The COVID-19 pandemic has changed all manner of business procedures over the course of this past year, but one area you may not immediately recognize that needs to be immediately addressed relates to mandatory privacy notifications under California state law – perhaps even if you don’t have employees in the state. If you have not yet adjusted your business practices as it relates to COVID-19, you need to add this important assignment to your end-of-the-year to-do list.

Introduction

Over the last couple of years, California has established the most stringent and significant privacy law in the country: the California Consumer Privacy Act (CCPA). Just recently, California voters passed the California Privacy Rights Act of 2020 (CPRA) which further expands the breadth of the CCPA. For a detailed explanation of the new CPRA, click here.

In general, policies and procedures such as employee handbooks should ideally be reviewed and revised each year. This is particularly important where policies or procedures may have greatly shifted over time, as has been the case in recent years. The CCPA went into effect for covered businesses nearly a year ago and since then there have been multiple new versions of the Attorney General’s regulations on the CCPA, providing additional guidance and requirements for employers.

CCPA Employee Notices

When drafting CCPA employee notices in the fourth quarter of 2019, or even in early 2020, the COVID-19 pandemic and everything it would lead to was not on the minds of employers or their attorneys who assisted in drafting such notices. But with the significant changes and challenges 2020 has brought, it is time for employers subject to the CCPA to revamp and revise their compliance measures. In particular, CCPA employee and consumer notices drafted a year ago are unfortunately already out of date. While this blog post will focus on employee notices, the suggested revisions should be made to consumers visiting your offices and storefronts as well.

The Collection of Personal Information Pre-COVID

As a brief reminder, under the CCPA, covered employers are required to provide a notice to all employees (and consumers where applicable) of the personal information collected by the company. Personal information is defined as any information that could identify, relate to, describe, be associated with, or be reasonably capable of being associated with a particular employee, consumer, or household. In the employment context, this requires covered employers to issue a notice (and possible acknowledgement) to employees that informs them of all the personal information collected from them throughout their employment.

Some of the basic personal information collected is easy to determine: name, address, SSN, birthdate, and physical characteristics. Upon a deeper dive, most employers also learn they collected less-intuitive personal information such as: education history, organization association, family information, and internet search history.

The Collection of Personal Information Post-COVID

When the COVID-19 pandemic hit the U.S. in March, and throughout the remainder or 2020, employers have struggled to implement policies and procedures to ensure a safe work environment in the midst of a pandemic. In addition to the personal information described above, it is now common for employers to collect information such as:

• An employee’s temperature;
• Medical information of the employee:
• Medical information of the employee’s friends and family;
• Travel information; and
• Other COVID-related information.

While employers collect this information under the direction of state and local authorities and in an effort to protect their workforce, what many employers may not realize is that all of this collected information meets the CCPA definition of “personal information.” Thus, it is possible that any CCPA employee notice, likely sent out at the beginning of 2020, omits information that must be disclosed to employees.

Revamping And Revising CCPA Employee Notices

Employers who collect this and similar COVID-related personal information from employees must revise and reissue their CCPA employee notice to disclose the collection of this information. The notice must list each piece of COVID-related personal information being collected. To ensure this occurs, you should conduct an audit of your newly implemented COVID procedures to determine the extent of the personal information collected. For example, if you ask employees to fill out a pre-work questionnaire inquiring as to whether they have symptoms, have been exposed to an individual with COVID-19, or have recently travelled out of the state/country, all of those items of information collected from the questionnaire should be listed in the notice.

Another example of often-collected COVID-related information that needs to be listed on the CCPA disclosure is an employee’s temperature. It is important to keep in mind the method by which your company is taking an employee’s temperature – are you screening employees with the traditional forehead temperature-taker, or screening employees’ temperatures through use of facial recognition technology? If the former, the employee’s name and their temperature should be listed in the notice as information being collected. If the latter, the collection and use of facial recognition technology (a form of biometric information) needs to be listed on the notice along with the employee’s name and their temperature.

Finally, don’t forget to review and revise the “business purposes” reason for which you are collecting information on the employee notice. Business purposes such as complying with state and local orders, identifying potential COVID-19 symptoms, and protecting the workplace are all business purposes for collecting the COVID-related personal information employers have started collecting during the pandemic.