Bill Text: CA AB1782 | 2019-2020 | Regular Session | Amended

NOTE: There are more recent revisions of this legislation.
Bill Title: Personal information: contact tracing.

Spectrum: Partisan Bill (Democrat 2-0)

Status: (Engrossed - Dead) 2020-08-20 - In committee: Held under submission.

Amended in Senate June 18, 2020
Amended in Assembly May 24, 2019
Amended in Assembly April 30, 2019
Amended in Assembly April 10, 2019
Amended in Assembly March 25, 2019

CALIFORNIA LEGISLATURE— 2019–2020 REGULAR SESSION

Assembly Bill
No. 1782


Introduced by Assembly Member Chau
(Coauthor: Assembly Member Wicks)

February 22, 2019


An act to amend Sections 1798.90.5, 1798.90.51, and 1798.90.53 of the Civil Code, relating to personal information. An act to add Title 4.5 (commencing with Section 1924) to Part 4 of Division 3 of the Civil Code, to add Chapter 5 (commencing with Section 104000) to Part 2 of Division 102 of the Health and Safety Code, and to add Part 6 (commencing with Section 22360) to Division 2 of the Public Contract Code, relating to personal information.


LEGISLATIVE COUNSEL'S DIGEST


AB 1782, as amended, Chau. Automated license plate recognition information: usage and privacy policy. Personal information: contact tracing.
Existing law, the California Consumer Privacy Act of 2018 (CCPA), grants a consumer various rights with respect to personal information, as defined, that is collected or sold by a business, as defined, including the right to require a business to delete personal information about the consumer, as specified.
This bill would generally regulate public health entities and businesses that provide technology-assisted contact tracing (TACT), as defined, services. The bill would, among other things, require a business or public health entity offering TACT to provide a simple mechanism for a user to revoke consent for the collection, use, maintenance, or disclosure of data and permit revocation of consent at any time. The bill would require a business providing TACT services that is not affiliated with a public health entity to clearly and conspicuously disclose upon solicitation and provision of that service that the service is not affiliated with a public health entity. The bill would require a public health entity participating in TACT to require that any report of exposure be verified by a health care professional before notifying persons who have been or may have been in contact with the reporting individual or before publicly disclosing exposure data.
Existing law generally governs contracts entered into by a state or local agency.
This bill would, among other things, require data collected and maintained in the course of fulfilling the duties of a TACT contract to be encrypted to the extent practicable and would require certain provisions to be included in a TACT contract, including a provision creating performance metrics for evaluation of the particular goods or services provided pursuant to the contract.

Existing law authorizes the Department of the California Highway Patrol to retain license plate data captured by license plate reader technology, also referred to as an automated license plate recognition (ALPR) system, for not more than 60 days unless the data is being used as evidence or for the investigation of felonies. Existing law authorizes the department to share that data with law enforcement agencies for specified purposes and requires both an ALPR operator and an ALPR end-user, as those terms are defined, to implement a usage and privacy policy regarding that ALPR information, as specified. Existing law requires that the usage and privacy policy implemented by an ALPR operator and an ALPR end-user include the length of time ALPR information will be retained, and the process the ALPR operator and ALPR end-user will utilize to determine if and when to destroy retained ALPR information.

This bill would delete the requirement that the usage and privacy policy implemented by an ALPR operator and an ALPR end-user include the retention and destruction information described above, and would instead require those usage and privacy policies to include a procedure to ensure the destruction of all nonanonymized ALPR information no more than 60 days from the date of collection, except as provided. The bill would also require that the usage and privacy policy implemented by an ALPR operator and an ALPR end-user include a procedure to ensure that all ALPR information that is shared with an organization or individual, not including a law enforcement agency, outside of the entity that generated that information is anonymized, as defined, to protect the privacy of the license plate holder.

Vote: MAJORITY   Appropriation: NO   Fiscal Committee: YES   Local Program: NO  

The people of the State of California do enact as follows:


SECTION 1.

 Title 4.5 (commencing with Section 1924) is added to Part 4 of Division 3 of the Civil Code, to read:

TITLE 4.5. TECHNOLOGY-ASSISTED CONTACT TRACING PUBLIC ACCOUNTABILITY AND CONSENT TERMS ACT (TACT-PACT).

1924.
 For purposes of this title:
(a) “Data” means measurements, transactions, determinations, locations, or other information, whether or not that information can be associated with a specific natural person.
(b) “Personal information” means data capable of being associated with a specific natural person.
(c) “Public health entity” means a state or local public entity that is responsible for public health matters as part of its official mandate.
(d) “Technology-assisted contact tracing (TACT)” means the use of a digital application or other electronic or digital platform offered to individuals for the purpose of identifying and monitoring individuals, through data collection and analysis, who may have had contact with an infectious person as a means of controlling the spread of a communicable disease.

