New privacy challenges await California businesses as they begin to develop plans to reopen after more than two months of lockdown due to the COVID-19 pandemic. Most businesses are required to fill out a county-specific safe reopening plan, which describes the measures that the business will take to protect the health of both employees and guests of the business. These measures often include, to varying degrees, temperature checks upon entrance and attestations to screening questions regarding the current and/or recent health history. In fact, many restaurants and retail establishments are either required to, or have stated that they voluntarily will, collect temperature information from all their employees on a daily basis. Businesses should be cognizant that the collection and use of such information may be subject to various privacy laws in California and may need to adjust their reopening policies and procedures to ensure compliance.
What is required under the CCPA?
The California Consumer Privacy Act of 2018 (“CCPA”) is a broad, generally applicable privacy law in California that applies to the collection and use of personal information from all California residents. It defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This definition undoubtedly includes the type of information businesses seek to collect and process as part of their reopening plans. For businesses that are subject to the CCPA (i.e. more than $25M in revenue, process the personal data of more than 50K California consumers, or earn more than 50% of their annual revenue from the “sale” of personal information), the CCPA imposes obligations on how they collect and use this information. The obligations under the CCPA require that covered businesses be transparent with consumers by providing them a privacy notice at or before the time the business collects the personal information as well as providing consumers the right to access their personal information, delete their personal information, and opt out of the “sale” of their personal information. However, unlike the European GDPR that the CCPA is modeled after, the CCPA does not require consent to collect temperature and screening information. While the CCPA is not enforceable until July 1, 2020 (and the California State AG has indicated that he will not delay enforcement, even in light of the COVID-19 pandemic), the AG can bring enforcement retroactively for violations dating back to January 1, 2020, the effective date of the CCPA.
The CCPA has a temporary, partial exemption for personal information collected about job applicants, employees, owners, directors, officers, medical staff members, and contractors when that information is used in the context of that individual’s role within the business. This limited exemption eliminates California employees’ rights to access, delete, and opt out of the “sale” of their personal information. However, the CCPA still requires employers to be transparent with their employees regarding their collection and use of personal information through a (limited) privacy notice and still provides a private right of action for an employee in the event of a data breach arising out of the employer’s failure to adequately protect the employee’s personal information.
The collection of temperature checks and answers to questions regarding the employee’s recent health and potential COVID-19 exposure likely fits into this exemption as long as the business limits its use to evaluating the risk that an employee who may be infected with the virus could potentially infect other employees or customers of the business. Therefore, businesses must provide the employee with a privacy notice at or before the time of collection that discloses what information will be collected and the purposes for which that information will be used. Businesses should ensure that this privacy notice also properly discloses any other personal information the business may collect or use as part of its COVID-19 reopening measures that was not previously disclosed to employees in its employee privacy notice, including through any mandatory use of “contact tracing” applications or any other sensors deployed at its facilities. Businesses may also wish to address other employee concerns related to the employees’ disclosure of sensitive personal information to the business when they return to the workplace, such as the retention and disposal of the sensitive personal information collected.
Businesses should also be aware that the temporary exemption for employee information expires on January 1, 2021. Unless the deadline is extended before it expires, after January 1, 2020 this information will be subject to the same requirements of the CCPA as information collected from visitors as discussed below.
Unlike employee information, temperature and visitor information is not subject to an exemption and a business must fully comply with the requirements of the CCPA with respect to this information. This includes providing a broad privacy notice that discloses, amongst other things, the information collected, the purpose of the collection, and notification regarding to whom the information may be disclosed or “sold” (which may include regulators and other public health organizations). The business is also required to provide information in the privacy notice regarding the visitors’ rights to access, delete, and opt out of the sale of their information and should be prepared to comply (with certain exceptions) with visitors’ requests to exercise those rights if it retains any of the collected information in an identifiable form.
Both employees and visitors must be provided with a privacy notice at or before the time of collection, although the form of this notice may vary depending on the methods used to collect the information. For example, the notice can be provided onscreen at the time of collection if the business uses a “screening” station where the employee or visitor operates a device that takes the individual’s temperature and collects his or her answers to the screening questions. Alternatively, prominent signage at the entrance to the business’s facility may be appropriate if the business deploys thermographic cameras to measure the temperature of everyone who enters the facility without direct interaction with the employee or visitor.
Businesses should also adopt measures designed to protect the personal information collected, whether from employees or visitors, against accidental disclosure or misuse. Businesses should consider the time in which this information is of value to the business and adopt appropriate policies and procedures to minimize its risk. These policies and procedures include:
For more information about a business’s privacy obligations when screening employees and visitors to its facility, please contact your Foley relationship partner. More information about a business’s obligations under the CCPA is available in Foley’s CCPA and GDPR guidebook.