The COVID-19 pandemic has created a need for rapid, population-wide digital contact tracing. One solution, Bluetooth-enabled digital proximity tracing using smartphones, promises to preserve individual privacy while helping to contain society-wide viral outbreaks. However, this digital solution works effectively only if adopted by the majority of the population. This poses a collective action problem: everyone would benefit from widespread proximity tracing, but the benefits for the individual are indirect and limited. To facilitate such collective action at the societal level, this paper conceptualises the option space of IT governance actions for proximity tracing adoption along two dimensions: decision-making entities (who will govern the roll-out) and accountability enforcement (how strictly will adoption and use be enforced). Examining coherent governance approaches that arise from the framework, we show that there are no globally ideal approaches but only locally contextualised ones that depend on immediate health risk, prior experience with pandemics, societal values and national culture, role of government, trust in government and trust in technology in each society. The paper contributes specific propositions for governing digital contact tracing in the COVID-19 pandemic and general theoretical implications for IT governance for collective action at the societal level.