FPF Presents Expert Analysis to Washington State Lawmakers as Multiple States Weigh COVID-19 Privacy and Contact Tracing Legislation



In response to the ongoing public health emergency, over the past few months state legislatures in the United States have diverted their resources towards establishing state and local reopening plans, allocating federal aid, and promoting public trust and public participation by addressing concerns over privacy and civil liberties. 

Many states have introduced bills which would govern collection, use, and sharing of COVID-19 data by a range of entities, including government actors and commercial entities. Unless appropriate guardrails are put in place, data collected by governments through contact tracing could be used in unexpected, inappropriate, or even harmful ways. This has frequently been cited as a factor that undermines the likelihood of over-policed and undocumented individuals to participate in contact tracing, and is also one of the reasons why the Google-Apple Exposure Notification API is only available for decentralized apps. 

Below, we discuss FPF’s participation in a July 28th COVID-19 Public Work Session hosted by the Washington State Senate Committee on Environment, Energy & Technology, and the wide range of active COVID-19 legislation in state legislatures, including New York, New Jersey, and California.

Washington Public Work Session (July 28) 

On July 28, 2020, the Washington State Senate Committee on Environment, Energy & Technology held a Public Work Session to discuss government uses of data and contact tracing technologies. The Committee invited guest experts to give presentations, including FPF’s Senior Counsel Kelsey Finch, Consumer Reports’ Justin Brookman, and the Washington State Department of Health. 

In FPF’s presentation, we recommended for policymakers and technology providers to follow the lead of public health experts, and outlined key considerations when deciding how to design and implement digital contact tracing tools. Important considerations exist between public health, privacy, accuracy, effectiveness, equity, and trust; and best practices are emerging around: (1) transparency about data collection and sharing; (2) purpose & retention limitations (3) privacy impact assessments; (4) prioritization of accessibility; (5) SDK caution; (6) interoperability; and (7) security. Recognizing widespread consensus that apps ought to be voluntary, Ms. Finch also emphasized the need to find ways to promote and maintain public trust. 

These recommendations align with FPF’s recent report to promote responsible data use; and FPF’s April 2020 testimony on the topic of “Enlisting Big Data in the Fight Against Coronavirus,” convened by the U.S. Senate Committee on Commerce, Science, and Transportation.

  • Download a copy of FPF’s presentation HERE
  • Watch the full video HERE.
  • Read FPF & BrightHive Report: “Digital Contact Tracing: A Playbook for Responsible Data Use”
  • See FPF Infographic: “Understanding the “World of Geolocation Data”

Legislative Trends in the States 

State governments, private employers, and schools are increasingly turning to new technologies and digital solutions to help address the ongoing public health emergency. Over 20 states are considering, developing, or implementing decentralized Bluetooth-based apps based on the Apple Google Exposure Notification API, an effort supported nationally by the Association of Public Health Laboratories for individuals to receive exposure alerts even when they travel across state borders. 

Meanwhile, most state legislatures have suspended their sessions for the year, with only some states remaining in regular session, and others convening special sessions to address the pandemic. Contact tracing efforts (both manual and digital) rely not only on fast and reliable testing, but also on public participation and trust — a key public health consideration that is leading many states to consider how they can bolster public promises with strong privacy and data protection laws.

As a result, in some states, COVID-19 privacy bills have already been signed into law, including a few notable new state laws:

  • Kansas’s H.B. 2016 (signed into law June 8, 2020 following a special session) requires participation in state contact tracing to be voluntary and mandates confidentiality and data retention requirements for contact tracing information, and prohibits the use of cellphone location data to “identify or track, directly or indirectly, the movement of persons” for contact tracing purposes; 
  • New York’s S 8362 (signed into law June 17, 2020) requires that all contact tracers hired by the state health departments be representative of the cultural and linguistic diversity of the communities in which they serve.
  • South Carolina’s HJR5202 (signed into law June 25, 2020) prohibits the local health department from using mobile apps created for contact tracing. 

In other states, COVID-19 privacy legislation has been introduced and remains active — with some bills appearing likely to pass in upcoming weeks. Most notably, active bills in New York, New Jersey, and California, if passed, would create a range of new requirements for both private sector companies and government entities with respect to COVID-19 related health information.

