As the COVID-19 pandemic continues to spread across the globe, in an effort to reduce the risk of transmission of the illness, many companies are administering mandatory temperature screenings to all employees and visitors prior to permitting entrance to their facilities. On April 9, 2020, the US Equal Employment Opportunity Commission (“EEOC”) issued updated guidance titled “What You Should Know About COVID-19 and the ADA, the Rehabilitation Act, and Other EEO Laws.” In this updated guidance, the EEOC advised employers that they may implement employee temperature screenings in response to the COVID-19 pandemic without violating the Americans with Disabilities Act’s (“ADA”) “because the CDC and state/local health authorities have acknowledged community spread of COVID-19 and issued attendant precautions.” The EEOC further explained that employers may maintain a log of the results of temperature screenings and may store such medical information in an employee’s existing medical files, provided that it is stored separately from the employee’s personnel file, thus limiting access to this confidential medical information, as required by the ADA.
However, businesses that administer temperature tests and who are subject to the California Consumer Privacy Act (“CCPA”), should also consider whether their screening practices trigger the CCPA’s notice requirements. The CCPA, which took effect on January 1, 2020, protects the “personal information” of California residents. Despite recent requests from business organizations to delay enforcement of the CCPA until the emergency situation caused by the COVID-19 pandemic passes, the California Attorney General has declined to do so and has indicated that it is committed to begin enforcement of the CCPA on July 1, 2020.
Under the CCPA, a subject business that collects a California resident’s “personal information” must inform that individual “at or before the point of collection” the categories of personal information being collected and the purposes for which the information will be used. The CCPA defines personal information as “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” It includes “biometric information”, as well as “[a]udio, electronic, visual, thermal, olfactory, or similar information.” Data that is collected regarding a consumer’s body temperature thus likely qualifies as “personal information” subject to the CCPA if it is recorded in a manner that enables the body temperature information to be linked with or reasonably associated with a particular California resident.
While the passage of Assembly Bill 25 confirmed that job applicants and employees (and owners, directors, officers, medical staff members, or contractors) of a business will be (temporarily) excluded from most of the CCPA’s protections, two obligations remain: (1) businesses must provide employees and job applicants notice of the categories of personal information collected by the business, including for each category the uses of the personal information, at or before the point of collection; and (2) businesses must maintain reasonable safeguards over employee/job applicant personal information (or else be vulnerable to a private right of action based on data breach. Further, the exemption only applies to personal information collected by a business about the job applicant, employee, owner, director, officer, medical staff member, or contractor to the extent the personal information is collected and used by the business solely within the context of the natural person’s role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business.
Thus, if a company maintains a record of the name and temperature reading of each visitor or employee, the collection of that data will likely be subject to the CCPA. Moreover, such information may not fall within the scope of the “employee exception” created by AB 25 as it arguably is not being collected solely within the context of the individual’s role as an employee. Collecting this information may subject businesses to the whole host of CCPA obligations, including, among others, providing appropriate notice, responding to California resident requests to know, opt-out of sale and delete the information (assuming the business meets the other threshold requirements). On the other hand, if the temperature reading is discarded without being recorded or stored, or if it recorded on a de-identified or aggregated basis, then it would not trigger the CCPA. Businesses should thus be cognizant of these distinctions in deciding whether and how to record the results of temperature screenings.
 The CCPA applies to for-profit businesses that collect the personal information of California residents and meet at least one of the following thresholds: (1) have annual gross revenue of $25 million or more; (2) annually buy, receive, or share the personal information of 50,000 or more consumers for commercial purposes; or (3) derive 50 percent or more of their annual revenue from selling the personal information of California residents. Note that covered entities and business associates governed by the Health Insurance Portability and Accountability Act and providers of health care governed by Confidentiality of Medical Information Act are exempt from the CCPA, to the extent the provider or covered entity maintains the collected personal information in the same manner as medical information or protected health information.
If you wish to receive periodic updates on this or other topics related to the pandemic, you can be added to our COVID-19 “Special Interest” mailing list by subscribing here. For any other legal questions related to this pandemic, please contact the Firm’s COVID-19 Core Response Team at FW-SIG-COVID-19-Core-Response-Team@mayerbrown.com.
The post Temperature Screenings May Trigger the California Consumer Privacy Act’s Notice Requirements appeared first on COVID-19 Response Blog.