1924.1.
 A business or public health entity offering TACT services to individual users shall do all of the following:
(a) Ensure that a request for an individual’s consent for the collection, use, maintenance, or disclosure of data includes the public health purpose for which that individual’s data will be collected, used, maintained, or disclosed, and the party or parties to whom that data will be disclosed.
(b) Provide a simple mechanism for a user to revoke consent for the collection, use, maintenance, or disclosure of data and permit revocation of consent at any time.
(c) Disclose to the user the categories of data collected, used, or disclosed and the specific public health purposes for which each category will be collected, used, or disclosed.
(d) Provide users with an effective mechanism by which to correct or delete personal information.
(e) Ensure that any component created for individual use shall be capable of being temporarily disabled and shall be removable by the user in a manner that is clear, simple, and does not include any unnecessary steps.
(f) Clearly and conspicuously disclose that the absence of an exposure notice does not ensure that the individual has not been exposed to the condition of public health concern.

1924.3.
 A business or public health entity shall not do any of the following:
(a) Collect, use, maintain, or disclose data for the purpose of providing TACT services without the affirmative consent of the individual to whom that data pertains.
(b) Collect, use, or disclose personal information that is not reasonably necessary to provide a service or conduct an activity that a user has requested.
(c) Discriminate on the basis of participation in TACT or any behavior or disclosure pursuant thereto.
(d) Impose a penalty on the basis of participation in TACT or any behavior or disclosure pursuant thereto.
(e) Require an employee or contractor to participate in TACT or any behavior or disclosure pursuant thereto.

1924.5.
 (a) A business providing TACT services that is not affiliated with a public health entity shall clearly and conspicuously disclose upon solicitation and provision of a TACT service that the service is not affiliated with a public health entity.
(b) A business described in subdivision (a) shall not hold itself out to be affiliated with a public health entity.

SEC. 2.

 Chapter 5 (commencing with Section 104000) is added to Part 2 of Division 102 of the Health and Safety Code, to read:

CHAPTER 5. TECHNOLOGY-ASSISTED CONTACT TRACING PUBLIC ACCOUNTABILITY AND CONSENT TERMS ACT (TACT-PACT).

104000.
 For purposes of this chapter:
(a) “Data” means measurements, transactions, determinations, locations, or other information, whether or not that information can be associated with a specific natural person.
(b) “Personal information” means data capable of being associated with a specific natural person.
(c) “Public health entity” means a state or local public entity that is responsible for public health matters as part of its official mandate.
(d) “Technology-assisted contact tracing (TACT)” means the use of a digital application or other electronic or digital platform offered to individuals for the purpose of identifying and monitoring individuals, through data collection and analysis, who may have had contact with an infectious person as a means of controlling the spread of a communicable disease.

104002.
 (a) Notwithstanding any other law, a public entity that is not a public health entity shall not deploy or cause the deployment of TACT.
(b) Participation in TACT, and any behavior or furnishing of information or consent for the purpose of effectuating TACT, shall be entirely voluntary.
(c) (1) Personal information collected, used, or maintained by a public health entity for the purpose of TACT shall not be used for any purpose other than facilitating the response to the immediate public health purpose.
(2) For purposes of this subdivision, “facilitating the response to the immediate public health purpose” does not include enforcement of laws or orders pertaining to the public health purpose or created in response to the public health purpose, or investigations into violations of those orders and laws.

104004.
 A public health entity participating in TACT shall do all of the following:
(a) Purge any personal information collected pursuant to TACT within 60 days from the time of collection.
(b) Require that any report of exposure be verified by a health care professional before notifying persons who have been or may have been in contact with the reporting individual or before publicly disclosing exposure data.
(c) Issue a public report, at least once every 90 days, stating all of the following:
(1) The number of individuals whose personal information the public health entity collected, used, or disclosed pursuant to TACT.
(2) The categories of data collected, used, or disclosed and the specific public health purposes for which each category was collected, used, or disclosed pursuant to TACT.
(3) The recipient to whom any of the information described in paragraphs (1) and (2) was disclosed.
(d) Comply with other applicable laws, including Title 4.5 (commencing with Section 1924) of Part 4 of Division 3 of the Civil Code.

104006.
 A public health entity participating in TACT shall not charge a user fee for participation in TACT.

104008.
 This chapter shall not be construed to limit or prohibit a public health entity or its agent from administering programs to identify individuals who have contracted, or may have been exposed to, a public health condition through traditional means intended to monitor and mitigate the transmission of a disease or disorder, including interviews, outreach, case investigation, and other recognized investigatory measures.

