Many states have launched their own versions of exposure notification or tracking apps as a part of their response to the ongoing COVID-19 pandemic. California may be poised to join them. Yet the Golden State still has not enacted any privacy standards for state COVID tracking apps, or for contracts the state may enter to deploy such programs.

This week, Colorado announced a program using the Exposure Notifications Express (ESE) system. This system, newly baked into Apple’s iOS operating system, will soon also be an option on Google’s Android operating system. It allows tech users to opt-in to a public health program, which alerts them if they’ve been exposed, without requiring them to download a separate app. It is likely to become the easiest path for most smartphone users to participate in exposure notification systems.

While California has not officially announced any such program, there are strong hints that one is in the works. On August 28, three leaders in the California legislature — Assembly Privacy and Consumer Protection Chair Ed Chau, Senate Judiciary Chair Hannah-Beth Jackson, and Assembly Speaker Anthony Rendon—wrote to Governor Gavin Newsom referencing discussions for a pilot program in California that includes a “contact-tracing application.”

Worryingly, they also articulated concerns about the lack of privacy considerations that have accompanied those plans, saying that “the Administration has not fully considered many important implications of implementing” a statewide app. “We must work together every step of the way to ensure that any action taken by the Administration to deploy a contact-tracing application provide our constituents with the data privacy and security assurances necessary to encourage widespread participation,” the letter said.

Privacy protections are necessary to public health programs, particularly when a program needs high levels of participation to be effective. People will not use applications they can’t trust. That’s why EFF and other privacy groups have called on Governor Newsom to place basic privacy guardrails on any contact-tracing program run by or with the state. These include:

  • A data minimization rule that ensures that the information a public or private entity collects only serves a public health purpose.
  • A guarantee that any private entity working on a program does not use the information for any other purpose—including, but not limited, to commercial purposes.
  • A prohibition from discriminating against people based on their participation—or nonparticipation—in these programs, to protect those who cannot or do not want to participate in a data collection program, and to avoid programs with compulsory participation.
  • A strong requirement to purge data from such programs when it is no longer useful—we are asking for a 30-day retention period. We would not, however, object to a narrowly-crafted exception from this data purge rule for a limited amount of aggregated and de-identified demographic data for the sole purpose of tracking inequities in public health response to the crisis.

We supported two bills in the 2019-2020 legislation session to protect the privacy of our COVID data. AB 1782 (Chau/Wicks) would have ensured that any exposure notification program in the state included much-needed privacy protections for Californians at work and at home. AB 660 (Levine) would have provided related protections for manual contact tracing programs. Together, these two bills would have ensured COVID tracking programs in the state could not exploit data for other uses, including for marketing purposes, and guaranteed every Californian had the right to sue in case of a privacy violation.

Unfortunately, both bills recently died in the California Senate Appropriations committee, chaired by Sen. Anthony Portantino. This is a disappointing failure to protect the privacy of Californians and thereby advance public health. But while the legislature stalled efforts to protect our privacy, the need for these protections is only growing.

The letter from legislators suggests that Google and Apple may be willing to create a pilot program “for the State free of charge.” As the lawmakers wrote: “We caution that while contracting these companies to create the application may not cost the state financially, the Legislators and advocates attending closely to these issues over the years have learned that no such venture is truly free. Often times, products or services offered for ‘free’ are paid for through the surrender of sensitive personal information.”

Indeed, companies and governments have proven time and again that they cannot be trusted to do the right thing even — sometimes especially — when people are at their most vulnerable. Absent state protections, data collection programs administered by local governments, or by the private sector, face few limits or guarantees that the data will only be used for its intended purposes.

In addition, employees have few protections from employers who may wish to use information collected as part of pandemic response to track who their employees are talking to or to measure their productivity. And there are no protections to protect Californians—at work or not—from being discriminated against for choosing not to participate in such programs.

Pinky promises aren’t enough. We need legally binding rules. As the state prepares to launch a program to integrate technology into its pandemic response, it is more important than ever that the California governor do the right thing.