AB 2688: Bad Health ‘Privacy’ Bill Would Unleash Information Sharing

SACRAMENTO – Consumer advocates called for the Senate Judiciary Committee to reject AB 2688 (Gordon), which would establish rules for health data information sharing. The Committee will hear AB 2688 at 9 a.m. on Tuesday, June 28.

The bill would place into law broad industry controls over the sharing of confidential health information by so-called “commercial health monitoring programs” including Fitbit, Apple Watch, First Response ovulation monitors, blood glucose monitors, and a host of other wearable health devices, apps and online health data programs.

“In its proposed form, AB 2688 allows online businesses to punish consumers who request that their personal health records remain private,” stated Richard Holober, Executive Director of the Consumer Federation of California.

Organizations opposing AB 2688 include Consumer Federation of California, CALPIRG, Consumer Action, Consumer Watchdog, California Alliance for Retired Americans, California ACLU, World Privacy Forum and UFCW Western States Council. (WPF and UFCW opposed AB 2688 as amended on April 11, which granted consumers more control than the current set of proposed amendments, including an opt-in authorization for information sharing.)

At an Assembly hearing on May 3, Assemblyman Gordon committed to work with consumer groups to strengthen consumer controls over sensitive health information. Instead, the proposed June 21 amendments:

  • Replace a required clearly written information sharing opt-in authorization form with an opt-out process that can be concealed from consumers,
  • Eliminate non-discrimination language, enabling companies to impose fees or penalties on those consumers who figure out that they can stop the sharing of personal information, or to ban these consumers from using a device or online program that they purchased,
  • Remove many online health information platforms from the bill’s meager privacy provisions, and
  • Allow a health monitoring program to hand a worker's, policyholder's or other consumer’s personal health information to an employer, insurer or other corporation, without consent, subpoena, warrant or other due process rights, if it is “relevant” to a grievance, arbitration or other non-judicial “claim or challenge”.