CCPA & COVID-19: A Practical Guide to Addressing Privacy and Data Security Implications of the Coronavirus
COVID-19 arrives just as the first omnibus privacy statute in the United States, the CCPA became effective. Since its January 1 effective date, we continue to wait for finalization of the CCPA regulations and enforcement that was slated for July 1. In a pandemic environment, companies, employers, and public institutions are grappling, outside the HIPAA context, with unique privacy, data security, and cybersecurity implications of their responses to the coronavirus. From a compliance perspective, businesses are considering under what circumstances they can disclose consumer or employee health conditions or geolocation information in the service of greater public health. Other companies —and governmental institutions at every level—are confronting the very real, and often opportunistic threats to data security posed by aggressive thieves who use crises as cover to commit an assortment of cybercrimes. Privacy and security requirements vary by jurisdiction, so businesses should be mindful of potentially divergent and overlapping approaches and responsibilities as the situation continues to evolve. We offer a few updates and practical tips for best practices to promote compliance with privacy and data security requirements. Guidance for Collecting and Sharing Health Information for Businesses That Are Not "Covered Entities" Under HIPAA As they respond to the coronavirus, companies need to address the legal implications of collecting and/or sharing health information regarding their employees and customers outside the HIPAA context. Employers are dealing with how to disclose an employee's coronavirus diagnosis to their workforce and public health authorities. Restaurants are considering whether they can assess customers presenting coronavirus symptoms before letting them into their establishments. Delayed supply chains require businesses to increase their communications with customers from remote operations. In the United States, the California Consumer Privacy Act (CCPA) governs the collection, disclosure, and sale of personal information--including health information such as medical symptoms and diagnoses. Best practices under the CCPA center on notice and security. Unlike the EU, the CCPA does not require a legal basis to process information. Under the CCPA, consent is required in limited circumstances (e.g. parental consent for children's data, adult opt-in, and authorized agents). The CCPA currently provides a qualified employer exemption. See Cal. Civ. Code §1798.145(h). However, employers are still subject to notice (1798.100(b)) and data security (1798.150)) requirements. Employers may reasonably use personal medical and health information to make internal decisions regarding remote work plans and business contingencies. However, the employer exemption applies to personal information of a job applicant or employee solely within the context of their employment. Disclosing personal information, including medical or health information, of employees, outside the employment context, is subject to notice and opt-out requirements. See 1798.100(b). Employers and companies should do the following before collecting or sharing health information:
- Update personnel and consumer-facing privacy policies to capture the category of personal information collected and the purposes for the same. If a company is considering collecting health information, including temperatures, symptoms, or diagnoses, it should ensure that employees and customers have notice at the time of collection. Likewise, if a company is considering sharing such information with its workforce, customers, or public health authorities, it should list those disclosures as a potential purpose in its policies. See 1798.100(b); 11 C.C.R. § 999.308(c).
- Consider offering an opt-in for collection and disclosure of sensitive medical information. Medical information, including medical history, treatment, and diagnosis, is considered presumptively sensitive under California law, increasing the compliance responsibilities of anyone collecting that data. See 999.323(b)(3)(a); 1798.81.5(d)(1)(A)(iv). Companies may offer individuals the opportunity to opt-in to the disclosure of such information. See 999.316.
- Do not disclose the identity of an employee with a coronavirus diagnosis. Employers should treat their employees' medical information with strict confidentiality. In accordance with the CDC's Interim Guidance for Business and Employers and the Americans with Disabilities Act (ADA), an employer should not disclose the identity of an employee or a coronavirus diagnosis unless disclosure to safety and first aid personnel is required for emergency treatment. See 42 U.S.C. §§12112(d)(3)(B), (4)(C).
- Update their privacy policies to give notice of collection of geolocation data and how it will be used. Ensure that all privacy policies which apply to the consumer/employee adequately disclose that the company will collect geolocation data and the purposes of the collection (to maintain a safe and healthy workplace; to share with public health authorities, to share with data aggregators, etc.). Giving adequate notice prevents the collection and/or disclosure of geolocation data from being considered "deceptive" by the Federal Trade Commission ("FTC"), and comports with the CCPA's requirement to provide notice of the purposes for collection of "personal information," which includes geolocation data. See 999.308(c).
- Obtain opt-in consent with a "just in time" notice to consumers. If employees are using company property, opt-in consent is not usually required for collection of geolocation data, so long as adequate advanced notice of collection and the purposes for collection have been provided. With respect to consumers, however, the collection of geolocation data is subject to additional requirements. Pursuant to FTC guidelines, companies are required to provide a "just in time" notice and obtain opt-in consent prior to collecting geolocation data of consumers, even if location is inferred from a wi-fi network. The most recent draft of the CCPA regulations also requires "just-in-time" notice prior to collecting location data, which should contain a link to the full notice in the company's privacy policy (999.305(a)(4)). The regulations give as an example the use of a pop-up window that contains the required notice when the consumer opens the application.
Immediately prior to the initial collection of or transmission of geolocation information, on a separate screen from any final "end user license agreement," "privacy policy," "terms of use page" or similar document, the following should be disclosed clearly and prominently:
-
- The application collects, transmits, or allows the transmission of geolocation information;
- How geolocation information may be used;
- Why the application is accessing geolocation information; and
- The identities or specific categories of third parties that receive geolocation information directly or indirectly from the application (i.e. the information may be shared with public health authorities)
The "just-in-time" notice should allow the user to affirmatively consent to the collection of geolocation data, such as with a check box, and should link to the full notice in the company's privacy policy in accordance with CCPA regulations.
- Only collect or infer geolocation information after confirming that:
- the consumer provided affirmative express consent;
- the consumer has not expressed that they do not consent to or revoked consent to collection; and
- the consumer has not expressed that the consent to collection of location information is limited to a level of accuracy that is less precise than the location information that is to be collected or inferred.
- Identify where sensitive data is stored and any technical controls regarding information security. Sensitive information (e.g. SSNs, credit card info) may be especially at risk to a data breach. If a company does not know where its sensitive information is stored, consider scheduling a meeting with the information security team soon.
- Ensure that contact information for all employees to verify identity is updated and that the business has access to such information. Updating employee contact information will ease the shift to remote operations and be essential for an emergency response.
- Consult the business's risk assessment (e.g. NIST or ISO) and identify any mitigation measures for high-risk processing. Companies should reacquaint necessary employees with their data assessment to ensure it is up-to-date regarding potential vulnerabilities and response plans.
- Review the business's remediation plan. Companies should ensure there is a way to reliably reach all essential personnel in the event of a data breach. Reduced staff may create additional vulnerabilities, so companies should verify that they have the necessary monitoring staff and technical controls for a remote work response to critical incidents.
- Update all internal and consumer facing privacy policies to provide notice of the types of data collected and purposes for which it will be used.
- Provide an opt-in mechanism for sensitive data such as medical data and geolocation data.
- Evaluate data processing activities in the EU and comply with applicable DPA and local Member State guidelines for processing data, especially location data.
- Collect and use data only in accordance with the notice given in your privacy policy and respect data minimization and proportionality principles.
- Secure the business's systems and its data against cyber threats with technical controls, risk assessments, and a remediation plan.
Print and share
Authors
Explore more in
Perkins on Privacy
Perkins on Privacy keeps you informed about the latest developments in privacy and data security law. Our insights are provided by Perkins Coie's Privacy & Security practice, recognized by Chambers as a leading firm in the field.