Insights
Publications

Reopening Businesses Must Consider Employee and Consumer Privacy

June 3, 2020 Articles
Wine Business Monthly

While we’re far from returning to the “normal” that predated the COVID-19 pandemic, states have begun to relax lockdown requirements and some previously “nonessential” businesses are returning to operations. Along with these openings, governmental entities, trade organizations, and others are wisely recommending protocols to reduce the risk of a spike in COVID-19 cases. Such protocols include customer and employee wellness screenings, contact tracing, and questionnaires about compliance with public health orders.

Although these protocols are designed to ensure the health and well-being of employees, customers, and others physically visiting the businesses, businesses collecting data from employees and customers must consider the privacy implications of doing so. This includes compliance with myriad state and federal laws and regulations.

Employee Privacy Considerations

As a result of the COVID-19 pandemic, employers are permitted to make various medical inquiries that were previously impermissible. To assess whether an employee can safely enter the workplace, employers may take the employee’s temperature, ask if they are experiencing COVID-19 symptoms, require the employee to undergo a COVID-19 test, or require the employee to provide medical certification of fitness to return to work. However, consistent with the Health Information Portability and Accountability Act (HIPAA) and the Americans with Disabilities Act (ADA), employers must maintain this information as a confidential medical record separate from the employee’s personnel file, with precautions taken to protect the information.

Although guidance from the U.S. Equal Employment Opportunity Commission (EEOC) expressly permits employers to require COVID-19 testing, the EEOC cautions that the tests must be “accurate and reliable” and such testing must be “job related and consistent with business necessity.” Employers should avoid requiring antibody testing, which could be deemed an unlawful medical history inquiry rather than an assessment of an employee’s present fitness to enter the workplace.

Some employers have begun mandating employees’ use of contact tracing applications. Other employers are administering employee surveys to gauge compliance with public health orders and to assess the risk that an employee has been exposed to COVID-19. Employers must also maintain any information collected through such applications or surveys as a confidential medical record in accordance with the guidelines above. Moreover, employers should narrowly tailor such inquiries for the purpose of assessing risk, and avoid infringing on third parties’ privacy rights (by, for example, asking about family members’ medical conditions or activities).

Finally, employers that are covered by California’s Consumer Privacy Act (CCPA) should review and, if necessary, update their employee privacy policies to ensure that all COVID-19-related inquiries and data uses are disclosed in compliance with the CCPA.

Consumer Privacy Considerations

A common feature of reopening guidelines and plans is wellness screenings of customers. Indeed, various federal agencies (such as the Centers for Disease Control) and state, county, and city governments have issued guidance encouraging consumer wellness screens, including pre-entry symptom questionnaires and on-site and/or home temperature checks.

In connection with contact tracing, businesses are likely to collect email addresses or phone numbers. To the extent a company collects such information and ties it to an individual’s identity, this personal information would be protected under various privacy laws and thus would require companies to take specific actions to properly handle and protect such information. While the health and safety of employees and the public at large is of course of preeminent importance, the privacy requirements relating to the collection and use of personal data should not be taken lightly.

There is no shortage of laws that could be implicated by the collection of customer wellness or contact tracing data. Aspects of the federal Health Insurance Portability and Accountability Act (HIPAA), California’s Consumer Privacy Act, Illinois’ Biometric Privacy Act and various other health and privacy-related laws address the collection and use of such data. Additionally, competing bills in the United States Senate—namely the Republican-introduced COVID-19 Consumer Data Protection Act and the Democrats’ Public Health Emergency Privacy Act—directly address the protection and use of data collected during and in efforts to address the current pandemic. To be sure, both federal and state law will play a key role in how such data is collected, used, and protected.

Guidance for Businesses

No matter the jurisdiction, businesses must exercise caution in collecting and using employee or customer data in their efforts to prevent or limit further spreading of COVID-19 when reopening for business. The legal landscape, forward-facing and internal policies, and contractual relationships all require thoughtful examination sooner rather than later.

