Column: This California bill would protect our medical data from Big Tech (Hi, Amazon!)
There’s a race on between the tech industry and lawmakers over your medical privacy.
Big Tech is moving as fast as it can to embed its increasingly intrusive devices into people’s homes before policymakers can summon the political will to put much-needed consumer protections into place.
The latest example of such intrusiveness, as I reported last week, is Amazon receiving federal approval to equip its Alexa devices with radar sensors capable of “capturing motion in a three-dimensional space.”
The idea, according to the company, is to monitor your sleep “with a higher degree of resolution and location precision than would otherwise be achievable” using a wearable device such as an Apple Watch or Fitbit.
Andrew Guthrie Ferguson, a law professor at American University who focuses on privacy issues, told me this unprecedented level of bedroom surveillance is “as creepy as Silicon Valley gets.”
It’s also exactly what California Assemblyman Ed Chau (D-Arcadia) is hoping to rein in with a bill now making its way through the state Senate.
His legislation, AB 1436, would amend California’s Confidentiality of Medical Information Act to require that any business collecting and receiving health-related data receive upfront written permission from customers.
“These tech companies are after all sorts of personal medical information — your heart rate, your blood pressure, your sleep habits,” Chau told me. “As it stands, they’re circumventing medical privacy laws.”
That’s because existing laws apply to “healthcare providers,” which the likes of Amazon, Apple and Google are not, even though they’re among the businesses most eager to latch on to, and make use of, your medical data.
Chau, who has been trying to get variations of AB 1436 passed for years, originally wrote the latest iteration of his bill to explicitly designate any company collecting medical information as a healthcare provider.
This simple change would instantly place all such companies under existing state and federal medical privacy rules.
Chau told me he had to drop that provision amid strong pushback from the tech industry and its friends in Sacramento.
Now the legislation focuses on requiring an explicit opt-in for any collection and transmission of medical information.
While that’s a more modest goal, Chau acknowledged: “I think the net effect is the same. These companies would need your permission.”
He said his bill, if passed, “would place guardrails around these technologies.”
That would be a good thing.
Technologies that pry into your well-being have become so ubiquitous, there’s a name for the sector: mHealth, as in “mobile health.”
The World Health Organization defines mHealth as the “use of mobile and wireless technologies to support the achievement of health objectives.” The National Institutes of Health says it’s “the use of mobile and wireless devices … to improve health outcomes, healthcare services and health research.”
Grand View Research predicts the market for these technologies will be worth nearly $150 billion by 2028.
Yet there’s precious little regulatory oversight for how these software and hardware companies operate, or what they do with people’s medical information.
Will they use it to sell people products? Will they share the data with insurers, employers or companies that do background checks? Will this treasure trove of health information be stockpiled in anticipation of future technological advances?
Medical tech is the most glaring example of how Silicon Valley’s relentless commitment to innovation far outpaces the nation’s laws and regulatory structure.
Amazon, for example, was once merely a bookstore. The company’s vast array of offerings now include an online pharmacy, over-the-counter drugs and supplements, and, with its radar upgrade to Alexa, a device that will watch you all night as you sleep — and share that stream of data with Amazon.
I asked the company last week for some details about how the radar technology will work and what Amazon will do with the information. No one responded.
I asked again this week and also requested some comment on Chau’s medical-data bill. No one responded.
Chau, on the other hand, said he read my column about the radar technology and found the idea “creepy.”
“The tech industry keeps coming up with technologies that are more and more intrusive to consumers,” he said.
Chau’s bill says that any company offering “a personal health record system” to consumers “shall not knowingly use, disclose, or permit the use or disclosure of personal health record information without a signed authorization.”
“The bill would also prohibit a recipient of personal health record information … from further disclosing the health record information unless in accordance with a new authorization,” it says, making clear your medical info couldn’t be shared with others at a future time without your say-so.
Chau said it’s been an uphill battle advancing this bill in the Legislature amid intense lobbying by the tech industry to kill it.
“Big Tech is in opposition, big time,” he said.
That’s putting it mildly. The California Chamber of Commerce, speaking on behalf of about a dozen top tech organizations, says Chau’s bill is “overbroad” and would “drastically expand” the types of business and products subject to the state’s medical privacy law.
This, in turn, would have the effect of “significantly disrupting the market, availability and cost of everyday health products for Californians,” the chamber says.
For the Apples and Amazons of this world, that’s not ideal. For the rest of us, well, a little disruption is precisely what’s needed.
Chau also suspects a larger purpose at work among opponents of AB 1436.
He observed that if California passes a law making tech companies accountable for people’s medical data, this could prompt Congress to similarly amend the main federal medical privacy law, the Health Insurance Portability and Accountability Act.
The federal law, known as HIPAA, is embarrassingly out of date. Amazon was still just a startup bookseller when the law was enacted in 1996. Apple was on the ropes, its sales plummeting. Google wouldn’t show up for two years.
Now each of these companies has microphones and cameras in millions of homes, and each has made clear that medical technology is a big part of their respective futures.
Chau isn’t a Luddite. He accepts the importance of medical technology. He just wants to ensure consumers are protected as these powerful, privately controlled capabilities reshape society.
“Technologies like this are valuable,” Chau said. “But when information like this is collected and transmitted, you need to give people a say.”
That’s not a lot to ask for. Our lawmakers should ignore Big Tech’s lobbyists and pass AB 1436.