Today's Law As Amended


Bill PDF |Add To My Favorites | print page

AB-1782 Personal information: contact tracing.(2019-2020)



As Amends the Law Today


SECTION 1.
 This act shall be known, and may be cited, as the Technology-Assisted Contact Tracing Public Accountability and Consent Terms (TACT-PACT) Act.

SEC. 2.

 Title 4.5 (commencing with Section 1924) is added to Part 4 of Division 3 of the Civil Code, to read:

TITLE 4.5. TECHNOLOGY-ASSISTED CONTACT TRACING PUBLIC ACCOUNTABILITY AND CONSENT TERMS (TACT-PACT)

1924.
 For purposes of this title:
(a) “Business” means a sole proprietorship, partnership, corporation, association, or other group, including, but not limited to, a nonprofit entity.
(b) (1) “Consent” means an affirmative act by an individual that is both of the following:
(A) Clearly and conspicuously communicates the individual’s authorization of an act or practice.
(B) Made in the absence of any mechanism in a user interface that has the purpose or substantial effect of obscuring, subverting, or impairing decisionmaking or choice to obtain consent.
(2) Consent shall not be inferred from inaction.
(c) “Data” means measurements, transactions, determinations, locations, or other information, whether or not that information can be associated with a specific natural person.
(d) “Personal information” means data that identifies, relates to, describes, is reasonably capable of being associated, or could reasonably be linked, directly or indirectly, with a specific natural person or household.
(e) “Public health entity” means a state or local health department or a public university health center.
(f) (1) “Technology-assisted contact tracing (TACT)” means the use of a digital application or other electronic or digital platform that is capable of independently transmitting information and is offered to individuals for the purpose of identifying and monitoring individuals, through data collection and analysis, who may have had contact with an infectious person as a means of controlling the spread of a communicable disease.
(2) “Technology-assisted contact tracing (TACT)” does not include the use of a device issued at a general acute care hospital, acute psychiatric hospital, or skilled nursing facility, as defined in Section 1250 of the Health and Safety Code, that is used only within the issuing health facility’s campus.
1924.1.
 A business or public health entity offering TACT to individual users shall do all of the following:
(a) Ensure that a request for an individual’s consent for the collection, use, maintenance, or disclosure of data includes the public health purpose for which that individual’s data will be collected, used, maintained, or disclosed, and the party or parties to whom that data will be disclosed.
(b) Provide a simple mechanism for a user to revoke consent for the collection, use, maintenance, or disclosure of data and permit revocation of consent at any time.
(c) Disclose to the user the categories of data collected, used, or disclosed and the specific public health purposes for which each category will be collected, used, or disclosed.
(d) Provide users with an effective mechanism by which to access, correct, and delete their personal information.
(e) Delete any personal information collected pursuant to TACT within 60 days from the time of collection.
(f) (1) Delete any data collected pursuant to TACT within 60 days from the time of collection.
(2) This subdivision shall not apply to data that is maintained and used solely for the purpose of research, as defined in Part 46 (commencing with Section 46.101) of Title 45 of the Code of Federal Regulations, and is subject to the regulations pursuant to that part.
(g) Ensure that all components of TACT are capable of being temporarily disabled and removed by the user in a manner that is clear, simple, and does not include any unnecessary steps.
(h) Encrypt any data collected and maintained pursuant to TACT to the extent practicable.
(i) Clearly and conspicuously disclose that the absence of an exposure notice does not ensure that the individual has not been exposed to the condition of public health concern.
(j) Issue a public report, at least once every 90 days, containing all of the following information:
(1) The number of individuals whose personal information was collected, used, or disclosed pursuant to TACT.
(2) The categories of data collected, used, or disclosed and the specific public health purposes for which each category was collected, used, or disclosed pursuant to TACT.
(3) The recipient to whom any of the information described in paragraphs (1) and (2) was disclosed.
