Companies planning to conduct pandemic-related temperature checks for California employees and visitors to their premises should consider their compliance obligations under the California Consumer Privacy Act (“the CCPA”). If the CCPA applies, companies should review existing CCPA employee and contractor/visitor notices, or consider providing an additional notice before engaging in temperature screening resulting in the collection of personal information. In this context, “personal information” includes recording an individual’s name and temperature, or recording any health or other symptoms along with the name. Any additional CCPA notice should be specific to the method chosen. As a result, if a business implements a third-party solution, a mobile solution, an electronic questionnaire, or other means of health screening in California where any personal information is collected or stored, the business needs to disclose this fact to its employees (and to visitors or contractors) at or before the point that the screening that results in the collection of personal and health data takes place.
The CCPA became effective on January 1, 2020, and its enforcement is set to begin on July 1, 2020. As we previously discussed in our blog post and in this video, the CCPA applies to businesses if one of more of the following is true relating to any California business activities: the business obtains the personal information of at least 50,000 consumers, households, or devices per year (which on average, is equivalent to about 135 separate interactions with California residents per day over a year); and the business generates gross revenues in excess of $25 million per year globally; or the business derives 50% or more of its annual revenues from “selling” consumers’ personal information. Stated in simple terms, all California employers should ensure compliance with the CCPA if they plan to screen employees or visitors for elevated temperatures or similar health-related screenings. The business should supply the individual subject to that screening with a CCPA-compliant privacy notice at the time of the screening and prior to collecting any health or personal data. Moreover, if a business has a COVID-19-related visitor policy, contact tracing policy, or health screening policy, then additional CCPA disclosures may be warranted if any steps are being taken beyond merely checking someone’s temperature, without recordation.
Businesses should not deem themselves CCPA-compliant merely because they provided comprehensive privacy notices to their employees and contractors earlier this year. Many pre-pandemic notices provided back in January do not cover contact tracing, COVID-19 health screenings, and on-site temperature checks. In sum, these health-related checks may expand data collection and additional notices should be considered.
Because the content of the CCPA notice that COVID-19 may necessitate will likely vary from business to business (depending on what is actually being collected and how), a one-size-fits-all policy can pose compliance issues. Our Mintz privacy team is available to help evaluate whether the CCPA applies to your business and what any applicable CCPA policy should include. But businesses should not assume that the pre-pandemic notices provided to employees and contractors as of January 1 will automatically suffice.