As clients confront reopening businesses and managing the risk of coronavirus exposure along with litigation risk, they may find themselves collecting more personal information from both employees and customers. Additionally, contact tracing apps and protocols are emerging to help with coronavirus containment. These developments are likely causing your clients to worry about the type of information they can collect, requirements for how they maintain that information, and whether they can or should provide that information to others.
Existing laws around data protection and data privacy may or may not apply to these questions. For example, the federal Health Insurance Portability and Accountability Act (HIPAA) applies to health plans, health care clearinghouses, and providers that conduct certain health care transactions electronically, as well as their business associates, as those terms are defined in HIPAA. Put another way, in general, an employer that does not meet the definition for covered entity or business associate is not subject to HIPAA. Consequently, it is unlikely that an employer collecting temperature data directly from employees to monitor for possible coronavirus exposure is subject to HIPAA. Similarly, most existing state data security laws, including those that include biometric information in their definition of personal identifying information, are geared toward protection of data to minimize risk of identity theft, meaning that a temperature reading alone likely does not trigger obligations to maintain reasonable security measures or breach protocols around storing that data.
That said, collecting and using someone’s location data could implicate privacy laws, such as the California Consumer Privacy Act, which encompasses geolocation data in its definition of “personal information.” Similarly, use of contact tracing protocols and devices could give rise to questions about whether employers are using that data for other purposes, and, if they are, about ensuring that app or device providers are adequately protecting the data being collected. Employers also have to navigate privacy and Americans with Disabilities Act implications when disclosing a potential coronavirus exposure to their employees. Finally, both the Federal Trade Commission and state attorneys general are able to use unfair and deceptive acts and practices laws to address data collection and use practices that they deem to be potentially harmful to consumers.
Consequently, questions around the legality of data collection, maintenance and use are going to depend largely on the jurisdiction in which clients operate as well as the type of data being collected and shared. Contact the attorneys below for specific questions related to data protection and privacy obligations during the pandemic.