New York

In New York, which will remain in session through the end of 2020, several COVID-19 privacy bills have gained traction in recent months, including:

  • NY A10500, which passed the New York Senate on July 23, would mandate the confidentiality of COVID-19 contact tracing information and prohibit access to such data by law enforcement or for immigration purposes. The ACLU and other community organizations support the bill.
  • NY S8448, which passed the Senate on July 23, would regulate the collection and use of emergency health data and the use of COVID-19 technology. The bill contains transparency requirements, data minimization obligations, retention limitations, and data security obligations for government entities and “third party recipients” of emergency health data. The scope of the bill resembles two federal bills introduced by Senator Blumenthal and Senator Wicker earlier this year to regulate emergency health data.
New Jersey

In New Jersey, the legislative session runs through the end of 2020. In January, a number of geolocation data bills were introduced that remain technically under consideration (e.g., A 193 and A 5259), in addition to general comprehensive privacy bills (e.g., S269 and A2188). However, New Jersey legislators have since prioritized urgent pandemic response bills, including:

  • A4170, passed the Assembly and received in the Senate on August 3, would require public health authorities to abide by purpose and retention limitations (30 days) for contact tracing data, and if data is shared with any third parties, to publish the names of those entities online. Third parties would also be required to abide by the same obligations, with a civil penalty available of up to $10,000 collected by the Commissioner of Health. S 2539 is a companion bill.

In California, the legislature has generally prioritized pandemic related bills over other pieces of legislation such as amendments to the California Consumer Privacy Act (e.g., AB 3119 and AB 3212). However, some related privacy bills remain under consideration, such as other CCPA amendments (AB 1281 and AB 713), and a consumer genetics privacy bill (SB 980). In California, the final day for bills to be passed by the House or the Senate is August 31, 2020. 

Active COVID-19 privacy bills in California include:

  • AB 685, which would require employers to notify its employees and state health departments of known or reasonably known exposures to COVID-19 within 24-hours. 
  • AB 2004, which would establish a pilot program to expand the use of verifiable health  credentials for communication of COVID-19 or other medical test results; and prohibit law enforcement agencies from requiring a patient to show such a credential. 

On August 20, 2020, two additional noteworthy bills narrowly failed to progress out of the Senate Appropriations Committee, which would have regulated data related to established methods of contact tracing (AB 660) and digital contact tracing tools (AB 1782).

  • AB 660 would have required that data collected for the purpose of contact tracing could only be used, maintained, or disclosed to facilitate contact tracing efforts, and would have prohibited law enforcement from participating in contact tracing. AB 660 was opposed by local law enforcement, due to lack of clarity regarding how it intended to apply to law enforcement in the context of an employer-employee relationship. Concern was also raised about possible unintended consequences within prisons, which have experienced outbreaks. At a recent hearing, some legislators argued that California already has adequate legislation to protect individuals from law enforcement, such as the California Values Act of 2017 (SB54), which prevents state and local law enforcement agencies from using their resources on behalf of federal immigration enforcement agencies. However, numerous community organizations supported the bill, arguing that it would increase participation in contact tracing, thereby contributing towards more complete datasets and overall effectiveness. 
  • AB 1782 would have comprehensively regulated digital contact tracing tools (“technology-assisted contact tracing”) offered by public health entities and businesses. AB 1782 would also have prohibited discrimination on the basis of participation in technology-assisted contact tracing. The scope of the bill resembles a bipartisan federal bill introduced by Senator Cantwell and Senator Cassidy to regulate exposure notification services. 

Overall Trends 

While most states, and the federal government, do not have a comprehensive baseline consumer privacy law that applies to all commercial uses of data, many existing federal and state laws do already apply to contact tracing efforts or to certain types of data (such as location data collected by cell phone carriers). For example, all states have unfair and deceptive practices (UDAP) laws and laws governing healthcare entities (supplementing HIPAA). Many states also have strong laws governing the confidentiality of state-held records, such as the California Confidentiality of Medical Information Act (Cal. Civil Code §§ 5656.37 [1992]), and the Uniform Health Care Information Act (National Conference, 988). 

However, as states increasingly contract with private entities to provide digital tools in response to the pandemic, COVID-19 policy frameworks are developing to regulate new data flows across public and private sectors, often involving sensitive location and health information. Both the application of existing state privacy laws and the introduction of new laws to address the pandemic are likely to influence federal and state privacy debates for years to come.