State COVID Privacy Bills: The Good, the Bad, and the Nonexistent

In recent months, policymakers, public health officials, and state governments across the United States have been considering, and in some cases deploying, digital tools, such as contact tracing systems, to assist in reopening society amid the ongoing COVID-19 pandemic. Technology can play an important role in assisting public health authorities in managing the pandemic, if used appropriately. However, its use can also amplify the privacy, equity, and civil liberties concerns already raised by manual approaches. Proposed efforts and tools around the COVID-19 pandemic should therefore be designed in a privacy-protective and inclusive manner, and with an eye toward the inequities uncovered in the spread of the coronavirus and those inherent in any technology-driven solution.

In order to protect the civil rights and civil liberties of all individuals, especially communities of color and other populations vulnerable to coronavirus, any pandemic response technologies must meet minimum privacy and equity standards, as advocates have outlined. New America’s Open Technology Institute (OTI), The Leadership Conference on Civil and Human Rights, the Lawyers’ Committee for Civil Rights Under Law, and 83 civil rights, civil liberties, labor, and consumer protection organizations urged that a digital tool should not be deployed unless it is: non-discriminatory, used exclusively for public health purposes, effective, voluntary, secure, and accountable.

Congress has also introduced various measures aimed at solving these data privacy issues related to digital tools, which vary in their privacy-protectiveness and adherence to the principles outlined above. As state governments begin deploying these tools, OTI urges them to bring forth strong privacy legislation that would align with the principles set forth above in order to safeguard individuals from discriminatory uses, commercial uses, and unnecessary or ineffective uses of their sensitive health and location information.

There have been some promising developments in a few states as of late. In the New York state legislature, for example, Assemblymembers have introduced COVID Tech Privacy bill (S. 8448-C/A. 10583-B), a comprehensive effort that largely satisfies all six principles. The bill applies to any entity that collects emergency health data or operates a system that is responding to the COVID-19 public health emergency. While the bill could go further by explicitly stating that data be collected only for public health purposes and requiring that entities only collect the minimum amount of data necessary, it does place strong restrictions on the use of personal and public health information. The bill specifically prohibits any collected information from being used to segregate or discriminate against individuals in places of public accommodation. It would also require all covered entities to obtain “specific, informed, and unambiguous opt-in consent” to process an individual's personal information. Laudably, the bill requires reasonable security measures and annual independent data protection audits which would include assessments of the risk of harm posed by the technology or whether usage may result in unfair, biased, or discriminatory decisions. Finally, the bill also creates a private right of action for individuals to bring lawsuits against entities that have violated the act. New York’s COVID Tech Privacy bill sets a strong example that other states should follow, which is why OTI and a coalition of privacy advocates have endorsed the bill.

Going a step further, Assembly members have introduced the Contact Tracing Confidentiality Act (S. 8450-B/A. 10500-B), a bill that would ban law enforcement and immigration enforcement agencies from serving as, or receiving information from, contact tracers, and from accessing information from contact tracing. It also requires that information only be disclosed if necessary to carry out contract tracing for public health purposes. This confidentiality could only be waived if an individual provides a written, informed, and voluntary waiver stating the scope and limit of the waiver. A coalition of local and national advocates, including OTI, has supported this legislation, as it would provide crucial protections to ensure that information stays confidential and protected from law enforcement, and thereby helps ensure increased public trust in contact tracing efforts. Allowing law enforcement access to contact tracing data would disproportionately impact communities of color, who are already over-policed, and could prevent individuals from taking a part in contract tracing efforts, thereby limiting these efforts’ effectiveness. While this is significant, this Contact Tracing Confidentiality bill alone may not fulfill the privacy needs of New Yorkers as digital tools potentially become more widespread. But together, these two pieces of legislation would give New Yorkers robust protections from improper use of their contact tracing data, and OTI urges the New York state legislature to pass them as soon as possible.

Other legislatures across the country have also considered COVID-related privacy legislation in recent months which align with the aforementioned principles to varying degrees. In Kansas, recently enacted comprehensive COVID-19 contact tracing legislation requires contact data to be used for contact tracing purposes only (and to be safely and securely destroyed when no longer necessary), blocks the use of cell phone location data for tracking, and requires voluntariness. Notably, it also permits a person to bring a civil action in case of violations. Although less comprehensive, a similar bill was also introduced and reported favorably out of the New Jersey General Assembly’s relevant committee. That bill includes strict 30-day storage and purpose limitations, would require public health entities that share data with a third party to publish the name of that third party, and make third-party misuse of the data unlawful.

In other jurisdictions, relevant bills are undergoing consideration as well, though are in earlier legislative stages. In Ohio, a set of bills (HB 61 and SB 31), which already passed first chambers, would expressly declare contact tracing voluntary and would require the acquisition of consent from each individual contacted for participation. California is also currently discussing two different bills on the matter. One of the California bills would prohibit public entities that are not public health entities from deploying technology-assisted contact tracing, and establish a comprehensive set of transparency, accountability, security, and privacy obligations for businesses and public health entities engaging in technology-assisted contact tracing. A second California bill is much narrower, and would only establish that contact tracing data shall not be shared with any entity other than a public health entity, while also expressly prohibiting law enforcement officials from engaging in contact tracing. Finally, a bill recently introduced in Minnesota would authorize contact tracing by electronic means, but prohibit mandatory contact tracing, mandatory tracking, mandatory disclosure of health status, and the health tracking of employees.

While Washington, D.C. is not currently reviewing a privacy bill, recent reports reveal that Mayor Bowser is “actively assessing” whether the District will deploy use of digital tools for contact tracing. Last month, OTI, along with a coalition of local and national advocacy organizations, sent a letter to Mayor Bowser and the City Council, urging them to follow principles of privacy and transparency as they make decisions about the District’s contact tracing strategy. Much like the privacy principles mentioned earlier, advocates called for any District contact tracing efforts to be led by public health officials, comply with use limitations, data protection, and data minimization principles, be fully transparent, include oversight and accountability mechanisms, and be limited to the COVID-19 crisis. More specifically, organizations urged that if the District considers digital tools for contact tracing, those tools must be voluntary in nature and avoid the use of location data, which is ineffective and privacy-invasive. Finally, the organizations urged the City Council to pursue COVID privacy legislation, especially if the District government moves forward with any digital tools for tracing. In light of recent news that D.C. might do so, City Council should act now and follow in the steps of the stronger proposals mentioned above.

These recommendations, both in the letter to D.C. officials and the principles outlined above, are also consistent with the guidelines for governments that OTI and the Safra Center at Harvard University released in a recent white paper on digital tools for contact tracing. To achieve a rights-protective approach to these tools, there the authors recommend in part that authorities minimize the amount of data collected to that which is actually needed by public health authorities, strictly limit what entities have access to the data, and enact legislation both limiting the entities authorized to access COVID-19 data and ensuring that the app providers have no commercial interest in this data. Also, for equity purposes, they encourage public health officials to maintain substantial investment in manual contact tracers to compensate for the digital divide, to confer with minority community leaders in developing a targeted approach toward program implementation, and to consider investing in digital literacy assistance programs.

It is essential for state governments across the U.S. that wish to implement digital tools to combat COVID-19 to make sure their initiatives align with the principles and guidelines outlined above. Otherwise, instead of providing public health officials with the information they need, these digital tools could risk promoting indiscriminate mass surveillance and exacerbating the inequities becoming increasingly present across the United States.