(k) Implement and maintain reasonable security procedures and practices, appropriate to the nature of the data and the purposes for which that data will be used, to protect that data from unauthorized use, disclosure, access, destruction, or modification, including all of the following:
(1) Administrative safeguards.
(2) Physical safeguards.
(3) Technical safeguards.
1924.3.
 A business or public health entity offering TACT to individual users shall not do any of the following:
(a) Collect, use, maintain, or disclose data for the purpose of providing TACT without the affirmative consent of the individual to whom that data pertains.
(b) Collect, use, maintain, or disclose personal information that is not reasonably necessary to provide TACT services.
1924.4.
 A business or public entity shall not do any of the following:
(a) Discriminate on the basis of participation or nonparticipation in TACT or any behavior or disclosure pursuant thereto.
(b) Impose a penalty on the basis of participation or nonparticipation in TACT or any behavior or disclosure pursuant thereto.
(c) Require any person, including, but not limited to, an employee or independent contractor, to participate in TACT or any behavior or disclosure pursuant thereto.
1924.5.
 (a) A business providing TACT that is not affiliated with a public health entity shall clearly and conspicuously disclose upon solicitation and provision of a TACT service that the service is not affiliated with a public health entity.
(b) A business described in subdivision (a) shall not hold itself out to be affiliated with a public health entity.
(c) A business described in subdivision (a) shall not associate data collected from a user pursuant to TACT in any way with data otherwise collected or maintained for other purposes without that user’s consent.
(d) A business described in subdivision (a) shall not use data collected from a user pursuant to TACT for a purpose other than facilitating contact tracing for the immediate public health purpose or implementing TACT system improvements.
(e) A business described in subdivision (a) shall not reidentify or attempt to reidentify deidentified, anonymized, or aggregated data collected pursuant to TACT.
1924.6.
 This title shall not be construed to limit or prohibit a public health entity or its agent from administering programs to identify individuals who have contracted, or may have been exposed to, a public health condition through traditional means intended to monitor and mitigate the transmission of a disease or disorder, including, but not limited to, interviews, outreach, case investigation, and other recognized investigatory measures.
1924.8.
 (a) (1) A business that violates this title shall be subject to a civil judgment for reasonable attorney fees, injunctive relief, and the following:
(A) If the violation does not directly result in disclosure of data, the greater of the following:
(i) Actual damages.
(ii) Statutory damages in an amount not greater than one hundred dollars ($100) for each day that the violation occurred.
(B) If the violation is not a willful violation, but the violation directly results in disclosure of data, the greater of the following:
(i) Actual damages.
(ii) Statutory damages in an amount not greater than one hundred dollars ($100) for each violation.
(C) If the violation is a willful violation and directly results in disclosure of data, the greater of the following:
(i) Actual damages.
(ii) Statutory damages in an amount not greater than five hundred dollars ($500) for each violation.
(2) The Attorney General, a district attorney, a city attorney, or a member of the public may bring a civil action against a business for relief pursuant to this subdivision.
(b) (1) A public entity that violates this title shall be subject to a civil judgment for reasonable attorney fees, injunctive relief, and the following:
(A) If the violation does not directly result in disclosure of data, injunctive relief.
(B) If the violation is not a willful violation, but the violation directly results in disclosure of data, actual damages.
(C) If the violation is a willful violation and directly results in disclosure of data, the greater of the following:
(i) Actual damages.
(ii) Statutory damages in an amount not greater than five hundred dollars ($500) for each violation.
(2) (A) A civil action against a public entity for damages pursuant to this subdivision may be brought only by the Attorney General, a district attorney, or a city attorney.
(B) A member of the public may bring a civil action against a public entity to obtain relief pursuant to this subdivision only to obtain injunctive relief and reasonable attorney fees.

