San Francisco—The Electronic Frontier Foundation (EFF) called on California Gov. Gavin Newsom and state lawmakers to ensure that all COVID-19 contact tracing programs include enforceable privacy protections that strictly limit how much and what kinds of data can be collected from Californians and prohibits using that data for anything other than reining in the pandemic.

More Californians will feel safe participating in efforts to trace transmission of the novel coronavirus if they know their information won’t be used to deport them or build data-rich profiles for data brokers and advertisers, EFF said this week in letters to Newsom and lawmakers. ACLU of California, Oakland Privacy, Media Alliance, Privacy Rights Clearinghouse, and Consumer Reports joined EFF in signing the letters.

“The success of contact tracing programs depends on participation by the public,” said EFF Legislative Activist Hayley Tsukayama. “Trust has been an issue—people are demanding protection over their private information. As a national leader in privacy and coronavirus policy-making, California should implement guardrails to prevent unwarranted privacy invasions and engender people’s trust that it’s OK to take part in contact tracing programs.”

EFF and its partners urged Newsom and lawmakers to bar the state, and privacy companies and contractors it works with to develop and implement manual and digital contact tracing programs, from collecting, retaining, using, or disclosing data except as necessary and proportionate to control the spread of COVID-19.

All contracts and agreements with outside companies should contain language that blocks them from using data for targeted advertising or other commercial purposes and combining participant data with any other data the companies may have. Data should be retained for no more than 30 days.

Contact-tracing programs should also be prohibited from discriminating against people on the basis of participation or nonparticipation. No one should be kept out of a workplace, school, or restaurant because they declined to participate in a contact-tracing program, privacy advocates said in the letters.

The state is stepping up contact tracing programs, announcing last week that Kaiser Permanente will donate $63 million to support the state’s work. Under its current contact tracing program, California Connected, public health workers will reach out to people who tested positive for COVID-19 via texts, phone calls, and emails. Those contacted are asked to give their names, ages, places they’ve been, and people they have been in contact with. The program pledges to keep the information confidential.

“Two bills currently before the California legislature—A.B. 1782 and A.B. 660—contain the important privacy protections we’re calling for,” said Tsukayama. “Ensuring people’s privacy at this time of uncertainty about our health and safety is the right thing to do. We urge Gov. Newsom to take the necessary steps to make our COVID-19 privacy protections a model for the rest of the country.”

For the letter:
https://www.eff.org/document/2020-08-coalition-letter-governorlegislature-contact-tracing-and-privacy

For more about contact tracing and privacy:
https://www.eff.org/deeplinks/2020/08/california-must-recognize-privacy-vital-public-health-efforts