STATE OF NEW YORK ________________________________________________________________________ 8448 IN SENATE June 3, 2020 ___________ Introduced by Sen. THOMAS -- read twice and ordered printed, and when printed to be committed to the Committee on Internet and Technology AN ACT in relation to the collection of emergency health data and the use of technology assisted contact tracing to aid during COVID-19; and providing for the repeal of such provision upon the expiration thereof The People of the State of New York, represented in Senate and Assem- bly, do enact as follows: 1 Section 1. For the purposes of this act: 2 1. "Covered entity" means any person, including a government entity: 3 (a) that collects, uses, or discloses emergency health data, as 4 defined in this act, electronically or through communication by wire or 5 radio; or 6 (b) that develops or operates a website, web application, mobile 7 application, mobile operating system feature, or smart device applica- 8 tion for the purpose of tracking, screening, monitoring, contact trac- 9 ing, or mitigation, or otherwise responding to the COVID-19 public 10 health emergency. 11 2. "De-identified information" means information that cannot reason- 12 ably identify, relate to, describe, be capable of being associated with, 13 or be linked, directly or indirectly, to a particular individual. A 14 covered entity that uses de-identified information: 15 (a) has implemented technical safeguards that prohibit re-identifica- 16 tion of the individual to whom the information may pertain; 17 (b) has implemented business processes that specifically prohibit 18 re-identification of the information; 19 (c) has implemented business processes that prevent inadvertent 20 release of de-identified information; and 21 (d) makes no attempt to re-identify the information. 22 3. "Emergency health data" means data linked or reasonably linkable to 23 an individual or device, including data inferred or derived about the 24 individual or device from other collected data provided such data is 25 still linked or reasonably linkable to the individual or device, that 26 concerns the public COVID-19 health emergency. Such data includes: EXPLANATION--Matter in italics (underscored) is new; matter in brackets [] is old law to be omitted. LBD16478-01-0S. 8448 2 1 (a) Information that reveals the past, present, or future physical or 2 behavioral health or condition of, or provision of healthcare to, an 3 individual including: 4 (i) data derived from the testing or examination; 5 (ii) whether or not an individual has contracted or been tested for, 6 or an estimate of the likelihood that a particular individual may 7 contract, such disease or disorder; and 8 (iii) genetic data, biological samples and biometrics; and 9 (b) Other data collected in conjunction with other emergency health 10 data or for the purpose of tracking, screening, monitoring, contact 11 tracing, mitigation, or otherwise responding to the COVID-19 public 12 health emergency including: 13 (i) geolocation data, when such term means data capable of determining 14 the past or present precise physical location of an individual at a 15 specific point in time, taking account of population densities, includ- 16 ing cell-site location information, triangulation data derived from 17 nearby wireless or radio frequency networks and global positioning 18 system data; 19 (ii) proximity data, when such term means information that identifies 20 or estimates the past or present physical proximity of one individual or 21 device to another, including information derived from Bluetooth, audio 22 signatures, nearby wireless networks, and near field communications; 23 (iii) demographic data; 24 (iv) contact information for identifiable individuals or a history of 25 the individual's contacts over a period of time, such as an address book 26 or call log; and 27 (v) any other data collected from a personal device. 28 4. "Technology assisted contact tracing" means technology that sends a 29 steady supply of information, including location information, movement, 30 social encounters, phone numbers, and health data, to a central authori- 31 ty. 32 5. "Personal information" means information that identifies, relates 33 to, describes, is capable of being associated with, or could reasonably 34 be linked, directly or indirectly, with a particular consumer or house- 35 hold. 36 6. "Process" means any operation or set of operations that are 37 performed on personal data by either automated or not automated means. 38 § 2. Any entity creating, developing, or marketing technology assisted 39 contact tracing to aid during the COVID-19 public health emergency must 40 disclose the following information at a fourth grade reading level or 41 below and in the language the entity regularly uses to communicate with 42 the individual: 43 1. The individual's right to opt-in. (a) A covered entity shall obtain 44 freely given, specific, informed, and unambiguous opt-in consent from an 45 individual to: 46 (i) process the individual's emergency health data; and 47 (ii) make any changes in the processing of the individual's emergency 48 health data. 49 (b) It shall be unlawful for a covered entity to collect, use, or 50 disclose emergency health data unless: 51 (i) the individual to whom the data pertains has freely given, specif- 52 ic, informed, and unambiguous consent to such collection, use, or 53 disclosure; or 54 (ii) such collection, use, or disclosure is necessary and for the sole 55 purpose of:S. 8448 3 1 (A) protecting against malicious, deceptive, fraudulent, or illegal 2 activity; or 3 (B) detecting, responding to, or preventing security incidents or 4 threats; or 5 (iii) the covered entity is compelled to do so by a court order or 6 other legal obligation. 