SEC. 3.

 Chapter 5 (commencing with Section 104000) is added to Part 2 of Division 102 of the Health and Safety Code, to read:

CHAPTER  5. Technology-Assisted Contact Tracing Public Accountability And Consent Terms (TACT-PACT)
104000.
 For purposes of this chapter:
(a) (1) “Consent” means an affirmative act by an individual that is both of the following:
(A) Clearly and conspicuously communicates the individual’s authorization of an act or practice.
(B) Made in the absence of any mechanism in a user interface that has the purpose or substantial effect of obscuring, subverting, or impairing decisionmaking or choice to obtain consent.
(2) Consent shall not be inferred from inaction.
(b) “Data” means measurements, transactions, determinations, locations, or other information, whether or not that information can be associated with a specific natural person.
(c) “Personal information” means data that identifies, relates to, describes, is reasonably capable of being associated, or could reasonably be linked, directly or indirectly, with a specific natural person or household.
(d) “Public health entity” means a state or local health department or a public university health center.
(e) “Technology-assisted contact tracing (TACT)” means the use of a digital application or other electronic or digital platform that is capable of independently transmitting information, and is offered to individuals for the purpose of identifying and monitoring individuals, through data collection and analysis, who may have had contact with an infectious person as a means of controlling the spread of a communicable disease.
104002.
 (a) Notwithstanding any other law, a public entity that is not a public health entity shall not offer TACT.
(b) Participation in TACT, and any behavior or furnishing of information or consent for the purpose of effectuating TACT, shall be entirely voluntary.
(c) (1) Personal information collected, used, or maintained by a public health entity through TACT shall not be used for any purpose other than facilitating the response to the immediate public health purpose.
(2) For purposes of this subdivision, “facilitating the response to the immediate public health purpose” does not include enforcement of laws or orders pertaining to the public health purpose or created in response to the public health purpose, or investigations into violations of those orders and laws.
(d) A public health entity shall not associate data collected pursuant to TACT in any way with data otherwise collected or maintained for other purposes.
(e) A public health entity shall not offer TACT if the TACT collects, uses, retains, or shares geolocation information.
(f) A public health entity that is a public university health center shall not allow access to data collected pursuant to TACT by any agent or division of the university outside of the health center.
104004.
 A public health entity participating in TACT shall do all of the following:
(a) (1) Require that any report of exposure, including a presumptive report of exposure, be verified by a health care professional or public health entity before notifying persons who have been or may have been in contact with the reporting individual or before publicly disclosing exposure data.
(2) For purposes of this subdivision, “verified” means to have made an expert determination based on case history, test results, symptoms, or any other readily available information pertinent to the case that the condition of an individual meets the public health definition of a case, or presumptive case, of a specific infectious disease.
(b) Comply with other applicable laws, including Title 4.5 (commencing with Section 1924) of Part 4 of Division 3 of the Civil Code.
104006.
 A public health entity participating in TACT shall not charge a user fee for participation in TACT.
104008.
 This chapter shall not be construed to limit or prohibit a public health entity or its agent from administering programs to identify individuals who have contracted, or may have been exposed to, a public health condition through traditional means intended to monitor and mitigate the transmission of a disease or disorder, including interviews, outreach, case investigation, and other recognized investigatory measures.
104010.
 (a) A public entity that violates this chapter shall be subject to a civil judgment for reasonable attorney fees, injunctive relief, and the following:
(1) If the violation does not directly result in disclosure of data, injunctive relief.
(2) If the violation is not a willful violation, but the violation directly results in disclosure of data, actual damages.
(3) If the violation is a willful violation and directly results in disclosure of data, the greater of the following:
(A) Actual damages.
(B) Statutory damages in an amount not greater than five hundred dollars ($500) for each violation.
(b) (1) A civil action against a public entity for damages pursuant to subdivision (a) may be brought only by the Attorney General, a district attorney, or a city attorney.
(2) A member of the public may bring a civil action against a public entity to obtain relief pursuant to subdivision (a) only to obtain injunctive relief and reasonable attorney fees.

SEC. 4.

 Part 6 (commencing with Section 22360) is added to Division 2 of the Public Contract Code, to read:

PART 6. TECHNOLOGY-ASSISTED CONTACT TRACING PUBLIC ACCOUNTABILITY AND CONSENT TERMS (TACT-PACT)

