The California Consumer Privacy Act (CCPA), the first comprehensive consumer privacy law enacted by a U.S. state, took effect on January 1, 2020, with Attorney General enforcement beginning July 1, 2020, giving affected companies a six-month grace period. While this grace period was unrelated to COVID-19, most companies now face the double impact of re-opening businesses or integrating into a “new normal” while also ensuring they comply with the law.
California Attorney General (AG) Xavier Becerra has noted explicitly that, despite COVID-19, “…our office is committed to enforcing the law, starting July 1”. The AG’s office has made it clear to businesses that they should not expect extra time to make sense of, or comply with, the new law in light of the COVID-19 pandemic. As a result, companies must not delay their implementation of CCPA compliance programs any further.
CCPA through the first half of 2020
Under CCPA, consumers have the right to request that businesses:
- Do not sell their personal information (the right to opt out of sale).
- Delete personal information already collected, subject to the statutory exceptions.
- Disclose what personal information they have collected, used, shared or sold, and for what purposes (the right to know).
Even before the COVID-19 pandemic, organizations and businesses around the world were braced for the consequences of CCPA. Despite the widespread uncertainty about how to comply and how the law should be read, private class-action lawsuits invoking the CCPA had already been filed in February, each raising thought-provoking legal questions about the new law.
But the world now is much different from what it was in February 2020. A post-COVID-19 world brings with it new realities, risks and issues around compliance with the CCPA. Privacy teams and business operations must work with legal counsel to ensure that operations and operating documents are aligned with the legal strategies of the business. Some of the effects are obvious. For example, Zoom video conferences became ubiquitous as remote work became the norm in March. By mid-March, the public learned that Zoom’s app was allegedly sending user data to Facebook without obtaining user consent. Though Zoom released an updated version of the app within a week, a class-action lawsuit was filed in California on March 31.
Other issues are not as obvious. For example, as consumers return to retail outlets, bars, restaurants and sporting events, businesses may increasingly need to screen patrons (as well as employees) and collect health data about them. We must now consider the privacy implications of data points such as body temperature, prior test results (including antibody results) and individual whereabouts (from personal movement tracking based on cell phone data or contact tracing apps).
Re-opening business during the COVID-19 pandemic: How to consider privacy
As businesses physically re-open to the public, they need to address two equally important considerations: They have a responsibility for the health and safety of their patrons, first and foremost, but they must also ensure the privacy of the data they collect, either on-premises or through potential contact tracing information.
While employee data was, at the time, largely exempt from the CCPA’s consumer-rights provisions (apart from the notice-at-collection requirement), very similar considerations apply to businesses re-opening their offices after months of shelter-in-place orders, with regard to the health and safety of their employees as well as the confidentiality of employee health records and other sensitive data.
Below are some recommendations to assist companies in maintaining an appropriate balance:
Questioning individuals: Many companies, especially those in the hospitality, events and retail industries, ask their patrons health- and travel-related questions. We recommend limiting such questions to those that support the best practices and guidance published by the Centers for Disease Control and Prevention (CDC). Questions about travel and health should not be open ended; instead, offer a fixed set of generic answers or yes/no responses. For instance, it is not necessary to ask for detailed travel itineraries. The major privacy risk is that an individual’s health information is not kept confidential and that unauthorized personnel gain access to it, which could expose the business to lawsuits. By constraining the possible answers, a business collects only the information it needs to make an informed decision about its operations.
Checking individuals’ temperature: Taking the temperature of prospective patrons before they enter a place of business is not explicitly addressed by the CCPA. The main concern arises if information collected for a health-screening purpose is later used for marketing or another purpose without the individual’s express consent for that use. The simplest safeguard is never to repurpose screening data in this way. Aside from the CCPA, taking the temperature of employees or visitors entering the workplace is permitted under the Americans with Disabilities Act (ADA), per EEOC pandemic guidance, for the limited purpose of assessing the risk an individual poses to others in the workplace. Temperature checks should be conducted in a nondiscriminatory manner by an individual with appropriate training, or by a medical professional if possible. In addition, businesses should avoid retaining temperature readings at all, which minimizes both privacy risk and compliance burden.
Turning away individuals: If an individual has a high temperature or shows other COVID-19-related symptoms, a business may send the individual away from its property. Currently, the symptoms reported by the CDC include fever, cough and shortness of breath. While the privacy of the individual must still be respected, others who came into direct contact with the affected individual should be notified, without disclosing the affected person’s identity where that is avoidable. Privacy concerns related to the removal of individuals who appear to exhibit COVID-19 symptoms should be handled by trained and authorized staff with all the due care and confidentiality expected in a medical situation.
In summary, when re-opening a business to the public or an office to employees in an environment of widespread health concern, CCPA should not be an afterthought. Businesses will have to meet CCPA requirements, and collecting health information can bring other laws into play as well. Note that HIPAA applies only to covered entities (such as health plans and providers) and their business associates, so most businesses screening patrons or employees will not be HIPAA-regulated; however, state medical-privacy laws (in California, the Confidentiality of Medical Information Act) and employment laws may still govern how that data is handled.
Remember the following good practices for privacy:
Customer and employee notices: Businesses must provide clear notice when collecting COVID-19-related information. Not only should businesses review and consider their consumer and employee-facing privacy policies to ensure adequacy, but they should also provide a separate health-specific notice at the time of collection.
Consent: It is best practice to obtain some form of consent or acknowledgment covering the travel, health and COVID-19-related questions asked of individuals and how the answers will be used. Individuals should be given, and should acknowledge, an opportunity to decline.
Confidentiality and data retention practices: Stakeholders should review the business’ data retention policy and take this opportunity to address practices for information collected for emergency health situations, like the COVID-19 pandemic. Businesses should ensure that these practices follow state and federal health record retention guidelines.
CCPA is here to stay, and it is providing a blueprint for other states and the federal government. It is wide-reaching legislation with severe potential consequences for those who run afoul of it: the Attorney General may seek civil penalties of up to $2,500 per violation, or $7,500 per intentional violation, and consumers affected by certain data breaches may seek statutory damages of $100 to $750 per consumer per incident. It is therefore important for organizations that do business with California residents to comply with CCPA. CCPA enforcement will not be suspended due to COVID-19, so due care must be taken to avoid fines and penalties. Businesses should not relax their efforts to obtain or maintain compliance, and they should enhance their existing privacy programs to account for new activities and data collection procedures.
COVID-19 has impacted the global economy and the operations of many businesses. Those changes that impact privacy cannot be ignored, as privacy laws remain present and growing in importance and reach. Now is the time to ensure compliance.
If you are struggling with where to start, need assistance implementing your program, or would like to ensure your program meets the requirements of the law, call CFGI for an introductory discussion today.