7 (c) To the extent that a covered entity must process internet protocol 8 addresses, system configuration information, URLs of referring pages, 9 locale and language preferences, keystrokes, and other personal informa- 10 tion in order to obtain individuals' freely given, specific, informed, 11 and unambiguous opt-in consent, the entity: 12 (i) shall only process the personal information necessary to request 13 freely given, specific, informed, and unambiguous opt-in consent; 14 (ii) shall process the personal information solely to request freely 15 given, specific, informed, and unambiguous opt-in consent; and 16 (iii) shall immediately delete the personal information if consent is 17 withheld. 18 2. The individual's right to privacy. (a) All data collected for the 19 purpose of tracking, screening, monitoring, contact tracing, or miti- 20 gation, or otherwise responding to the COVID-19 public health emergency 21 shall be collected at a minimum level of identifiability reasonably 22 needed for tracking COVID-19. For a covered entity using proximity trac- 23 ing or exposure notification this includes changing pseudonyms or tempo- 24 rary anonymous identifiers at least once in a twelve hour period. 25 (b) A covered entity shall not process personal information beyond 26 what is adequate, relevant, and necessary for the completion of the 27 transaction disclosed to, affirmatively consented to, and requested by 28 the individual. 29 (c) A covered entity shall not collect, use, or disclose emergency 30 health data for any purpose not authorized under this act, including: 31 (i) commercial advertising, recommendation for e-commerce, or the 32 training of machine learning algorithms related to, or subsequently for 33 use in, commercial advertising and e-commerce; 34 (ii) soliciting, offering, selling, leasing, licensing, renting, 35 advertising, marketing, or otherwise commercially contracting for 36 employment, finance, credit, insurance, housing, or education opportu- 37 nities in a manner that discriminates or otherwise makes opportunities 38 unavailable on the basis of data; or 39 (iii) segregating, discriminating in, or otherwise making unavailable 40 the goods, services, facilities, privileges, advantages, or accommo- 41 dations of any place of public accommodation (as such term is defined in 42 section 301 of the Americans with Disabilities Act of 1990), except as 43 authorized by a state or federal government entity for a public health 44 purpose. 45 3. Covered entity privacy policy. (a) A covered entity shall provide 46 to the individual a privacy policy, prior to or at the point of 47 collection of emergency health data: 48 (i) detailing how and for what purpose the covered entity collects, 49 uses, and discloses emergency health data; 50 (ii) describing the covered entity's data retention and data security 51 policies and practices for emergency health data; and 52 (iii) describing how an individual may exercise rights under this 53 section. 54 (b) A covered entity must develop a written policy, made available to 55 the public, establishing a retention schedule and guidelines for perma- 56 nently destroying emergency health data when the initial purpose forS. 8448 4 1 collecting or obtaining such data has been satisfied or within two years 2 of the individual's last interaction with the covered entity, whichever 3 occurs first. A covered entity in possession of emergency health data 4 must comply with its established retention schedule and destruction 5 guidelines. 6 (c) A covered entity shall create transparency reports, at least once 7 every 90 days, that include: 8 (i) the number of individuals whose emergency health data the covered 9 entity collected or used; 10 (ii) the categories of emergency health data collected, used, or 11 disclosed; 12 (iii) the purposes for which each category of emergency health data 13 was collected, used, or disclosed; 14 (iv) the number of requests for individuals emergency health data, 15 including information on who the emergency health data was disclosed to; 16 and 17 (v) the number of instances where emergency health data was produced, 18 in whole or in part, without prior, explicit consents by the individuals 19 specified in the request. 20 4. Time limitation on retention. (a) Emergency data collected for the 21 purpose of tracking, screening, monitoring, contact tracing, or miti- 22 gation, or otherwise responding to the COVID-19 public health emergency 23 shall be deleted within 30 days, except that proximity tracing or expo- 24 sure notification data which shall be automatically deleted every 14 25 days. 26 (b) A covered entity that stores data for longer than 30 days must 27 re-engage consent every 30 days. Data shall automatically delete in 30 28 days unless consent is properly re-engaged. 29 (c) This subdivision shall not apply to de-identified information. 30 5. Access rights. (a) Emergency health data shall be shared only as 31 necessary to provide the service requested by an individual. 