Privacy Considerations for Businesses Screening Employees and Visitors as They Reopen in California

29 May 2020 Blog
Authors: Eileen R. Ridley, Steven M. Millendorf, Samuel D. Goldstick
Published To: Coronavirus Resource Center:Back to Business Privacy, Cybersecurity & Technology Law Perspectives

New privacy challenges await California businesses as they begin to develop plans to reopen after more than two months of lockdown due to the COVID-19 pandemic. Most businesses are required to fill out a county-specific safe reopening plan, which describes the measures that the business will take to protect the health of both employees and guests of the business. These measures often include, to varying degrees, temperature checks upon entrance and attestations to screening questions regarding current and/or recent health history. In fact, many restaurants and retail establishments are either required to, or have stated that they voluntarily will, collect temperature information from all their employees on a daily basis. Businesses should be cognizant that the collection and use of such information may be subject to various privacy laws in California, and that they may need to adjust their reopening policies and procedures to ensure compliance.

What is required under the CCPA?

For Employees:

  • Provide a notice of what is being collected and for what purpose it is being collected at or before the time of collection.

For Visitors:

  • Provide a notice of what is being collected, for what purpose it is being collected, and to whom the information may be disclosed or “sold” at or before the time of collection.
  • Provide notice of the visitors’ rights to access, delete, and opt-out of the “sale” of personal information and be prepared to comply with the visitors’ requests to exercise these rights. 

For Everyone:

  • Take measures to protect the information collected against unauthorized access or use, including through retaining the information for as short a time as necessary or deidentifying or aggregating the information.

The California Fair Employee and Housing Act (“FEHA”) and the Federal Americans with Disabilities Act (“ADA”) would normally prohibit the use of “medical examinations” in the employment context unless they are job related and consistent with business necessities. The collection of temperature information as well as answers to the health screening questions could be considered a “medical examination” for the purposes of these laws. However, both the Federal Equal Employment Opportunity Commission (“EEOC”) and the Center for Disease Control (“CDC”) have provided guidance that the collection and use of this information is acceptable for the limited purpose of evaluating the risk that an employee may pose to others if they had the virus. This comports with an employer’s legal obligation to provide a safe workplace.

The California Consumer Privacy Act of 2018 (“CCPA”) is a broad, generally applicable privacy law in California that applies to the collection and use of personal information from all California residents. It defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This definition undoubtedly includes the type of information businesses seek to collect and process as part of their reopening plans. For businesses that are subject to the CCPA (i.e. more than $25M in revenue, process the personal data of more than 50K California consumers, or earn more than 50% of their annual revenue from the “sale” of personal information), the CCPA imposes obligations on how they collect and use this information. The obligations under the CCPA require that covered businesses be transparent with consumers by providing them a privacy notice at or before the time the business collects the personal information as well as providing consumers the right to access their personal information, delete their personal information, and opt-out of the “sale” of their personal information. However, unlike the European GDPR that the CCPA is modeled after, the CCPA does not require consent to collect temperature and screening information. While the CCPA is not enforceable until July 1, 2020 (and the California State AG has indicated that he will not delay enforcement, even in light of the COVID-19 pandemic), the AG can bring enforcement retroactively for violations dating back to January 1, 2020, the effective date of the CCPA.

Employee Information

The CCPA has a temporary, partial exemption for personal information collected about job applicants, employees, owners, directors, officers, medical staff members, and contractors when that information is used in the context of that individual’s role within the business. This limited exemption eliminates California employees’ rights to access, delete, and opt-out of the “sale” of their personal information. However, the CCPA still requires employers to be transparent with their employees regarding its collection and use of personal information through a (limited) privacy notice and still provides a private right of action for an employee in the event of a data breach arising out of the employer’s failure to adequately protect the employee’s personal information. 

The collection of temperature checks and answers to questions regarding the employee’s recent health and potential COVID-19 exposure likely fits into this exemption as long as the business limits its use to evaluating the risk that an employee who may be infected with the virus could potentially infect other employees or customers of the business. Therefore, businesses must provide the employee with a privacy notice at or before the time of collection that discloses what information will be collected and the purposes for which that information will be used. Businesses should ensure that this privacy notice also properly discloses any other personal information the business may collect or use as part of its COVID-19 reopening measures that were not previously disclosed to employees in its employee privacy notice, including any mandatory use of “contact tracing” applications or through any other sensors deployed at its facilities. Businesses may also wish to address other employee concerns related to the employees’ disclosure of sensitive personal information to the business when they return to the workplace, such as the retention and disposal of the sensitive personal information collected. 

Businesses should also be aware that the temporary exemption for employee information expires on January 1, 2021. Unless the deadline is extended before it expires, after January 1, 2020 this information will be subject to the same requirements of the CCPA as information collected from visitors as discussed below. 

Visitor Information

Unlike employee information, temperature and visitor information is not subject to an exemption and a business must fully comply with the requirements of the CCPA with respect to this information. This includes providing a broad privacy notice that discloses, amongst other things, the information collected, the purpose of the collection, and notification regarding to whom the information may be disclosed or “sold” (which may include regulators and other public health organizations). The business is also required to provide information in the privacy notice regarding the visitors’ rights to access, delete, and opt-out of the sale of their information and should be prepared to comply (with certain exceptions) with visitors’ requests to exercise those rights if it retains any of the collected information in an identifiable form.

Both employees and visitors must be provided with a privacy notice at or before the time of collection, although the form of this notice may vary depending on the methods used to collect the information. For example, the notice can be provided onscreen at the time of collection if the business uses a “screening” station where the employee or visitor operates a device that takes the individual’s temperature and collects his or her answers to the screening questions. Alternatively, prominent signage at the entrance to the business’s facility may be appropriate if the business deploys thermographic cameras to measure the temperature of everyone who enters the facility without direct interaction with the employee or visitor.

Protecting Information from Unauthorized Collection and Use

Businesses should also adopt measures designed to protect the personal information collected, whether from employees or visitors, against accidental disclosure or misuse. Businesses should consider the time in which this information is of value to the business and adopt appropriate policies and procedures to minimize its risk. These policies and procedures include:

  • Promptly removing actual temperature readings after measurement and survey answers after collection if no longer needed. A business can consider storing “pass” or “no pass” if any record keeping is required, but promptly destroying the information after collection can help the business minimize its risks.   
  • Anonymizing information collected so that the information collected can no longer be associated with any particular individual. 
  • Disabling sound, indicator lights, and other secondary indicators that could indicate to other nearby people that a particular employee may be ill. 
  • If an individual’s temperature or screening answers indicate a potential health risk with the individual remaining on the premises, remove the individual from the work facility as discreetly as possible to minimize disclosure of the individual’s condition to others who may be nearby. If an announcement to the individual’s contacts must be made, the business should ensure that this is done in a manner that does not identify the individual to the extent possible.

For more information about a business’s privacy obligations when screening employees and visitors to your facility, please contact your Foley relationship partner. More information about a business’s obligations under the CCPA is available in Foley’s CCPA and GDPR guidebook.
