Consumer Reports supports AB 1782 to protect the privacy of information collected pursuant to “technology-assisted” contact-tracing (TACT) apps. This bill will help ensure that these apps, if they are introduced in California, will be safer and more effective. For example, unless a majority of consumers use these apps, they will be much less useful in helping to contain COVID-19. If rolled out now, survey data suggests that too many consumers would be concerned about potential privacy harms to participate. About half of Americans with smartphones “probably or definitely would not” use these apps, in large part due to the potential threats posed to consumer privacy.
A number of apps are in development to help public health agencies and consumers engage in accelerated contact-tracing, based on Apple and Google’s proposed Bluetooth-based API, and one is now available in Virginia. If a consumer has opted in, their phone will be able to anonymously track their proximity to other users. If a user tests positive for COVID, the app will enable users to notify others who may have been infected. Though there are valid concerns about whether or not these apps will be effective in determining who might have been infected, they have been used by several other countries as part of the COVID-19 response, and it seems likely that other states will join Virginia in pursuing this approach.
While it remains to be seen whether the state of California will follow, consumers need to have privacy and security requirements in place so that there is no gap in protections if it is rolled out quickly. Already, in other countries, the information collected through exposure notification apps is used in coercive ways, such as to limit users’ access to transportation, despite the threat of false positives. Further, location-tracking apps could reveal whether or not a consumer had attended a political protest. That information could be shared with authorities that aren’t involved in the public health response, which would likely have a chilling effect on political expression. Additionally, without appropriate protections, by default, information collected by these apps could be monetized for advertising purposes.
This bill will help ensure that any technology-assisted contact-tracing app developed and brought to market in California will be privacy-protective. It establishes a strong standard of data minimization: limiting collection, sharing, maintenance, and disclosure of data to what is reasonably necessary to operate the service requested by the consumer. This means that consumer privacy is ensured by default, rather than leaving it to the consumer to figure out how to exercise their privacy preferences. Of course, not every consumer would want to subject themselves to this data collection in the first place, so appropriately, consent for use is required, and there is a strong non-discrimination provision that ensures that consumers have a meaningful choice as to whether or not to participate.
Additionally, we appreciate the work that your committee and the author have done to strengthen protections included in the bill. Notably, the recent amendments prohibit public entities from deploying TACT apps that use location data, to ensure that entities aren’t allowed to collect logs of consumers’ movements. New data deletion requirements mean that information would be less likely to be misused or to fall into the wrong hands in the event of a data breach. And the new, strong enforcement provisions will ensure that companies have appropriate incentives to comply—an issue brought into relief by widespread non-compliance with respect to the CCPA, which lacks strong enforcement. While we, along with other privacy groups, continue to urge the author to consider further refinements such as adding similar privacy protections to data collected by manual contact tracing, the substantial improvements to the bill have led us to move our position from “support if amended” to full support.
This bill provides consumers important privacy protections in this time of unprecedented data collection. We urge your AYE vote.