SEC. 3.

 Part 6 (commencing with Section 22360) is added to Division 2 of the Public Contract Code, to read:

PART 6. TECHNOLOGY-ASSISTED CONTACT TRACING PUBLIC ACCOUNTABILITY AND CONSENT TERMS ACT (TACT-PACT).

22360.
 For purposes of this part:
(a) “Data” means measurements, transactions, determinations, locations, or other information, whether or not that information can be associated with a specific natural person.
(b) “Personal information” means data capable of being associated with a specific natural person.
(c) “Public health entity” means a state or local public entity that is responsible for public health matters as part of its official mandate.
(d) “Technology-assisted contact tracing (TACT)” means the use of a digital application or other electronic or digital platform offered to individuals for the purpose of identifying and monitoring individuals, through data collection and analysis, who may have had contact with an infectious person as a means of controlling the spread of a communicable disease.

22362.
 (a) Notwithstanding any other law, a public entity that is not a public health entity shall not enter into a TACT contract.
(b) Any data collected by, and any inventions, discoveries, intellectual property, technical communications, and records originated or prepared by, the contractor, including papers, reports, charts, computer programs, and other documentation shall be the public health entity’s exclusive property.
(c) Any data collected and maintained in the course of fulfilling the duties of a TACT contract shall be encrypted to the extent practicable.

22364.
 A TACT contract shall include, but not be limited to, all of the following provisions:
(a) Participation in TACT, and any behavior or furnishing of information or consent for the purpose of effectuating TACT, shall be entirely voluntary.
(b) (1) Except as provided in paragraph (2), the contractor shall comply with the requirements imposed on public health entities pursuant to Chapter 5 (commencing with Section 104000) of Part 2 of Division 102 of the Health and Safety Code.
(2) The contractor shall not be required to comply with the reporting requirement imposed by subdivision (c) of Section 104004 of the Health and Safety Code if the report published by the public health entity accounts for the data collected, used, or disclosed by the contractor pursuant to the contract.
(c) Performance metrics for evaluation of the particular goods or services provided pursuant to the contract.
(d) (1) Subject to paragraph (2), the term of the contract shall not exceed one year.
(2) The contract may be renewed for increments of one year or less if the terms of the performance metrics described in subdivision (c) are substantially satisfied.
(e) Limitations on data collection and use.
(f) Security and data breach requirements, including the following:
(1) A contractor shall report a data breach to law enforcement and the public health entity.
(2) A contractor shall report a data breach pursuant to Section 1798.82 of the Civil Code.
(g) A contractor shall provide any source code created by the contractor pursuant to a TACT contract to both of the following:
(1) The public health entity.
(2) (A) Any entity charged with oversight of the public health entity’s acquisitions, as required by Section 12100.
(B) A contract governed by this part shall be deemed a contract for the acquisition of information technology goods and services related to information technology projects for purposes of Section 12100.

22366.
 A TACT contract shall prohibit a contractor from all of the following:
(a) Collecting data that is not directly necessary for the public health purposes enumerated in the contract.
(b) Disclosing data collected, used, or maintained pursuant to the contract with any person or entity without the express written consent of the public health entity and the affirmative consent of any individual whose data would be disclosed.
(c) Using data for a purpose other than facilitating contact tracing for the immediate public health purpose.
(d) Using data collected pursuant to the contract for a commercial purpose or to obtain anything of value apart from due compensation pursuant to the contract.
(e) Associating data collected pursuant to the contract in any way with data otherwise collected or maintained by the contractor for other purposes.
(f) Attempting to reidentify deidentified, anonymized, or aggregated data.
(g) Using or maintaining personal information collected pursuant to the contract for longer than 60 days from the time of collection.
(h) Maintaining data collected pursuant to the contract after the termination or expiration of the contract.

SECTION 1. Section 1798.90.5 of the Civil Code is amended to read:

