TITLE 4.5. TECHNOLOGY-ASSISTED CONTACT TRACING PUBLIC ACCOUNTABILITY AND CONSENT TERMS (TACT-PACT)
1924.
For purposes of this title:
(a) “Business” means a sole proprietorship, partnership, corporation, association, or other group, including, but not limited to, a nonprofit entity.
(b) (1) “Consent” means an affirmative act by an individual that is both of the following:
(A) Clearly and conspicuously communicates the individual’s authorization of an act or practice.
(B) Made in the absence of any mechanism in a user interface that has the purpose or substantial effect of obscuring, subverting, or impairing decisionmaking or choice to obtain consent.
(2) Consent shall not be inferred from inaction.
(c) “Data” means measurements, transactions, determinations, locations, or other information, whether or not that information can be associated with a specific natural person.
(d) “Personal information” means data that identifies, relates to, describes, is reasonably capable of being associated, or could reasonably be linked, directly or indirectly, with a specific natural person or household.
(e) “Public health entity” means a state or local public entity that is responsible for public health matters as part of its official mandate.
health department or a public university health center.
(f) (1) “Technology-assisted contact tracing (TACT)” means the use of a digital application or other electronic or digital platform that is capable of independently transmitting information and is offered to individuals for the purpose of identifying and monitoring individuals, through data collection and analysis, who may have had contact with an infectious person as a means of controlling the spread of a communicable disease.
(2) “Technology-assisted contact tracing (TACT)” does not include the use of a device issued at a general acute care hospital, acute psychiatric hospital, or skilled nursing facility, as defined in Section 1250 of the Health and Safety Code, that is used only within the issuing health facility’s campus.
1924.1.
A business or public health entity offering TACT to individual users shall do all of the following:
(a) Ensure that a request for an individual’s consent for the collection, use, maintenance, or disclosure of data includes the public health purpose for which that individual’s data will be collected, used, maintained, or disclosed, and the party or parties to whom that data will be disclosed.
(b) Provide a simple mechanism for a user to revoke consent for the collection, use, maintenance, or disclosure of data and permit revocation of consent at any time.
(c) Disclose to the user the categories of data collected, used, or disclosed and the specific public health purposes for which each category will be collected, used, or disclosed.
(d) Provide users with an effective mechanism by which to access, correct, and delete their personal information.
(e) Delete any personal information collected pursuant to TACT within 60 days from the time of collection.
(f) (1) Delete any data collected pursuant to TACT within 60 days from the time of collection.
(2) This subdivision shall not apply to data that is maintained and used solely for the purpose of research, as defined in Part 46 (commencing with Section 46.101) of Title 45 of the Code of Federal Regulations, and is subject to the regulations pursuant to that part.
(g) Ensure that all components of TACT are capable of being temporarily disabled and removed by the user in a manner that is clear, simple, and does not include any unnecessary steps.
(h) Encrypt any data collected and maintained pursuant to TACT to the extent practicable.
(i) Clearly and conspicuously disclose that the absence of an exposure notice does not ensure that the individual has not been exposed to the condition of public health concern.
(j) Issue a public report, at least once every 90 days, containing all of the following information:
(1) The number of individuals whose personal information was collected, used, or disclosed pursuant to TACT.
(2) The categories of data collected, used, or disclosed and the specific public health purposes for which each category was collected, used, or disclosed pursuant to TACT.
(3) The recipient to whom any of the information described in paragraphs (1) and (2) was disclosed.
(k) Implement and maintain reasonable security procedures and practices, appropriate to the nature of the data and the purposes for which that data will be used, to protect that data from unauthorized use, disclosure, access, destruction, or modification, including all of the following:
(1) Administrative safeguards.
(2) Physical safeguards.
(3) Technical safeguards.
1924.3.
A business or public health entity offering TACT to individual users shall not do any of the following:
(a) Collect, use, maintain, or disclose data for the purpose of providing TACT without the affirmative consent of the individual to whom that data pertains.
(b) Collect, use, maintain, or disclose personal information that is not reasonably necessary to provide a service or conduct an activity that a user has requested. TACT services.
1924.4.
A business or public entity shall not do any of the following:
(a) Discriminate on the basis of participation or nonparticipation in TACT or any behavior or disclosure pursuant thereto.
(b) Impose a penalty on the basis of participation or nonparticipation in TACT or any behavior or disclosure pursuant thereto.
(c) Require any person, including, but not limited to, an employee or independent contractor, to participate in TACT or any behavior or disclosure pursuant thereto.
1924.5.
(a) A business providing TACT that is not affiliated with a public health entity shall clearly and conspicuously disclose upon solicitation and provision of a TACT service that the service is not affiliated with a public health entity.
(b) A business described in subdivision (a) shall not hold itself out to be affiliated with a public health entity.
(c) A business described in subdivision (a) shall not associate data collected from a user pursuant to TACT in any way with data otherwise collected or maintained for other purposes without that user’s consent.
(d) A business described in subdivision (a) shall not use data collected from a user pursuant to TACT for a purpose other than facilitating contact tracing for the immediate public health purpose or implementing TACT system improvements.
(e) A business described in subdivision (a) shall not reidentify or attempt to reidentify deidentified, anonymized, or aggregated data collected pursuant to TACT.
1924.6.
This title shall not be construed to limit or prohibit a public health entity or its agent from administering programs to identify individuals who have contracted, or may have been exposed to, a public health condition through traditional means intended to monitor and mitigate the transmission of a disease or disorder, including, but not limited to, interviews, outreach, case investigation, and other recognized investigatory measures.
1924.8.
(a) (1) A business that violates this title shall be subject to a civil judgment for reasonable attorney fees, injunctive relief, and the following:
(A) If the violation does not directly result in disclosure of data, the greater of the following:
(i) Actual damages.
(ii) Statutory damages in an amount not greater than one hundred dollars ($100) for each day that the violation occurred.
(B) If the violation is not a willful violation, but the violation directly results in disclosure of data, the greater of the following:
(i) Actual damages.
(ii) Statutory damages in an amount not greater than one hundred dollars ($100) for each violation.
(C) If the violation is a willful violation and directly results in disclosure of data, the greater of the following:
(i) Actual damages.
(ii) Statutory damages in an amount not greater than five hundred dollars ($500) for each violation.
(2) The Attorney General, a district attorney, a city attorney, or a member of the public may bring a civil action against a business for relief pursuant to this subdivision.
(b) (1) A public entity that violates this title shall be subject to a civil judgment for reasonable attorney fees, injunctive relief, and the following:
(A) If the violation does not directly result in disclosure of data, injunctive relief.
(B) If the violation is not a willful violation, but the violation directly results in disclosure of data, actual damages.
(C) If the violation is a willful violation and directly results in disclosure of data, the greater of the following:
(i) Actual damages.
(ii) Statutory damages in an amount not greater than five hundred dollars ($500) for each violation.
(2) (A) A civil action against a public entity for damages pursuant to this subdivision may be brought only by the Attorney General, a district attorney, or a city attorney.
(B) A member of the public may bring a civil action against a public entity to obtain relief pursuant to this subdivision only to obtain injunctive relief and reasonable attorney fees.