COVID-19: Privacy Practices and CCPA Enforcement During a Pandemic
In the true spirit of Arent Fox, we are working to be Smart in Your World as many of us are doing the best we can to stay safe in our own communities (i.e., social distancing). With this in mind, we want to provide an update and guidance on some of the privacy concerns that are facing us today surrounding COVID-19 and CCPA.
COVID-19: Privacy Still Matters
In an effort to manage and address COVID-19 quickly, many companies have begun sending out notices and questionnaires to employees and are looking to gather more information on travel history, symptoms, and potentially more detailed contact tracing. More than ever, COVID-19 shows that data and information gathering present advantages and even life-saving help. But data protection laws, regulations, and guidelines still apply, as do the Americans with Disabilities Act and employment law. So, what can be done?
Facility protection and employment concerns:
- Question format. We recommend restricting health and travel-related questions to align with guidance provided by the Center for Disease Control. Where asking questions tied to travel and health, questions should end with a statement such as “do any of the above apply to you, YES or NO” as opposed to asking for detailed responses to individualized questions.
- Taking temperatures. Taking temperatures of those entering facilities is allowed under the ADA, for the limited purpose of evaluating an individual’s risk to others in the workplace. Testing should be conducted in a nondiscriminatory manner by an individual with medical training, or by a medical professional where possible.
- Sending employees home. If an employee has a high temperature or shows other COVID-19 related symptoms, employers may send these employees home. Currently, the symptoms reported by the Center for Disease Control include fever, cough, and shortness of breath.
Remember good privacy practices:
- Notice. Companies should provide clear notice when collecting COVID-19 related information. Not only should companies review and consider their consumer and employee-facing privacy policies to ensure adequacy, they should also provide a separate notice at the time of collection. This separate notice should disclose why the information is being collected, what the company will do with the information, how long it will be retained, when information may be shared with a third party (such as a government agency), and who employees can contact with any questions.
- Obtain consent. It is best practice to obtain some form of consent or acknowledgment of the questions and how the information will be used. Individuals should also be given, and acknowledge, an opportunity to decline.
- Remember confidentiality and data retention practices. Review the company’s data retention policy and take this opportunity to address data retention practices for information collected due to emergency health situations, like the COVID-19 pandemic. Ensure that data collected to address COVID-19 is not retained for longer than necessary. Data should only be shared with those who need to access it. In the case that a company needs to inform other employees or customers about potential exposure from an individual who has tested positive, only share the information necessary for employees and customers to assess their own potential exposure and medical needs. For example, to the extent possible, refrain from using names and other information that identifies the particular individual who has tested positive.
CCPA: July 1 is still July 1
In the midst of COVID-19, many wondered if the Attorney General’s enforcement deadline for the California Consumer Privacy Act (“CCPA”) would be pushed back. In short: no. The Office of the Attorney General has indicated that it will not extend either the deadline for companies to comply with CCPA or the enforcement deadline. That means that, in the midst of the pandemic, companies must still prepare. To do this, we suggest:
- Ensuring that privacy policies adequately provide information about data use, data subject rights, and provide necessary contact methods, such as toll-free numbers. This includes reviewing the company’s public-facing privacy policy, as well as internal privacy policies for employees, to ensure that data collection, use, and sharing with third parties is adequately disclosed.
- Reviewing vendor contracts to ensure that service providers are contractually restricted from using data outside of providing service to you.
- Finalizing any tweaks to data subject processing procedures. Companies should have procedures in place to process data subject requests, including requests to know, requests to delete, and requests to opt out of sales.
- Training employees. All individuals responsible for handling inquiries about privacy practices or the company’s compliance with CCPA must receive training. These individuals should be informed of the CCPA requirements and know how to direct data subjects to exercise their CCPA rights.