Contact Tracing. Local health departments, with the support of the Department of Health (DOH) and its partners, perform case investigations and contact tracing to help slow and prevent the spread of infectious diseases like COVID-19. These practices have been used for decades and entail an interviewer reaching out to persons who have tested positive for infectious disease, asking them pre-approved questions, entering information into secure systems, and connecting people with appropriate resources. Information collected during these interviews is only used by public health agencies.
Washington Exposure Notification Technology. In December 2020, DOH launched an exposure notification technology known as WA Notify. This new tool works through smartphones, without sharing any personal information, to notify users if they may have been exposed to COVID-19. Notifications have a link to information about what to do next to protect themselves and others. Notifications do not contain any information about who tested positive or where the exposure may have happened.
Consumer Protection Act. The Consumer Protection Act (CPA) prohibits unfair methods of competition or unfair or deceptive practices in the conduct of any trade or commerce. The statutory maximum civil penalty for a violation of such provisions is $2,000 for each violation. The attorney general (AG) and consumers can bring actions to enforce violations of the CPA.
Scope. Covered organizations, service providers, and third parties that collect, use, or disclose COVID-19 health data for a good-faith COVID-19 health purpose must meet specified obligations and follow specified restrictions.
Certain Definitions Summarized. Collect means acquiring COVID-19 health data in any manner by a covered organization, including passively or actively observing the behavior of an individual.
A covered organization means any person, including a government entity, that:
It does not include specified entities such as a health care provider, a health care facility, and a public health agency.
COVID-19 health data means data that is collected, used, or disclosed in connection with COVID-19 or the related public health response and is linked to an individual or device such as symptom data, biometric data, geolocation data, proximity data, or demographic data. Exemptions are specified.
A service provider means a person that collects, uses, or discloses COVID-19 health data on behalf of a covered organization.
A third party is a person to whom the covered organization discloses COVID-19 health data, excluding certain entities such as a public health agency.
Use means processing, employment, application, utilization, examination, or analysis of COVID-19 health data by a covered organization.
Obligations. When collecting, using, or disclosing COVID-19 health data for a good-faith COVID-19 health purpose, a covered organization must:
Security. A covered organization or service provider must establish and implement procedures to protect the security and confidentiality of the COVID-19 health data. A covered organization may not disclose identifiable COVID-19 health data to a third party unless the third party is contractually bound to meet the same data security obligations as the covered organization.
Data Retention. Unless retention is required by state or federal law, COVID-19 health data must be destroyed or rendered unlinkable to an individual no later than 30 days after collection.
Contracts. A covered organization may not disclose identifiable COVID-19 health data to service providers or third parties unless the service provider or third party is contractually bound to meet the same privacy obligations as the covered organization.
Restrictions. Consent. A covered organization may not collect, use, or disclose COVID-19 health data unless an individual gives affirmative express consent to the collection, use, or disclosure. This requirement does not apply for notifying an employee or consumer of potential exposure to COVID-19 while on a covered organization's premises, or through an interaction with an employee or person acting on behalf of the covered organization.
A covered organization must provide an effective mechanism for an individual to revoke consent. After an individual revokes consent, a covered organization must comply within seven days, take prescribed steps to destroy the COVID-19 health data, and notify the individual under certain circumstances.
Additional Restrictions. A covered organization may not collect, use, or disclose COVID-19 health data for any purpose not authorized in this act, including:
A general authority Washington law enforcement agency officer or limited authority Washington law enforcement agency, as defined in current law, or a federal immigration authority may not collect, use, or disclose COVID-19 health data for enforcing criminal or civil law.
Exemptions. Several exemptions are provided for specified purposes such as current public health agency contact tracing practices, certain scientific and public health research, or complying with legal processes. COVID-19 health data is exempt from public disclosure.
Report Requirement. A covered organization that collects, uses, or discloses COVID-19 health data of at least 30,000 individuals over 60 calendar days must issue a public report, including specified information such as aggregate data, at least once every 90 days. A copy of the report must be provided to DOH. DOH must publish reports on its public website.
Enforcement. The AG has sole enforcement authority under the CPA. Nothing in this act prohibits the Medicaid Fraud Division of the Washington Attorney General's Office from collecting, using, or disclosing, as legally permitted, COVID-19 health data for the enforcement of criminal and/or civil law.
Expiration. This act expires on December 31, 2022.
The committee recommended a different version of the bill than what was heard. PRO: Technology can assist efforts to stop the spread of infectious disease; however, it needs to preserve consumer privacy. The biggest barrier to the use of these tools is the lack of trust in the government and big technology. We need to instill trust in these tools to open up the economy. This bill provides a careful balance between privacy and the use of data for contact tracing purposes.
OTHER: In order to ensure the safety of corrections facilities, we think the bills need to include a narrow exemption for correction officers. This is consistent with other federal laws. We hope to bring agreed-upon language to the committee.
The committee recommended a different version of the bill than what was heard. None.