CAOn August 13, two California contact tracing bills, AB-660 and AB-1782, were approved by the California Senate Judiciary Committee.  These bills would affect how public agencies can collect, store and disclose personal information that is used to facilitate COVID-19 contact tracing.

  • If enacted, AB-660 would prohibit any use or disclosure of data collected for purposes of contact tracing other than further contact tracing efforts.
  • If enacted, AB-1782 would require businesses using or providing contact tracing technologies to provide individuals with the right to consent, access, correct, and delete personal information about them, and to carry out other measures regarding use, security. and maintenance of the data.

Both bills could have major implications for businesses engaging in contact tracing.  Summaries of the bills, and further considerations for each are as follows:

AB-660

AB-660 bill would prohibit maintaining or disclosing data collected for contact tracing for any other purpose and would require deletion of such data within 60 days of collection.  Both requirements would not apply to data in the possession of local or state health departments.  In addition, the bill would prohibit the participation of law enforcement in contact tracing.  Contact tracing is defined as “identifying and monitoring individuals, through data collection and analysis, who may have had contact with an infectious person as a means of controlling the spread of a communicable disease.”  The bill would provide private plaintiffs with a civil cause of action to obtain injunctive relief against violations, and the prevailing party would be entitled to reasonable attorney’s fees.  In a statement to the Committee, the bill’s author, Assembly member Marc Levine, stated that the bill was intended to encourage, “successful implementation of contact tracing to stop the spread of COVID-19” which he felt would, “require trust and public confidence in the actions taken by federal, state and local governments.”

AB-1782

AB-1782, referred to as the Technology-Assisted Contact Tracing Public Accountability and Consent Terms (TACT-PACT) Act, would regulate contact tracing applications developed and employed by both public entities and private businesses.  It would require entities offering such applications to obtain opt-in consent from individuals before collecting or using data pertaining to them (except for research purposes, and other limited exceptions) and to provide a mechanism for revoking such consent.  It would further grant data subjects with rights to access and delete data collected through contact tracing applications.  Critically, the bill would prohibit companies from “discriminating” against individuals who choose not to opt-in to using a contact tracing application, which could seriously impair businesses’ ability to use such applications to support workplace safety in return to work scenarios if “discrimination” is interpreted to include prohibiting employees from entering office spaces unless the application is turned on.

Similar to AB-660, the bill would require that contact tracing data be deleted within 60 days.  In addition, AB-1782 would require entities to encrypt all data collected for contact tracing and to maintain security safeguards. The bill would require verification of exposure reports by a health care professional or public health entity and would also require public reporting of certain data, including the number of individuals whose personal information was collected or used, the categories of data used, the public health purposes for the use, and any recipient of data collected. The bill would provide for considerable fines and penalties as a result of any violations.

Conclusion

The next step for these bills is consideration by the Senate Appropriations Committee.  The bills could then be voted on by the full California Senate when it meets on August 31, 2020.  We will continue to monitor the progress of these bills.