As cities and states gradually open up, companies have begun to assess under what circumstances they can re-open the workplace – and in particular, what health-related personal information can and should be collected. When it comes to monitoring employees, generally speaking, privacy and employment law are increasingly overlapping as more stringent laws are adopted, and COVID-19 has brought this overlap to the forefront. Our employment team at Hopkins & Carley has provided a number of resources and webinars on the employment-related issues of COVID-19 and what can and cannot be done (available here). Here we will focus on the intertwined privacy implications of allowing individuals – employees and non-employees – back into offices and facilities, particularly with respect to the California Consumer Privacy Act (CCPA).
What are the CCPA’s notice requirements?
The CCPA has been in effect since January 1, 2020, and applies to many businesses across all industries, from tech companies to traditional brick and mortar retailers. To find out if your business is subject to CCPA, please see our prior post available here. Businesses that are subject to the CCPA have certain notice-related obligations to fulfill where they collect and retain certain health-related information. If a covered business measures the temperatures of employees, or otherwise assesses health-related symptoms prior to entry into a facility or office, and collects and retains this information, it must provide notice at the time of collection. These practices will no doubt also apply to visitors and guests who enter the premises. In each case, a notice of collection must be provided. However, depending on whether the individual is an employee or a visitor, this notice (and the related rights) will differ.
- Employees. In 2019, the CCPA, still in the legislative process, was amended on several fronts. In particular, Amendment AB25 provided some limitations on employee-related information by carving out from certain obligations under the CCPA any information collected “about a natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of [a covered] business” but only to the extent that the covered business’ collection and use of the information is solely within the employment context. What does this mean? A business’ compliance obligations with respect to employment-related information are limited because employees and job applicants may not exercise their rights to know, to request deletion and to opt-out out of sales. However, the business must still provide notice of collection of the different categories of information collected in the employment context. Importantly, this exemption has a one-year moratorium, meaning that unless the exemption is extended or the CCPA is further amended, beginning January 1, 2021, employees and job applicants will be able to exercise their rights to know, to request deletion and to opt-out of sales under CCPA.
- Visitors. For visitors, this employee specific moratorium does not apply, and any visitor whose information is collected will be able to exercise his/her rights under CCPA. This means that the notice to be provided at the time of collection must, in addition to disclosing what is collected and why, explain how the visitor may exercise his/her right to know and deletion (opt-out presumably will not apply unless a company is actually selling the information it collects, and one would hope that this scenario never unfolds).
In practice, we recommend that a covered business provide a notice at or prior to collection – one for visitors and one for personnel. Note that if the information is collected but not retained or otherwise stored (e.g., the temperature is taken but not recorded), no notice is required. We recommend providing the notice at the entrance of each facility or office, as well as obtaining a signature from the employee or visitor acknowledging receipt and ensuring that a copy is provided to each individual. This will be helpful to comply with documentation requirements in the event of an audit. Whomever administers the collection of information should also be trained on CCPA as required, and if any service providers have access to the information, even if they are not engaged to actively use the data, care must also be taken to ensure that the relevant service provider agreements are in place. Lastly, businesses must consider how long this information should be retained. If there is no legitimate need to retain the information once the pandemic is behind us, the information should be securely deleted.
What security measures should businesses consider?
Leaving aside notice obligations (and rights), it’s also important to remember that health information is considered sensitive information under virtually all data protection laws. What this means in the United States (at least) is that an organization that collects and stores this type of identifiable data must ensure that it has commensurate security measures in place. While many states do not have overarching privacy laws like the CCPA, all have “security incident” rules that trigger data breach notifications to regulators and/or affected individuals where the unauthorized access or loss concerns certain types of personal information, including health information. Moreover, certain laws like the CCPA or the NY SHIELD Act specifically require preventative measures be taken by organizations that collect and process this type of information. Notably, the CCPA provides for limited consumer actions where a data breach affects health information. Since the CCPA’s effective date, we have seen an uptick in class action lawsuits under this limited right of action. Most of these do not include an unauthorized access to the types of information that are singled out by CCPA, but this increase is a clear indicator that class action litigators have the CCPA on their radars. NY’s SHIELD Act does not carry a private right of action, but fines are sure to be steep where companies are found not to have implemented proper security measures. In sum, the more sensitive the information, the greater the exposure. All companies should take steps to ensure that their security measures reasonably protect the personal information that they collect. But where health information is collected and retained, the risks increase and what may appear as reasonable security measures for the collection of a name and IP addresses, for instance, may not suffice. The risk is all the greater for companies subject to CCPA.
When it comes to any personal information, compliance with the various laws that may apply requires a comprehensive review of outward-facing and internal policies, both as to transparency and security. Ensuring that notices are provided at the time of collection, maintaining adequate security measures and evaluating data retention procedures are some of the key components of protecting data. This also requires businesses to monitor service providers that may have access to personal information. When it comes to sensitive health information, these steps are all the more important in order to ensure that individuals understand what is being collected and why it is collected, who may have access to it, and of course that the data is properly secured.