Californians have a constitutional right to privacy. There is no more important time to protect that right to privacy than during a crisis, such as the current pandemic. That is why EFF, along with the American Civil Liberties Union of California, Media Alliance, Oakland Privacy, Privacy Rights Clearinghouse, and Consumer Reports have called on the state’s political leaders to ensure that any program that asks Californians to share contact tracing information have strong privacy guardrails.
Being upfront and honest about what information contact tracing programs collect, how that information is used, and acting from the start to protect against abuses of that information can protect Californians at a vulnerable time. It can also increase trust in public health programs. The evidence is mounting that people don’t trust—and therefore do not wish to participate in—programs that have not respected privacy from the start. Our groups call on Governor Gavin Newsom, Senate President pro Tempore Toni Atkins, Assembly Speaker Anthony Rendon, and all members of the California Assembly and Senate to recognize that privacy protections are necessary to public health efforts.
Our coalition asks for the following four, common-sense protections:
- A data minimization rule that ensures that the information a public or private entity collects actually serves a public health purpose.
- A guarantee that any private entity working on a contact tracing program does not use the information for any other purpose—including, but not limited, to commercial purposes.
- A prohibition from discriminating against people based on their participation—or nonparticipation—in a contact-tracing program, to protect those who cannot or do not want to participate in a data collection program, and to avoid programs with compulsory participation, which also risks declines in the quality of data.
- A strong requirement to purge data from such programs when it is no longer useful—we are asking for a 30-day retention period. We would not, however, object to a narrowly-crafted exception from this data purge rule for a limited amount of aggregated and de-identified demographic data for public health purposes—for the sole purpose of tracking inequities in public health response to the crisis.
EFF also believes that the following additional guardrails are necessary for manual and automated contact tracing programs:
- A ban on location tracing as a part of Tech-Assisted Contact Tracing. Location data (such as GPS and cell site location) is not sufficiently granular to identify whether two people were close enough together to transmit COVID-19. But it is sufficiently precise to show whether a person attended a protest, a worship service, or a hospital appointment. Thus, location tracking invades privacy without advancing public health. It might be possible to use Bluetooth-based proximity data to provide automated exposure notification in a privacy-preserving manner. But such systems must not use location data.
- A prohibition against contact tracing by state and local law enforcement. Many people will share less of their personal information if they fear the government will use it against them. This would frustrate containment of the outbreak.
- Effective enforcement of these privacy rights with a private right of action. Every person should be able to act as their own privacy enforcer. Private rights of action are a standard feature of legislation that protects people from governmental and corporate wrongdoing. Violations of privacy regarding contact tracing information should be no different.
EFF, along with many other privacy groups, strongly supports two bills currently in the California legislature—A.B. 1782 (Chau/Wicks) and A.B. 660 (Levine)—that include these and other important protections. We thank those authors for their work, and will continue to work to pass those bills in the legislature.
Respecting privacy can help establish much-needed trust in these programs, which will in turn increase their efficacy in addressing the current public health crisis. It is also simply the right thing to do.