First, it will be necessary to determine exactly which laws apply to your business. As noted above, there are various federal and state laws that could apply depending on the nature of information collected and the jurisdiction. Under most of these laws, notice will likely be required before collecting any personal information from an individual. As such, businesses must work now to prepare appropriate disclosure documents detailing the information to be collected, how that information will be used, and with whom it will be shared. While actual consent is not usually required to collect personal data under current privacy laws in the United States, getting such consent for data collection and use should be considered.

Businesses must also create and implement internal policies and controls that limit the sharing of data arising from wellness screenings. To the extent such data includes COVID-19 status (i.e., recording whether an individual has tested positive for the disease), anonymizing and aggregating data will provide the best privacy protection and better insulate the company against potential privacy law violations.

To the extent personal data from such screenings is shared with third parties such as vendors, businesses must ensure that recipients have appropriate confidentiality and privacy controls in place to safeguard downstream protection.

Balancing Act

Data privacy considerations will necessarily have to be balanced against ensuring the safety of employees, customers, and other business visitors in connection with the reopening of businesses as lockdown restrictions are lifted. With advanced planning, companies can give appropriate weight to the competing sides of the scale.

Firm Highlights

Publication

Enforcement of CPRA Regulations Delayed

Shortly before the California Privacy Right Act (CPRA) modifications to the California Consumer Privacy Act (CCPA) were set to become enforceable on July 1, 2023, a Sacramento Superior Court judge issued a ruling on...

Read More
Publication

California Appeals Court Empowers Privacy Agency to Immediately Enforce CCPA Regulations

In  California Privacy Protection Agency et al. v. The Superior Court of Sacramento County  (case number C099130), the Third Appellate District of the California Court of Appeal returned authority to the California Privacy Protection...

Read More
Publication

BIPA Liability: Existing CGL Coverage May Provide a Lifeline for Policyholders

Developments in the law have increased the potential liability that companies could face under the Illinois Biometric Information Privacy Act (BIPA), but fortunately for policyholders, Illinois case law has also solidified coverage for BIPA...

Read More
Publication

Nonprofits’ Use of Artificial Intelligence Systems: Intellectual Property and Data Privacy Concerns

In today's rapidly changing technological landscape, artificial intelligence (AI) is making headlines and being discussed constantly. To be sure, AI provides a powerful tool to nonprofits in creating content and exploiting for countless cost-effective...

Read More
Publication

California Proposes New AI & Automated Decision-Making Technology Regulations

The California Privacy Protection Agency (CPPA) released its draft  regulatory framework for automated decision-making technology (ADMT) on November 27. These regulations are a preview of what new requirements may look like for companies currently...

Read More
Publication

Major Decision Affects Law of Scraping and Online Data Collection, Meta Platforms v. Bright Data

On January 23, 2024, the court in Meta Platforms Inc. v. Bright Data Ltd. , Case No. 3:23-cv-00077-EMC (N.D. Cal.), issued a summary judgment ruling with potentially wide-ranging ramifications for the law of scraping and...

Read More
News

Scraping Battles: Meta Loses Legal Effort to Halt Harvesting of Personal Profiles

Alex Reese spoke to Matt Fleischer-Black of  Cybersecurity Law Report about the Meta v. Bright Data decision and its impact on U.S. scraping case law. Read the article here (paywall or trial).

Read More
Publication

It Wasn’t Me, It Was the AI: Intellectual Property and Data Privacy Concerns With Nonprofits’ Use of Artificial Intelligence Systems

In today's rapidly changing technological landscape, artificial intelligence (AI) is making headlines and being discussed constantly. To be sure, AI provides a powerful tool to nonprofits in creating content and exploiting for countless cost-effective...

Read More
Publication

California AI Proposal Rethinks Consumer Scope and Recordkeeping

The California Privacy Protection Agency will revisit its  draft  regulations for automated decision-making technology on March 8, including use of artificial intelligence to process personal information. Comment periods should be coming soon in 2024...

Read More
Publication

Thomson Reuters v. Ross Intelligence: AI Copyright Law and Fair Use on Trial

On Sept. 25, 2023, Judge Stephanos Bibas (sitting by designation in the District of Delaware), determined that fact questions surrounding issues of fair use and tortious interference required a jury to decide media conglomerate...

Read More