Businesses are developing and implementing new safety protocols as they prepare to reopen and enter the next phase of the COVID-19 era. When they do so, businesses must keep employees’ privacy at the top of their mind. This is particularly true for businesses that have employees in California and are subject to the California Consumer Privacy Act (CCPA).
Temperature Data and the "Employee Exception"
If your business is subject to the CCPA, any health-related information you collect about employees—including their temperature—will be personal information protected by the statute. While the CCPA provides an exemption from some obligations related to employees, job applicants, contractors, and certain staff, it does not exempt a business from providing privacy disclosures as required by Section 1798.100.
Therefore, CCPA-covered businesses must provide employees the following information in a privacy notice (which should be easy to read and readily available) at or before the time the business collects their temperatures or distributes health questionnaires:
- Categories of personal information collected.
- Categories of sources of personal information.
- Business or commercial purpose for collecting or selling personal information.
- Categories of third parties with whom the business shares personal information.
It is important to understand the limitations of this "employee exception." It applies only if the business collects and uses employees’ personal information “within the context” of their roles.
Thus, businesses intending to check temperatures should ensure that neither they, nor any service providers acting on their behalf, intend to use the information for a secondary purpose unrelated to employees’ job functions. If a business were to use temperatures for secondary purposes, that use would fall outside the employee exception and the business would be required to, for example, enable employees to access, delete, or opt out of the sale of that data.
Furthermore, the exemption is time-limited, expiring on January 1, 2021, which means that unless the California legislature takes action before then, businesses will have additional responsibilities with respect to temperature data they collect (and retain) about their employees beginning on that date.
Recently, the Californians for Consumer Privacy—the organization behind the original ballot initiative that led to the CCPA in 2018—announced that it had sufficient signatures to certify the California Privacy Rights Act (CPRA) for California’s November 2020 ballot. Among other things, this draft ballot initiative would extend the CCPA’s employee exemption until January 1, 2023.
At the time of this writing, it is not clear whether the CPRA will become law, so it would be prudent to assume that the full set of CCPA obligations will apply (e.g., access, deletion, and opt-out of sale rights) to employee data starting next January. California businesses should also be aware that California might be incentivized to pass legislation that separately regulates use and disclosure of employees’ personal information to overcome the sunset provisions in the CCPA and CPRA.
Other Important CCPA-Related Considerations
There is a common misconception that the CCPA requires consent to collect temperature data. The CCPA requires a business to obtain consent from a consumer in two limited circumstances:
- If the business intends to sell personal information collected from children under 16; or
- Offers a financial incentive in exchange for personal information.
Neither of those circumstances is likely to apply in the course of recording employee temperatures.
Please be aware, however, that other laws might require employers to obtain consent to collect temperature information because, for example, temperature-taking could be considered a medical examination. And even if applicable law does not require a business to obtain consent, it may be prudent to do so. Obtaining consent is a best practice because it ensures that the employee accepted the business’s data collection and use practices – it thus can reduce legal risk should a dispute occur.
Finally, if a business intends to use a vendor to take employees’ temperatures or collect their health information, the employer should consider whether to put a “service provider” agreement in place.
As a service provider, the vendor would not be able to use the information it collects for any secondary purposes. This would reduce the risk that the vendor could use or disclose the employees’ personal information in unexpected ways.
Even though its applicability is limited with respect to employees, the CCPA is still an important consideration for covered businesses, and, because California law is fluid in this area, businesses should follow CCPA and CPRA updates vigilantly to ensure they understand evolving obligations and applicable deadlines. Employers should also be conscious that privacy laws could move quickly to provide more protections for employee data. For example, groups of Republican and Democratic U.S. Senators are drafting legislation that would regulate information collected to monitor the spread of and protect against COVID-19.
The facts, laws, and regulations regarding COVID-19 are developing rapidly. Since the date of publication, there may be new or additional information not referenced in this advisory. Please consult with your legal counsel for guidance.
DWT will continue to provide up-to-date insights and virtual events regarding COVID-19 concerns. Our most recent insights, as well as information about recorded and upcoming virtual events, are available at www.dwt.com/COVID-19.
This article was originally featured as a privacy and security advisory on DWT.com on May 13, 2020. Our editors have chosen to feature this article here for its coinciding subject matter.