1798.90.5.
 The following definitions shall apply for purposes of this title:
(a) “Anonymize” means to redact the images of the registration plates and the characters they contain from the ALPR information so that the ALPR information does not identify, or does not provide a reasonable basis from which to identify, an individual.
(b) “Automated license plate recognition end-user” or “ALPR end-user” means a person that accesses or uses an ALPR system, but does not include any of the following:
(1) A transportation agency when subject to Section 31490 of the Streets and Highways Code.
(2) A person that is subject to Sections 6801 to 6809, inclusive, of Title 15 of the United States Code and state or federal statutes or regulations implementing those sections, if the person is subject to compliance oversight by a state or federal regulatory agency with respect to those sections.
(3) A person, other than a law enforcement agency, to whom information may be disclosed as a permissible use pursuant to Section 2721 of Title 18 of the United States Code.
(c) “Automated license plate recognition information,” or “ALPR information” means information or data collected through the use of an ALPR system.
(d) “Automated license plate recognition operator” or “ALPR operator” means a person that operates an ALPR system, but does not include a transportation agency when subject to Section 31490 of the Streets and Highways Code.
(e) “Automated license plate recognition system” or “ALPR system” means a searchable computerized database resulting from the operation of one or more mobile or fixed cameras combined with computer algorithms to read and convert images of registration plates and the characters they contain into computer-readable data.
(f) “Person” means any natural person, public agency, partnership, firm, association, corporation, limited liability company, or other legal entity.
(g) “Public agency” means the state, any city, county, or city and county, or any agency or political subdivision of the state or a city, county, or city and county, including, but not limited to, a law enforcement agency.

SEC. 2. Section 1798.90.51 of the Civil Code is amended to read:

1798.90.51.
 An ALPR operator shall do all of the following:
(a) Maintain reasonable security procedures and practices, including operational, administrative, technical, and physical safeguards, to protect ALPR information from unauthorized access, destruction, use, modification, or disclosure.
(b) (1) Implement a usage and privacy policy in order to ensure that the collection, use, maintenance, sharing, and dissemination of ALPR information is consistent with respect for individuals’ privacy and civil liberties. The usage and privacy policy shall be available to the public in writing, and, if the ALPR operator has an internet website, the usage and privacy policy shall be posted conspicuously on that internet website.
(2) The usage and privacy policy shall, at a minimum, include all of the following:
(A) The authorized purposes for using the ALPR system and collecting ALPR information.
(B) A description of the job title or other designation of the employees and independent contractors who are authorized to use or access the ALPR system, or to collect ALPR information. The policy shall identify the training requirements necessary for those authorized employees and independent contractors.
(C) A description of how the ALPR system will be monitored to ensure the security of the information and compliance with applicable privacy laws.
(D) The purposes of, process for, and restrictions on, the sale, sharing, or transfer of ALPR information to other persons.
(E) The title of the official custodian, or owner, of the ALPR system responsible for implementing this section.
(F) A description of the reasonable measures that will be used to ensure the accuracy of ALPR information and correct data errors.
(G) A procedure to ensure the destruction of all nonanonymized ALPR information no more than 60 days from the date of collection, except as authorized pursuant to Section 2413 of the Vehicle Code or if the ALPR operator is a law enforcement agency and the ALPR information is being used as evidence or for the investigation of a felony.
(H) A procedure to ensure that all ALPR information that is shared with an organization or individual, not including a law enforcement agency, outside of the entity that generated that information is anonymized to protect the privacy of the license plate holder.

SEC. 3. Section 1798.90.53 of the Civil Code is amended to read:

1798.90.53.
 An ALPR end-user shall do all of the following:
(a) Maintain reasonable security procedures and practices, including operational, administrative, technical, and physical safeguards, to protect ALPR information from unauthorized access, destruction, use, modification, or disclosure.
(b) (1) Implement a usage and privacy policy in order to ensure that the access, use, sharing, and dissemination of ALPR information is consistent with respect for individuals’ privacy and civil liberties. The usage and privacy policy shall be available to the public in writing, and, if the ALPR end-user has an internet website, the usage and privacy policy shall be posted conspicuously on that internet website.
(2) The usage and privacy policy shall, at a minimum, include all of the following:
(A) The authorized purposes for accessing and using ALPR information.
(B) A description of the job title or other designation of the employees and independent contractors who are authorized to access and use ALPR information. The policy shall identify the training requirements necessary for those authorized employees and independent contractors.
(C) A description of how the ALPR system will be monitored to ensure the security of the information accessed or used, and compliance with all applicable privacy laws and a process for periodic system audits.
(D) The purposes of, process for, and restrictions on, the sale, sharing, or transfer of ALPR information to other persons.
(E) The title of the official custodian, or owner, of the ALPR information responsible for implementing this section.
(F) A description of the reasonable measures that will be used to ensure the accuracy of ALPR information and correct data errors.
(G) A procedure to ensure the destruction of all nonanonymized ALPR information no more than 60 days from the date of collection, except as authorized pursuant to Section 2413 of the Vehicle Code or if the ALPR end-user is a law enforcement agency and the ALPR information is being used as evidence or for the investigation of a felony.
(H) A procedure to ensure that all ALPR information that is shared with an organization or individual, not including a law enforcement agency, outside of the entity that generated that information is anonymized to protect the privacy of the license plate holder.
