This information is provided as a resource, but it is not legal advice. You are encouraged to speak to legal counsel to learn more about how “vaccine passports” and data privacy/security may affect your organization as it relates to passenger travel information.
- Most “vaccine passports” are operated by non-profit organizations such as The Commons Project’s CommonPass and the International Air Transport Association’s (IATA) Travel Pass.
- Regarding data security and privacy frameworks or policies, it is important to recognize that how a legal entity is structured and operates matters regarding data/privacy. While non-profits are often held to similar regulations as for-profit entities or corporations, there are some local laws or policies, such as the California Consumer Protection Act (CCPA), that may include some exemptions for non-profits, subject to the organization’s structure, and its current data and user privacy/security handling procedures.
- Any information or data collected by “vaccine passports” or technologies such as “exposure notifications” are usually designed in a “privacy-friendly” manner. “Exposure notifications,” like technologies through Apple and Google’s joint COVID-19 effort, rely on each user’s device’s Bluetooth short-range radio frequency band. Bluetooth keys or beacons do not reveal user identity or location. However, solutions that rely on cookies, IP information, and/or biometrics may disclose a user’s individual web browser or device through an IP Address, browser version, operating system, and other information, such as biometrics, and users who log in to or engage with such related software accounts may be individually identifiable to these related applications using session cookies or biometrics.