Managing COVID-19 Privacy Issues—A Checklist for Mitigating Legal Risk
March 31, 2020
The COVID‑19 pandemic is challenging businesses and their advisors in unprecedented ways. To protect their employees, workplaces, customers, and operations, companies must take dramatic new steps, which may include testing and collection of information about the medical condition of employees and customers, sharing of information with public health authorities, responding to government requests for information, and implementing procedures for social distancing and telecommuting or working remotely.
These changes raise unique issues regarding the application of existing privacy laws and policies. Some governmental regulators are issuing guidance to help companies balance the need for public health and workplace safety with individual privacy rights, while others make clear that they do not see the pandemic as lowering the need for complete adherence to privacy laws. The following is a checklist of issues, resources for companies to consider, and steps companies can take to mitigate legal risks and ensure compliance with privacy regulations.
General Privacy Considerations
- To the extent your business is considering whether to collect or examine information from individuals (employees, customers, or others) regarding COVID-19 risks, first examine your existing privacy policies to evaluate how they treat the collection of information relating to a person’s medical condition. Determine the scope of what those policies permit and how information is to be handled in light of those policies. Companies may need to amend or supplement policies to cover information relating to pandemics or COVID-19.
- Evaluate the key privacy laws that apply to your company and any particular requirements or limitations on the collection and use of information. We highlight certain specific privacy laws below, but a thorough review is required. The following briefly discusses key issues that are likely to apply to many companies:
- Most privacy laws, including the California Consumer Privacy Act (CCPA) that took effect on January 1, 2020, require that a business provide individuals notice of the information being collected, the purpose of collecting that information, and to whom it is disclosed.[1] Other statutes require companies to comply with their stated, published policies. Companies need to evaluate existing notices and policies to determine if they provide adequate notice, and if not, develop practical ways of complying with applicable notice requirements. Companies need to be careful to update their notices, practices, and procedures as they adjust to the COVID-19 crisis. A failure to provide notice, or use of personal information in a manner that does not comply with the notices given, can give rise to class action claims. A class action was filed today in the Northern District of California against the video conferencing app Zoom, which has become widely used since the crisis began, alleging violations of the CCPA, California’s Unfair Competition Law, and the California Legal Remedies Act.[2]
- Consider data minimization principles and structure any requests for information such that only information essential to the public health and safety is being collected—other information should be optional.
- Consider the application of data subject rights under applicable data privacy laws. For example, both the CCPA, which applies to California consumers, and the EU’s General Data Protection Regulation (GDPR) provide individuals the right to request access to personal information.
- Consider how to structure the manner and format of preventative measures, such as workplace screenings if permitted at all, to reduce undue risk to individual privacy and comply with applicable privacy requirements. For example, a company may not want to force screenings or temperature readings in public places if there are other practical ways to get the same information. In addition, particular rules that apply to employees are discussed below.
- Consider whether certain exemptions might apply to existing privacy law requirements and how they might cover information collection and disclosures. For example, many privacy policies allow disclosure to “protect” persons or property and, therefore, might permit limited disclosures to protect other persons. In addition, privacy laws may provide exceptions for certain disclosures that could apply in the context of the COVID-19 pandemic. For example, the CCPA does not prevent a company from making disclosures of information that are required by law or in response to a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities.[3]
- Where required by applicable law, ensure there is a legitimate basis and need for the information being collected, particularly if you are operating in the European Union (EU). The GDPR requires a lawful basis for collecting personal information, and companies operating in the EU need to balance the need for public and workplace safety against individual data protection rights.[4] This includes consulting the guidance issued by particular data protection authorities regarding the handling of personal information in light of this crisis.
- Develop policies and procedures for disclosure of any COVID-19 information. This is important because an unauthorized disclosure of personal information could trigger security breach notification requirements or potential claims under applicable privacy laws; at the same time, disclosures are often necessary to protect the health of others and the safe operation of the business. For example, if a particular employee has tested positive for the virus, it may be necessary to disclose certain information to other employees who may have been exposed and limit the infected employee’s access to the workplace. In general, the disclosure should not identify any specific individual without that individual’s consent or a recognized legal basis for disclosure.
- Develop procedures for responding to governmental requests for information. Public health agencies worldwide are requesting information from private companies to assist with containing or mitigating the spread of the virus. For example, governmental agencies may seek information about a person’s recent interactions to conduct contact tracing of an infected person. Although public health agencies, generally, have broad information-gathering authorities, companies need to evaluate whether these laws overcome privacy laws (such as CCPA) that restrict disclosures of personal or other sensitive information. Companies may need to consider how to mitigate these legal risks before responding, particularly where more detailed information is requested. One approach is to see if information can be provided in an aggregate or de-identified form to avoid privacy law restrictions.
