no reason why they don’t put safeguards in place to make sure that it’s protected.”
“California is partnering with these private companies, I think probably out of desperation, but there is very, very sensitive information at stake.”
Ross helped state lawmakers write the California Consumer Privacy Act, a sweeping state law that just went into effect in January and that has been described as the strictest law of its kind in the country. She said Verily is not complying with the letter of the law because it does not list on its website every category of personal information it collects from users, referencing the exact language used in the law.
Ross said Project Baseline’s privacy policy is confusing, presented in paragraph form, and worded too vaguely for consumers to fully understand all categories of information the company likely collects. Ross said it should list, for instance, whether it collects biometric or geolocation information and other data types.
As an example of how it should be done, she pointed to the website of the health tracker FitBit, where every category is listed just as it appears in the text of the law.
Moreover, Verily’s privacy policies are mentioned in several locations and posts on the company’s website. For instance, the privacy policy website for Project Baseline says the company may collect several types of information, like name, email address, home address, phone number and information included in responses to the questionnaire, where users are asked recent travel history, among other things.
On a separate privacy policy on the website of Verily, which does broader life-sciences research than just COVID-19 testing, the company discloses that it could collect web browsing data. And since the service requires users to sign up for a Google account, Google would presumably have access to broader personal data, like billing information, according to Google’s privacy policy.
Trusting the system
“The way for contact tracing to work properly is that people have to trust the system,” Ross said. “Like, you want them to disclose a lot of information. And so if, if there’s no trust there, then I think it’ll be limited in its effectiveness.”
Though Ross has not used the testing service, she decided to check their disclosure policies and sent a request to Verily to see all “categories and the specific pieces of personal information that Verily has collected about me.” The company has not yet responded.
California Gov. Gavin Newsom’s office referred a request for comment to Verily and to the state’s health department. The health department did not respond to questions by press time.
Verily spokeswoman Carolyn Wang contended that the company does follow the California privacy law in its collection of data, and pointed to its privacy policies on the Project Baseline website. She said Verily does not collect any information other than what it specifically mentions on the website, and does not collect biometric or geolocation data.
“We disclose all of the categories of personal information collected in detail in the privacy policy,” Wang said. “We’re not collecting any data beyond that.”
Still, state and national lawmakers aren’t satisfied with those disclosures, and several are now asking questions. Democratic Sen. Hannah-Beth Jackson, the chairwoman of the State Senate Judiciary Committee, sent a letter to Newsom last week calling for broader transparency in what data is collected, assurances that only the minimum amount of data necessary is being collected, and guarantees about how the data is being shared, among other things.
“Although these efforts are critical to getting us back up and running, they also raise serious privacy concerns that must be addressed,” she wrote. “We must not lurch toward the dystopian world of Aldous Huxley’s ‘Brave New World’ or George Orwell’s ‘1984’ as the price of protecting our health and safety — nor do we have to.”
Lack of oversight
Jackson’s letter comes weeks after Verily CEO Andrew Conrad said the company would not sell data or use it for commercial purposes. That came in reply to a March letter from Democratic Sens. Bob Menendez, (N.J.), Sherrod Brown, (Ohio), Cory Booker, (N.J.), Richard Blumenthal, (Conn.) and Kamala Harris, (Calif.), expressing concerns, among other things, that Verily requires users to use a Google account to sign up for testing, which could lead to health information being packaged with other information Google already has to profile users.
More broadly problematic is the fact that there seems to be little oversight of the company, said Samantha Corbin, a lobbyist who represents privacy groups in California. For example, the California privacy law passed in January is not going to be fully enforced until July.
“The expectation is the [California] Attorney General’s office isn’t going to actually enforce the law until July,” she said. “If it is enforced, this is light-touch enforcement. There’s not a lot of teeth to this. So good luck catching me first, and then if you do, this is not the end of the world for me as a major tech conglomerate.”
A spokeswoman for California Attorney General Xavier Becerra declined to comment.
States are largely left to their own devices because Verily is not covered by the Health Information Portability and Accountability Act, or HIPAA, a federal law that governs privacy of health records.
In an April letter to Trump son-in-law and senior adviser Jared Kushner, Sens. Mark Warner, (D-Va.) and Richard Blumenthal, (D-Conn.) and Rep. Anna Eshoo, D-Calif.), expressed broad concerns about the administration’s testing policies, and specific concerns about Verily.
“That site is inexplicably not covered under HIPAA,” they wrote. “We have seen numerous examples of the limits of HIPAA undermining the strong protections we have come to expect of our sensitive health information.”
Cover: A person displays their documentation behind the rolled up car window, to enter the Verily coronavirus free drive-up testing site at Cal Expo in Sacramento, Calif., Friday, March 27, 2020. (AP Photo/Rich Pedroncelli)
