We’ve written a lot about the adoption and implementation of CCPA, California’s state privacy law. We’ve told you about industry’s attempt to water the law down and the successful fight of privacy advocates to keep that from happening. We’ve told you about the loopholes that remain in this game-changing law.
Now, the novel coronavirus is raising the stakes once again. Sorely needed contact tracing is a service big tech is rushing to provide, and privacy protections are a seeming inconvenience.
But long after the spread of COVID-19 is contained, the trove of data collected about our movements and associations will remain as an asset of great value to the companies, and a threat to our control over our personal information.
Right now, much of this conversation is being framed as promises from industry about what will and won’t happen to the data they collect for public health purposes.
Promises are nice. We appreciate that the public dialogue about contact tracing applications has touched on privacy concerns and that accommodations have been made, including an opt-in protocol and decentralized, Bluetooth-based alerts.
But the central premise of our privacy and transparency-based work has always been that promises are not enough. We’ve seen too often that data collected for one purpose ends up being used for other purposes down the line as time passes and old promises are forgotten.
There’s a law for that. Or there could be.
Although it is a mouthful, the term “data minimization” is actually pretty easy to understand. It means collecting only what is needed for a specific purpose, keeping it only for as long as is needed to fulfill that purpose, and then eliminating it.
It is the opposite of the framework often embraced by data collectors, from law enforcement agencies to Amazon CEO Jeff Bezos, which could be called “data hoarding,” or the belief that everything collected should be kept indefinitely just in case it proves useful later on for some currently undreamed of application or purpose.
The problems with data hoarding are simple. Breaches or mishandling become considerably graver when data is retained indefinitely. The more data points reside in a collection, the easier it is to pair them up to build fuller personal profiles. And regulatory policies designed to protect privacy rights for one purpose can be negligible or completely useless for another purpose.
Data minimization is not currently enshrined into state privacy law, but here in California, it could be.
Assembly Bill 3119, the Minimization of Consumer Data Processing Act, takes a weed whacker to the data hoarding habit and makes sure users agree explicitly to the surrender of their personal data for a specific purpose.
The Act, authored by Berkeley/Oakland assemblymember Buffy Wicks, ties the retention and collection of personal information to a) providing a product or service the user has requested or b) preventing fraud. Moreover, that retained information may not be shared with another entity without the explicit consent of the owner. This removes the overly narrow definition of “sale” in the CCPA, which exempted non-monetary data sharing.
Californians, if AB 3119 becomes law, could use a contact-tracing application to keep themselves and their loved ones safe, without having their location data and associations mined afterwards for commercial or surveillance purposes.
And they would not have to rely on Google, Facebook or other tech companies producing COVID-19 related apps, promising them that such a thing could never, ever happen – and find out later that it did.
If public health depends on stepping up contact-tracing efforts, then the success of these efforts depends on mass user opt-in and public faith that health measures are not a veiled marketing bonanza or, worse, a tool for surveillance down the line.
California politicians and tech companies have an opportunity to demonstrate that public health measures are, only and exclusively, public health measures. They should support AB 3119 to demonstrate that they mean it.