Financial Services

Fintech

Publications

Reopening Plans and Recommended Protocols Beg New Privacy Issues

May 20, 2020 Blog

While far from getting us back to any kind of normal that predated the COVID-19 pandemic, states have begun to relax lockdown requirements and some previously closed “nonessential” businesses are returning to operations. With such openings, governmental entities, trade organizations, and others are wisely recommending protocols, including using wellness screenings, in an effort to lower the risk that such reopenings result in a reversal of trends that have flattened the infection curve. While such protocols focus on ensuring the health and wellbeing of employees, customers, and others physically visiting the businesses and are necessary in any consideration of reopening, businesses implementing new data collection from their employees and customers need to consider the privacy implications of doing so.

Reopening and Personal Information

A common feature of reopening guidelines and plans is wellness screenings of employees and customers. Indeed, various federal agencies (e.g., the EEOC and the Centers for Disease Controls) and state, county, and city governments have issued or have long had guidance that encourage wellness screens of various levels including pre-entry symptom questionnaires and on-site and/or home temperature checks. In connection with contact tracing, restaurants are likely to collect emails and/or phone numbers. To the extent the company collects such information and ties it to an individual’s identity, this personal information would be protected under various privacy laws and thus would require companies to take specific actions to properly handle and protect such information. While the health and safety of employees and the public at large is of course of preeminent importance, the privacy requirements relating to the collection and use of personal data should not be taken lightly.

Laws Implicated

In addition to employment, health and safety, and various other laws that will apply to reopening businesses, there is no shortage of laws that could be implicated by the collection of wellness data. Aspects of the federal Health Insurance Portability and Accountability Act (HIPAA), California’s Consumer Privacy Act, Illinois’ Biometric Privacy Act and various other health and privacy-related laws address the collection and use of such data. Additionally, competing bills in the United States Senate—namely the Republican-introduced COVID-19 Consumer Data Protection Act and the Democrats’ Public Health Emergency Privacy Act—directly address the protection and use of data collected during and in efforts to address the current pandemic. To be sure, both federal and state law will play a key role in how such data is collected, used, and protected.

Addressing Privacy Requirements

No matter what the governing law, it is clear businesses will need to be very careful in collecting and using employee and customer data collected in connection with the companies’ efforts to prevent or at least limit further spreading of COVID-19 when reopening for business. The legal landscape, forward-facing and internal policies, and contractual relationships all require thoughtful examination sooner rather than later.

First, it will be necessary to determine exactly which laws apply to your business. As noted above, there are various federal and state laws that could apply depending on the nature of information collected and the jurisdiction covering such collection. No matter what laws apply, though, notice will likely be required before collecting any personal information from an individual. As such, businesses must work now to prepare appropriate disclosure documents detailing the information to be collected, how that information will be used, and with whom it will be shared. While actual consent is not usually required to collect personal data under current privacy laws in the United States, getting such consent for data collection and use should be considered.

Businesses must also create and implement internal policies and controls that limit the sharing of data arising from wellness screenings. To the extent such data includes COVID-19 status (i.e., recording whether an individual has tested positive for the disease), anonymizing and aggregating data will provide the best privacy protection and better insulate the company against potential privacy law violations.

To the extent personal data from such screenings is shared with third parties such as vendors, businesses must ensure that recipients have appropriate confidentiality and privacy controls in place to safeguard downstream protection.

Balancing Act

Data privacy considerations will necessarily have to be balanced against ensuring the safety of employees, customers, and other business visitors in connection with the reopening of businesses as lockdown restrictions are lifted. With advanced planning, companies can give appropriate weight to the competing sides of the scale.

Firm Highlights

Publication

Nonprofit Quick Tip: State Filings in North Carolina and South Carolina

Welcome to  EO Radio Show - Your Nonprofit Legal Resource . Episode 75 is the tenth in a series of Quick Tip episodes focusing on the details of state registration of nonprofit corporations. With...

Read More
Publication

Employment Law Update for Nonprofits With Holly Sutton

Welcome to  EO Radio Show - Your Nonprofit Legal Resource . Charities, foundations, and their founders often request help addressing employment practices and compliance questions. In this episode, host Cynthia Rowland is joined by Holly...

Read More
Publication

Insurance Market Crushes Wineries and Wine Country Homeowners

We keep hearing about how difficult it is for winery and vineyard owners to get property insurance these days, both for their homes and their wine businesses in California’s wildfire-prone areas. Those who have...

Read More
News

Scraping Battles: Meta Loses Legal Effort to Halt Harvesting of Personal Profiles

Alex Reese spoke to Matt Fleischer-Black of  Cybersecurity Law Report about the Meta v. Bright Data decision and its impact on U.S. scraping case law. Read the article here (paywall or trial).

Read More
News

North Coast Industry Insiders Weigh In on Why California Cannabis Tax Revenue Slipped in 2023

Jeff Hamilton spoke to Susan Wood with the North Bay Business Journal for the article "North Coast Industry Insiders Weigh In on Why California Cannabis Tax Revenue Slipped in 2023." Read the article with Jeff's...

Read More
Publication

Corporate Transparency Act: State of the Law and Beneficial Ownership Reporting Requirements

Key Points: Despite ongoing legal challenges, the Corporate Transparency Act (CTA) generally remains in effect and enforceable. Clients should continue to abide by its regulations. Initial reports for entities formed in 2024 are due within...

Read More
News

JPMorgan Chase Accuses TransUnion of Stealing 'Trade Secrets'

Intellectual property practice chair Eugene Mar provided expert commentary to American Banker for the article "JPMorgan Chase Accuses TransUnion of Stealing 'Trade Secrets'." In the article, he said: "By filing this as a trade...

Read More
Publication

Corporate Transparency Act: A Guide on Beneficial Ownership for Nonprofit Executives

The Corporate Transparency Act, enacted as part of the National Defense Authorization Act for Fiscal Year 2021, represents a significant shift in regulatory requirements for entities across the United States. This act, set to...

Read More
News

Farella Announces 2024 Leadership Council on Legal Diversity Pathfinders: Taylor Rottjakob and John Ugai

Farella Braun + Martel is proud to announce that senior associates  Taylor E. Rottjakob and John M. Ugai have been named 2024 Leadership Council on Legal Diversity (LCLD) Pathfinders. Pathfinders have been identified as...

Read More
News

Farella Braun + Martel Earns San Francisco Green Business Recertification

Read More