- Ensure that any COVID-19 information pertaining to individuals is maintained in a safe and secure environment, and limit access to those who need to know. Information relating to a person’s medical condition is, generally, deemed to be information deserving of a higher level of security because there is a risk of harm to the individual due to improper use or disclosure.
Considerations in the Workplace
Employers confront additional regulatory requirements, including the application of Title I of the Americans with Disabilities Act (ADA) and similar state laws, before requiring tests or making inquiries into an employee’s medical condition. The ADA imposes relevant restrictions, including limiting when employers may make inquiries or conduct “medical examinations” of employees and protecting confidential medical information obtained in connection with any such inquiry or examination. The US Equal Employment Opportunity Commission (EEOC) and California Department of Fair Employment and Housing (DFEH) have provided the following guidance regarding COVID-19:
- Employers may send home employees with COVID-19 or symptoms associated with it (i.e., fever, chills, cough, shortness of breath, or sore throat).
- Employers may ask employees who report feeling ill at work, or who call in sick, questions about their symptoms to determine if they have or may have COVID-19.
- Employers may not make disability-related inquiries or require medical examinations of employees except under limited circumstances. One circumstance in which these actions are permissible is when employees pose a “direct threat” to themselves or others in the workplace.
- The EEOC and DFEH have concluded that because the US Centers for Disease Control and Prevention (CDC) and state/local health authorities have acknowledged community spread of COVID-19 and issued attendant precautions as of March 2020, employers may measure employees’ body temperature even though doing so is considered a medical examination.
- The EEOC has also suggested that employers may make disability-related inquiries of asymptomatic employees to identify those at higher risk of COVID-19 complications.
Nonetheless, measuring employees’ body temperatures and making decisions based on employees’ high-risk status involve complicated legal issues, such as whether employees pose a “direct threat” to themselves or others. Guidance from the EEOC and California’s DFEH—though informative and persuasive authorities—is not binding on courts. Companies should seek legal advice before moving forward with these types of actions.
As with all medical information, the fact that an employee has a fever, other symptoms, or a preexisting condition is subject to ADA confidentiality requirements. This type of information must be collected and maintained on separate forms in separate medical files and be treated as a confidential medical record.
In connection with travel during the COVID-19 pandemic, employers may follow the advice of the CDC and state/local public health authorities regarding information needed to permit an employee’s return to the workplace after visiting a specified location, whether for business or personal reasons.
Different rules may apply outside the United States. Companies should review the rules in each jurisdiction in which they have operations to determine what procedures they should follow with employees in that jurisdiction.[5]
[1] Section 1798.100(b) of the CCPA provides that a “business that collects a consumer’s personal information shall, at or before the point of collection, inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. A business shall not collect additional categories of personal information or use personal information collected for additional purposes without providing the consumer with notice consistent with this section.”
[2] See Cullen v. Zoom Video Communications Inc., case number 5:20-cv-02155, in the US District Court for the Northern District of California.
[3] See, e.g., Cal. Civ. Code §§ 1798.145(a)(1) and (2).
[4] See Statement by the European Data Protection Board Chair on the processing of personal data in the context of the COVID-19 outbreak (March 16, 2020) (“Data protection rules (such as GDPR) do not hinder measures taken in the fight against the coronavirus pandemic. However, I would like to underline that, even in these exceptional times, the data controller must ensure the protection of the personal data of the data subjects. Therefore, a number of considerations should be taken into account to guarantee the lawful processing of personal data.”).
[5] See, e.g., French CNIL Directive dated March 6, 2020. Under the French data protection agency directive, employers should not conduct mandatory readings of the body temperature of each employee or mandatory questionnaires on symptoms, but can educate and invite their employees to self-check and provide means for reporting symptoms. Employees must inform their employer of any suspected contact with the virus. If an employee reports an illness, an employer may record the date and identity of the person and the organizational measures taken (confinement, teleworking, and contact with a doctor). In addition, health authorities may collect health data, including exposure to COVID-19.
This memorandum is a summary for general information and discussion only and may be considered an advertisement for certain purposes. It is not a full analysis of the matters presented, may not be relied upon as legal advice, and does not purport to represent the views of our clients or the Firm. Randall W. Edwards, an O’Melveny partner licensed to practice law in California, Adam P. KohSweeney, an O’Melveny partner licensed to practice law in California and New York, and Scott W. Pink, an O’Melveny partner licensed to practice law in California, contributed to the content of this newsletter. The views expressed in this newsletter are the views of the authors except as otherwise noted.
© 2020 O’Melveny & Myers LLP. All Rights Reserved. Portions of this communication may contain attorney advertising. Prior results do not guarantee a similar outcome. Please direct all inquiries regarding New York’s Rules of Professional Conduct to O’Melveny & Myers LLP, Times Square Tower, 7 Times Square, New York, NY, 10036, T: +1 212 326 2000.