EFF strongly backs calls, including from California Senate Judiciary Chair Hannah-Beth Jackson, for Governor Gavin Newsom to ensure that his response to this crisis respects Californians’ constitutional right to privacy. We urge the California legislature and Governor Newsom to pass measures that would protect our privacy now, in the aftermath of this crisis, and beyond. As a national leader in privacy and a leading voice in setting policy regarding the coronavirus, California must step up and do the right thing as it makes policy to address the effects of COVID-19.
Right now, companies and governments are trying many new things to deal with an unprecedented public health crisis. These include public-private partnerships where government services come from mobile apps and website portals built by corporations such as Verily, a subsidiary of Google’s parent company Alphabet. Yet Verily’s launch shows how companies are making vague promises and commitments about how they will protect information they collect, and how it can be used later. It’s also unclear how governments can use information collected from such programs, and whether our personal information is the currency paid by governments to companies for public health programs to deal with this crisis.
Crises often open the door to erroneous judgment, panicked decisions, and programs that—while perhaps well-intentioned—damage privacy and prove difficult to roll back. But privacy does not stand in opposition to public health. In fact, privacy is a necessary piece of the equation to build public trust, which is in turn is a necessary ingredient of successful public health programs.
Some types of technology, such as face surveillance, should be off the table because of the magnitude of their privacy harms. EFF has also called repeatedly for any proposed government or company programs that track the spread of COVID-19 to place key privacy safeguards at their heart.
But to fix the serious trust problems, we need consumer data privacy laws—not just promises. There is a bankruptcy of trust between consumers and companies that collect personal information, and if companies are going to build public health tools, that mistrust is bad for all of us. A recent poll from The Washington Post and the University of Maryland found that half of Americans capable of downloading an app to track the spread of coronavirus wouldn’t, primarily due to a “distrust of Google, Apple and tech companies generally, with a majority expressing doubts about whether they would protect the privacy of health data.”
Privacy does not stand in opposition to public health. In fact, privacy is a necessary piece of the equation to build public trust.
And who can blame them? Companies that harvest and monetize our personal information have shown time and again that they will not look beyond their own balance sheets to consider the privacy harms to their customers. Now, more than ever, we cannot allow companies to make land grabs for our data—especially from people who are forced by the outbreak to conduct more of their work and personal lives online than ever before. We cannot tolerate short-sighted company proposals or public-private partnerships that trade our information away, especially for unvetted, untested promises that this will advance our public health and our economic health.
Many privacy groups in California support a bill that would solve a big privacy problem not addressed by the California Consumer Privacy Act (CCPA): limiting how companies collect, use, share, and store our personal information to what companies actually need to give us what we asked for. This is often called “minimization.” For example, when companies collect our personal data to address a public health crisis, the CCPA currently does not stop them from also collecting personal information that is irrelevant to the crisis, from using or sharing the data for non-crisis purposes, or from keeping the data long after the crisis ends. The only CCPA rights that allow people to control this information are the rights to delete and opt-out of sales. The language in AB 3119 (Wicks) would solve this problem by requiring minimization. That means no collection, use, sharing, or retention of our data for purposes that we haven't agreed to, subject only to narrow exceptions.
This bill would also close CCPA loopholes that, according to major tech companies, allow them to continue to share our personal data with third parties—actions that are out of step with the letter and spirit of this landmark law.
Yet the California Assembly’s Privacy and Consumer Protection committee has said it will not hear this bill this year. That decision echoes last year, when Assemblymember Ed Chau, the chair of that committee and author of the CCPA, refused to hear a bill that would have made strides to close these and other loopholes.
This is a serious mistake that deprives Californians of privacy protections they have long needed, and need even more during the COVID-19 crisis. It is simply disingenuous to argue that we can’t protect privacy and public health at the same time.
In fact, privacy protection is vital for any such efforts to succeed. Setting clear legal guidelines that businesses must follow protects ordinary people in an extraordinary time, and would be an important step to reestablishing trust between consumers and the companies that make money of their information.
We urge California’s legislators and Governor Newsom to do the right thing for all of us, and rightfully place privacy at the heart of the state’s response efforts as we move forward.