32 (b) A covered entity may share aggregate, de-identified data with 33 public health authorities solely for the limited purposes for which 34 information can be collected in the first place. No information shall be 35 shared with law enforcement without a valid court order, subpoena, or 36 search warrant. 37 (c) A covered entity shall not disclose emergency health data to a 38 third party unless that third party is contractually bound to the 39 covered entity to meet the same privacy and security obligations as the 40 covered entity. 41 (d) No covered entity in possession of emergency health data may 42 disclose, redisclose, or otherwise disseminate an individual's emergency 43 health data unless: 44 (i) the subject of the personal information or the subject's legally 45 authorized representative consents in writing to the disclosure or 46 redisclosure; 47 (ii) the disclosure or redisclosure is required by state or federal 48 law; or 49 (iii) the disclosure is required pursuant to a valid warrant, court 50 order, or subpoena issued by a court of competent jurisdiction. 51 (e) Individuals shall have the right to access the emergency health 52 data collected on them and correct any inaccuracies. 53 (i) A covered entity must comply with an individual's request to 54 correct emergency health data not later than 30 days after receiving a 55 verifiable request from the individual or, in the case of a minor, the 56 individual's parent or guardian.S. 8448 5 1 (ii) Where the covered entity has reasonable doubts or cannot verify 2 the identity of the individual making a request under this paragraph, 3 the covered entity may request additional information necessary for the 4 specific purpose of confirming the identity of the individual. In such 5 cases, the additional information shall not be processed for any purpose 6 other than verifying the identity of the individual and must be deleted 7 immediately upon verification or failure to verify the individual. 8 § 3. 1. A covered entity shall implement reasonable measures to ensure 9 confidentiality, integrity, and availability of data. 10 2. A covered entity that collects an individual's emergency health 11 data shall implement and maintain reasonable security procedures and 12 practices, including administrative, physical, and technical safeguards, 13 appropriate to the nature of the information and the purposes for which 14 that information will be used, to protect that information from unau- 15 thorized use, disclosure, access, destruction, or modification. 16 3. A covered entity shall limit access to emergency health data to 17 authorized essential personnel whose use of the data is reasonably 18 necessary to operate the program and record who has accessed emergency 19 health data, the date of access, and for what purposes. 20 § 4. 1. All covered entities shall be subject to data protection 21 audits evaluating the technology assisted contact tracing utilized and 22 the development processes, including the design and training data, for 23 statistical impacts on classes protected under section 296 of article 15 24 of the executive law, as well as for impacts on privacy, and security 25 that includes at a minimum: 26 (a) a detailed description of the technology assisted contact tracing, 27 its design, its training, data, and its purpose; 28 (b) an assessment of the relative benefits and costs of the technology 29 assisted contact tracing in light of its purpose, taking into account 30 relevant factors including data minimization practices; the duration for 31 which personal information and the results of the data analysis are 32 stored; what information about the technology assisted contact tracing 33 is available to the public; and the recipients of the results of the 34 technology assisted contact tracing; 35 (c) an assessment of the risk of harm posed by the technology assisted 36 contact tracing and the risk that the technology assisted contact trac- 37 ing may result in or contribute to inaccurate, unfair, biased, or 38 discriminatory decisions impacting individuals; and 39 (d) The measures the state agency will employ to minimize the risks 40 described in paragraph (c) of this subdivision, including technological 41 and physical safeguards. 42 2. The audits required by this subdivision shall be made available to 43 the public. 44 § 5. 1. An individual may bring a private right of action in a court 45 of competent jurisdiction to enforce any right under this act or to 46 enjoin any violation of this act. 47 2. The attorney general may bring an action in the name of the state, 48 or as parens patriae on behalf of persons residing in the state, to 49 enforce the provisions of this act. In an action brought by the attorney 50 general, the court may award injunction relief, including preliminary 51 injunctions, to prevent further violations of and compel compliance with 52 this act; civil penalties up to twenty-five thousand dollars per 53 violation or up to four percent of annual revenue; other appropriate 54 relief, including restitution, to redress harms to individuals or to 55 mitigate all substantial risk of harm; and any other relief the court 56 determines.S. 8448 6 1 § 6. This act shall take effect on the thirtieth day after it shall 2 have become a law and shall expire and be deemed repealed January 1, 3 2023.