When the Biden administration announced it wouldn’t mandate federal “vaccine passports” in early April, several states and a few private corporations moved forward with plans to roll out digital vaccine passports of their own. More recently, Republican governors from a handful of states issued executive orders to ban the use of vaccine passports and other documentation of vaccination on the grounds that they violate civil rights and privacy.
The lack of a federal privacy law leaves digital vaccine passports vulnerable to privacy breaches.
While vaccinations are the top priority for beating back the virus, these governors have a point in resisting vaccine passports for a few important reasons — even if they aren’t the reasons they cite: The lack of a federal privacy law leaves digital vaccine passports vulnerable to privacy breaches, they don’t solve the glaring problem of vaccination inequality, and, perhaps most dangerously, they risk reinforcing a system of haves and have-nots when our poor and marginalized communities are already suffering disproportionately in the pandemic.
So-called vaccine passports refer to systems or records that can verify that a person has been vaccinated against a disease — in this case, the coronavirus, which is still wreaking havoc around the world. In theory, governments and corporations could use vaccination verification systems to limit travel and grant access to spaces to only those who have been vaccinated. Hypothetically, this could allow vaccinated people to return to shopping centers, restaurants, theaters and even international travel with a lowered risk of viral transmission.
So while vaccine passports could help hasten the end of the pandemic, they also come with severe risks to privacy, equality and civil liberties. There are ways to design vaccine passport apps to preserve as much individual privacy as possible. But the problem with any solution is that we lack legal remedies for privacy violations and technological discrimination.
Vaccination verification systems can collect and store the sensitive personal and health information of potentially millions of people. At minimum, a vaccine passport app will have to include personal information such as your name and contact information, as well as at least enough medical information to confirm that you have been vaccinated. To verify that information, a vaccine passport app is likely to have to interface with state vaccination registration databases or with medical records from health care providers.
Any app that collects this much information is ripe for abuse.
Any app that collects this much information is ripe for abuse, and app developers must ensure that cybersecurity protections are in place to prevent hacking and unauthorized access. Furthermore, there are no guarantees of how user privacy will be protected. There are few legal limits to what data a vaccine passport app could collect, and things get complicated if people feel forced to use the apps to re-enter society.
Of course, there are ways to solve these privacy and security problems. Vaccine passport apps should collect as little information as possible — and only information that is strictly necessary to verify vaccinations. States and companies would need to promise not to sell the information collected by the apps — or, at the very least, not to sell the health information or other sensitive private information.
These apps should include clear privacy notices and warnings that give consumers the complete information they need to make informed decisions about whether to opt in or opt out of using the app. However, giving users privacy notices and opt-in consent choices is hardly enough to protect privacy, especially when sensitive health data is involved.
We don’t have many laws that could protect user privacy for vaccine passport apps. The protections of the Health Insurance Portability and Accountability Act, or HIPAA, wouldn’t apply in most cases, as these apps could be developed without any information’s being transmitted to or from HIPAA-covered entities like hospitals and clinics. Even if a vaccine passport app suffered a major breach, consumers have legal rights in most states to be notified about data breaches only if leaks include financial information or Social Security numbers.
Some states have laws like Illinois’ Biometric Information Privacy Act, which offers special protections for biometric information — that is, information pertaining to or emanating from the body. But vaccination verification systems might include no biometric information at all, even if they collect personal health information.
consumers have legal rights in most states to be notified about data breaches only if leaks include financial information or Social Security numbers.
The Federal Trade Commission, or FTC, has broad discretion over privacy enforcement. But its enforcement is largely limited to holding companies to account for the privacy and security measures they claim in their notices to users. In addition, FTC enforcement often doesn’t carry strong penalties for companies that violate privacy, particularly large companies that have the money to easily pay fines.
It’s worth remembering that there were similar problems with contact tracing apps. Luckily, researchers quickly identified maximally privacy-preserving techniques to design those apps. Google and Apple led the industry by releasing a free privacy-protective exposure notification protocol.
With vaccine passport apps, private industry has another chance to lead the way, by working with governments and civil society to create apps that protect privacy and embrace values of equity and democracy. Still, we shouldn’t have to continually hope that corporations will save the day on privacy issues, especially in cases like this, in which the privacy issues at stake involve sensitive health data and the public health of our entire nation. Without a federal privacy law, most Americans have little recourse if a vaccine passport app violates individual privacy rights. Even if these apps are developed in privacy-preserving ways, there are still problems involving technological discrimination. President Joe Biden is right not to require vaccine passports, at least until we fix vaccination access. Vaccination inequity is still a problem in many parts of the country, disproportionately disadvantaging communities of color, as well as the poor. Until everyone is able to easily get vaccinated, using vaccine passports to restrict travel and access to spaces can reinforce a system of inequality, deepening discriminating against the less privileged. Requiring digital vaccine passport apps also discriminates against people who don’t have smartphones or mobile devices, as well as people who may not have reliable mobile data plans. These apps neglect people from marginalized communities, like undocumented people or formerly incarcerated people, who might have more reason to fear government and corporate surveillance of their private health information. If nothing else, the privacy and discrimination flaws in current vaccine passport app proposals show why the U.S. needs a federal privacy law to create consistent standards across the country. Such a law should mandate special protection for sensitive health information, regardless of whether the information is collected or shared by a health care entity. A federal privacy law should include measures to protect against technological or algorithmic discrimination based on private information. In the absence of a strong federal privacy law, the best we can do is to advocate for states and corporations to develop these apps in privacy-preserving ways and to implement them with an eye toward equity. Let’s be clear: Getting the country — and the world — vaccinated is a necessary and critical step to stopping this virus. We can’t reopen society or the economy until we reach herd immunity. Vaccine passport apps can help us get back to our lives. But we need to make sure they don’t hurt us — especially our most vulnerable — in the process.
Tiffany C. Li
Tiffany C. Li is a technology lawyer and legal scholar. She is an assistant professor of law at the University of New Hampshire School of Law and a fellow at Yale Law School's Information Society Project. 
