COVID-19 and the CCPA: The Privacy Implications of Temperature Checks
While the CCPA has been in effect for several months now, the COVID-19 pandemic has forced businesses to grapple with the law in a new light. In earlier posts, we provided a general overview of the new law and detailed the new consumer rights that it establishes. Companies are now looking for ways to keep their employees and customers safe. One way to help achieve this goal is to take the temperature of employees and customers. While temperature checks might not be able to effectively screen everyone who has COVID-19 (such as those who are asymptomatic or presymptomatic) the checks are one tool in the arsenal against the virus.
However, depending on how it is executed, temperature screenings can implicate the CCPA. If a business’ screening protocol allows data to be traced back to the individual customer or employee, the business should understand what its obligations are under the CCPA. This is especially true in light of the fact that many of the newly-emerging and heavily-marketed screening products offer not just temperature measurement, but also facial recognition technology.
Businesses and Customers
Businesses are trying to determine how to best continue their operations during the COVID-19 pandemic. Screening the temperatures of consumers before they enter the premises of a business is one of the most straightforward methods for reducing the possible spread of the virus. Depending on the business’ approach and whether the temperature records are retained, it may or may not have to address the requirements of the CCPA. For example, if a restaurant scans its patrons’ temperatures as they enter the building and does not retain a list of the temperatures, this should not implicate the CCPA. However, the restaurant may wish to keep a record of the temperatures for any variety of reasons, for example, to be able to prove its efforts in reducing risk of COVID-19 exposure for its patrons. If the restaurant keeps a record of temperatures alone, with no identifying information for the patrons whose temperatures were taken, the risk of implicating the CCPA would be lessened. No matter how a business approaches temperature screening, it should consult with an attorney before implementing any practice to ensure that it is in compliance with all applicable laws.
Employers and Employees
When an employer measures its employees’ body temperatures, a whole host of other laws are implicated compared to the business-customer relationship. To start, measuring an employee’s body temperature is usually not something an employer is allowed to do. However, the California Department of Fair Employment and Housing has stated that employers may do so for the time being in light of COVID-19:
“Generally, measuring an employee’s body temperature is a medical examination that may only be performed under limited circumstances. However, based on current CDC and local public health information and guidance, employers may measure employees’ body temperature for the limited purpose of evaluating the risk that employee’s presence poses to others in the workplace as a result of the COVID-19 pandemic.”
In addition, other issues arise if an employee’s temperature reading suggests a fever. Is the employee sent home with pay or without? Do other employees need to be notified that their coworker may have exposed them to the virus? What if an employee refuses to have his or her temperature taken? These questions are beyond the scope of this article, but employers must be mindful of the host of issues that can arise under these circumstances and consult an attorney to ensure compliance.
The CCPA’s “Employee Exception”
From the CCPA perspective, employers do enjoy some relief at the moment. Employees fall into the definition of “consumer” under the CCPA. But the CCPA contains a so-called “employee exception” that gives employers until January 1, 2021, to comply with most provisions of the Act as they pertain to employees. Specifically, personal information an employer collects about its employees and uses “within the context” of their roles as employees in the workplace is not subject to the CCPA’s requirements about requests for disclosure and deletion. Nevertheless, employers must still provide employees with notice of the information collection at or before the point of collection. Employers should be sure to make any temperature-scanning practice well-known to employees before implementation. Employers should also make every effort to ensure that the practice is as discreet as possible.
Required Notice of Information Collection
If a business retains records of individual temperatures that can be connected to the particular consumer, then the CCPA’s requirements are activated. Covered businesses must provide a notice of collection of personal information to both consumers and employees. This notice must explain the reason for the collection—e.g., reducing the risk of exposure to COVID-19 and to protect employees and customers—as well as the categories of personal information that are being collected—e.g., body temperature, symptoms connected to COVID-19 like sore throat and shortness of breath, recent travel to highly impacted areas, and recent contact with persons diagnosed with the virus. If the business only collects some but not all of these categories, it need only provide notice regarding those categories it does collect.
Facial Scanning Temperature Devices
Many businesses are considering implementing the use of devices that scan customer and employees’ faces and temperatures to conduct COVID-19 safe practices. This technology has the benefit of a virtually seamless process, since customers and employees do not have to line up in order to have their temperatures taken one at a time. It also helps reduce overall exposure, as it does not necessitate that someone be physically present to administer the temperature test to each person. However, this technology has inherent privacy implications. A facial scan falls squarely within the CCPA’s definition of “personal information,” and customers and employees may have qualms about businesses maintaining their facial scans, even if the scans are only used for this limited purpose. Additionally, if a business opts to use this technology, the notice it provides must specify that facial scans are one of the categories of information that are being collected.
Service Providers Conducting Temperature Scans
Businesses must also consider who will be taking the temperature scans. If a business plans to hire an outside vendor for the job, then it may be prudent to establish a service-provider agreement with the vendor to ensure that the vendor does not use the information it collects for any secondary purpose. This helps insulate the business from any liability down the line by reducing the risk that the vendor uses or otherwise discloses the personal information it collects.
The CCPA is multi-faceted, and it can add several wrinkles to the COVID-19 plans of any covered business. You should consult an attorney to make sure your safety plans are in compliance with all applicable laws.