New privacy challenges await California businesses as they begin to develop plans to reopen after more than two months of lockdown due to the COVID-19 pandemic. Most businesses are required to fill out a county-specific safe reopening plan, which describes the measures that the business will take to protect the health of both employees and guests of the business. These measures often include, to varying degrees, temperature checks upon entrance and attestations to screening questions regarding the current and/or recent health history. In fact, many restaurants and retail establishments are either required to, or have stated that they voluntarily will, collect temperature information from all their employees on a daily basis. Businesses should be cognizant that the collection and use of such information may be subject to various privacy laws in California and may need to adjust their reopening policies and procedures to ensure compliance.
What is required under the CCPA?
- Provide a notice of what is being collected and for what purpose it is being collected at or before the time of collection.
- Provide a notice of what is being collected, for what purpose it is being collected, and to whom the information may be disclosed or “sold” at or before the time of collection.
- Provide notice of the visitors’ rights to access, delete, and opt-out of the “sale” of personal information and be prepared to comply with the visitors’ requests to exercise these rights.
- Take measures to protect the information collected against unauthorized access or use, including through retaining the information for as short a time as necessary or deidentifying or aggregating the information.
The California Fair Employee and Housing Act (“FEHA”) and the Federal Americans with Disabilities Act (“ADA”) would normally prohibit the use of “medical examinations” in the employment context unless they are job related and consistent with business necessities. The collection of temperature information as well as answers to the health screening questions could be considered a “medical examination” for the purposes of these laws. However, both the Federal Equal Employment Opportunity Commission (“EEOC”) and the Center for Disease Control (“CDC”) have provided guidance that the collection and use of this information is acceptable for the limited purpose of evaluating the risk that an employee may pose to others if they had the virus. This comports with an employer’s legal obligation to provide a safe workplace.
The California Consumer Privacy Act of 2018 (“CCPA”) is a broad, generally applicable privacy law in California that applies to the collection and use of personal information from all California residents. It defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This definition undoubtedly includes the type of information businesses seek to collect and process as part of their reopening plans. For businesses that are subject to the CCPA (i.e. more than $25M in revenue, process the personal data of more than 50K California consumers, or earn more than 50% of their annual revenue from the “sale” of personal information), the CCPA imposes obligations on how they collect and use this information. The obligations under the CCPA require that covered businesses be transparent with consumers by providing them a privacy notice at or before the time the business collects the personal information as well as providing consumers the right to access their personal information, delete their personal information, and opt-out of the “sale” of their personal information. However, unlike the European GDPR that the CCPA is modeled after, the CCPA does not require consent to collect temperature and screening information. While the CCPA is not enforceable until July 1, 2020 (and the California State AG has indicated that he will not delay enforcement, even in light of the COVID-19 pandemic), the AG can bring enforcement retroactively for violations dating back to January 1, 2020, the effective date of the CCPA.
The CCPA has a temporary, partial exemption for personal information collected about job applicants, employees, owners, directors, officers, medical staff members, and contractors when that information is used in the context of that individual’s role within the business. This limited exemption eliminates California employees’ rights to access, delete, and opt-out of the “sale” of their personal information. However, the CCPA still requires employers to be transparent with their employees regarding their collection and use of personal information through a (limited) privacy notice and still provides a private right of action for an employee in the event of a data breach arising out of the employer’s failure to adequately protect the employee’s personal information.
The collection of temperature checks and answers to questions regarding the employee’s recent health and potential COVID-19 exposure likely fits into this exemption as long as the business limits its use to evaluating the risk that an employee who may be infected with the virus could potentially infect other employees or customers of the business. Therefore, businesses must provide the employee with a privacy notice at or before the time of collection that discloses what information will be collected and the purposes for which that information will be used. Businesses should ensure that this privacy notice also properly discloses any other personal information the business may collect or use as part of its COVID-19 reopening measures that were not previously disclosed to employees in its employee privacy notice, including any mandatory use of “contact tracing” applications or through any other sensors deployed at its facilities. Businesses may also wish to address other employee concerns related to the employees’ disclosure of sensitive personal information to the business when they return to the workplace, such as the retention and disposal of the sensitive personal information collected.
Businesses should also be aware that the temporary exemption for employee information expires on January 1, 2021. Unless the deadline is extended before it expires, after January 1, 2020 this information will be subject to the same requirements of the CCPA as information collected from visitors as discussed below.
Unlike employee information, temperature and visitor information is not subject to an exemption and a business must fully comply with the requirements of the CCPA with respect to this information. This includes providing a broad privacy notice that discloses, amongst other things, the information collected, the purpose of the collection, and notification regarding to whom the information may be disclosed or “sold” (which may include regulators and other public health organizations). The business is also required to provide information in the privacy notice regarding the visitors’ rights to access, delete, and opt-out of the sale of their information and should be prepared to comply (with certain exceptions) with visitors’ requests to exercise those rights if it retains any of the collected information in an identifiable form.
Both employees and visitors must be provided with a privacy notice at or before the time of collection, although the form of this notice may vary depending on the methods used to collect the information. For example, the notice can be provided onscreen at the time of collection if the business uses a “screening” station where the employee or visitor operates a device that takes the individual’s temperature and collects his or her answers to the screening questions. Alternatively, prominent signage at the entrance to the business’s facility may be appropriate if the business deploys thermographic cameras to measure the temperature of everyone who enters the facility without direct interaction with the employee or visitor.
Protecting Information from Unauthorized Collection and Use
Businesses should also adopt measures designed to protect the personal information collected, whether from employees or visitors, against accidental disclosure or misuse. Businesses should consider the time in which this information is of value to the business and adopt appropriate policies and procedures to minimize its risk. These policies and procedures include:
- Promptly removing actual temperature readings after measurement and survey answers after collection if no longer needed. A business can consider storing “pass” or “no pass” if any record keeping is required, but promptly destroying the information after collection can help the business minimize its risks.
- Anonymizing information collected so that the information collected can no longer be associated with any particular individual.
- Disabling sound, indicator lights, and other secondary indicators that could indicate to other nearby people that a particular employee may be ill.
- If an individual’s temperature or screening answers indicate a potential health risk with the individual remaining on the premises, remove the individual from the work facility as discreetly as possible to minimize disclosure of the individual’s condition to others who may be nearby. If an announcement to the individual’s contacts must be made, the business should ensure that this is done in a manner that does not identify the individual to the extent possible.