22360.
 For purposes of this part:
(a) (1) “Consent” means an affirmative act by an individual that is both of the following:
(A) Clearly and conspicuously communicates the individual’s authorization of an act or practice.
(B) Made in the absence of any mechanism in a user interface that has the purpose or substantial effect of obscuring, subverting, or impairing decisionmaking or choice to obtain consent.
(2) Consent shall not be inferred from inaction.
(b) “Data” means measurements, transactions, determinations, locations, or other information, whether or not that information can be associated with a specific natural person.
(c) “Personal information” means data that identifies, relates to, describes, is reasonably capable of being associated, or could reasonably be linked, directly or indirectly, with a specific natural person or household.
(d) “Public health entity” means a state or local health department or a public university health center.
(e) “Technology-assisted contact tracing (TACT)” means the use of a digital application or other electronic or digital platform that is capable of independently transmitting information, and is offered to individuals for the purpose of identifying and monitoring individuals, through data collection and analysis, who may have had contact with an infectious person as a means of controlling the spread of a communicable disease.
22362.
 (a) Notwithstanding any other law, a public entity that is not a public health entity shall not enter into a TACT contract.
(b) Any data collected by, and any inventions, discoveries, intellectual property, technical communications, and records originated or prepared by, the contractor in the course of activities governed by the contract, including papers, reports, charts, computer programs, and other documentation, shall be the public health entity’s exclusive property.
(c) Any data collected and maintained in the course of fulfilling the duties of a TACT contract shall be encrypted to the extent practicable.
22364.
 A TACT contract shall include, but not be limited to, all of the following provisions:
(a) Participation in TACT, and any behavior or furnishing of information or consent for the purpose of effectuating TACT, shall be entirely voluntary.
(b) (1) Except as provided in paragraph (2), the contractor shall comply with the requirements imposed on public health entities pursuant to Chapter 5 (commencing with Section 104000) of Part 2 of Division 102 of the Health and Safety Code and Title 4.5 (commencing with Section 1924) of Part 4 of Division 3 of the Civil Code.
(2) The contractor shall not be required to comply with the reporting requirement imposed by subdivision (c) of Section 104004 of the Health and Safety Code if the report published by the public health entity accounts for the data collected, used, or disclosed by the contractor pursuant to the contract.
(c) Performance metrics for evaluation of the particular goods or services provided pursuant to the contract.
(d) (1) Subject to paragraph (2), the term of the contract shall not exceed one year.
(2) The contract may be renewed for increments of one year or less if the terms of the performance metrics described in subdivision (c) are substantially satisfied.
(e) Limitations on data collection and use.
(f) Security and data breach requirements, including both of the following:
(1) A contractor shall report a data breach to law enforcement and the public health entity.
(2) A contractor shall report a data breach pursuant to Section 1798.82 of the Civil Code.
(g) A contractor shall provide any source code created by the contractor pursuant to a TACT contract to both of the following:
(1) The public health entity.
(2) Any entity charged with oversight of the public health entity’s acquisitions, as required by Section 12100.
(h) A contract governed by this part shall be deemed a contract for the acquisition of information technology goods and services related to information technology projects for purposes of Section 12100.
22366.
 A TACT contract shall prohibit a contractor from all of the following:
(a) Collecting data that is not directly necessary for the public health purposes enumerated in the contract.
(b) Disclosing data collected, used, or maintained pursuant to the contract with any person or entity without the express written consent of the public health entity and the affirmative consent of any individual whose data would be disclosed.
(c) Using data for a purpose other than facilitating contact tracing for the immediate public health purpose or implementing TACT system improvements.
(d) Using data collected pursuant to the contract for a commercial purpose or to obtain anything of value apart from due compensation pursuant to the contract.
(e) Associating data collected pursuant to the contract in any way with data otherwise collected or maintained by the contractor for other purposes.
(f) Reidentifying or attempting to reidentify deidentified, anonymized, or aggregated data.
(g) Using or maintaining personal information collected pursuant to the contract for longer than 60 days from the time of collection.
(h) Maintaining data collected pursuant to the contract after the termination or expiration of the contract.
22368.
 (a) (1) A contractor that violates this part shall be subject to a judgment for reasonable attorney fees, injunctive relief, and the following:
(A) If the violation does not directly result in disclosure of data, the greater of the following:
(i) Actual damages.
(ii) Statutory damages in an amount not greater than one hundred dollars ($100) for each day that the violation occurred.
(B) If the violation is not a willful violation, but the violation directly results in disclosure of data, the greater of the following:
(i) Actual damages.
(ii) Statutory damages in an amount not greater than one hundred dollars ($100) for each violation.
(C) If the violation is a willful violation and directly results in disclosure of data, the greater of the following:
(i) Actual damages.
(ii) Statutory damages in an amount not greater than five hundred dollars ($500) for each violation.
(2) The Attorney General, a district attorney, a city attorney, or a member of the public may bring a civil action against a contractor for relief pursuant to this subdivision.
(b) (1) A public entity that violates this part shall be subject to a judgment for reasonable attorney fees, injunctive relief, and the following:
(A) If the violation does not directly result in disclosure of data, injunctive relief.
(B) If the violation is not a willful violation, but the violation directly results in disclosure of data, actual damages.
(C) If the violation is a willful violation and directly results in disclosure of data, the greater of the following:
(i) Actual damages.
(ii) Statutory damages in an amount not greater than five hundred dollars ($500) for each violation.
(2) (A) A civil action against a public entity for damages pursuant to this subdivision may be brought only by the Attorney General, a district attorney, or a city attorney.
(B) A member of the public may bring a civil action against a public entity to obtain relief pursuant to this subdivision only to obtain injunctive relief and reasonable attorney fees.