As the COVID-19 pandemic continues to spread across the globe, in an effort to reduce the risk of transmission of the illness, many companies are administering mandatory temperature screenings to all employees and visitors prior to permitting entrance to their facilities. On April 9, 2020, the US Equal Employment Opportunity Commission ("EEOC") issued updated guidance titled " What You Should Know About COVID-19 and the ADA, the Rehabilitation Act, and Other EEO Laws." In this updated guidance, the EEOC advised employers that they may implement employee temperature screenings in response to the COVID-19 pandemic without violating the Americans with Disabilities Act's ("ADA") "because the CDC and state/local health authorities have acknowledged community spread of COVID-19 and issued attendant precautions." The EEOC further explained that employers may maintain a log of the results of temperature screenings and may store such medical information in an employee's existing medical files, provided that it is stored separately from the employee's personnel file, thus limiting access to this confidential medical information, as required by the ADA.

However, businesses that administer temperature tests and who are subject to the California Consumer Privacy Act ("CCPA"), should also consider whether their screening practices trigger the CCPA's notice requirements. The CCPA, which took effect on January 1, 2020, protects the "personal information" of California residents. Despite recent requests from business organizations to delay enforcement of the CCPA until the emergency situation caused by the COVID-19 pandemic passes, the California Attorney General has declined to do so and has indicated that it is committed to begin enforcement of the CCPA on July 1, 2020.

Under the CCPA, a subject business1 that collects a California resident's "personal information" must inform that individual "at or before the point of collection" the categories of personal information being collected and the purposes for which the information will be used. The CCPA defines personal information as "information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household." It includes "biometric information", as well as "[a]udio, electronic, visual, thermal, olfactory, or similar information." Data that is collected regarding a consumer's body temperature thus likely qualifies as "personal information" subject to the CCPA if it is recorded in a manner that enables the body temperature information to be linked with or reasonably associated with a particular California resident.

While the passage of Assembly Bill 25 confirmed that job applicants and employees (and owners, directors, officers, medical staff members, or contractors) of a business will be (temporarily) excluded from most of the CCPA's protections, two obligations remain: (1) businesses must provide employees and job applicants notice of the categories of personal information collected by the business, including for each category the uses of the personal information, at or before the point of collection; and (2) businesses must maintain reasonable safeguards over employee/job applicant personal information (or else be vulnerable to a private right of action based on data breach. Further, the exemption only applies to personal information collected by a business about the job applicant, employee, owner, director, officer, medical staff member, or contractor to the extent the personal information is collected and used by the business solely within the context of the natural person's role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business.

Thus, if a company maintains a record of the name and temperature reading of each visitor or employee, the collection of that data will likely be subject to the CCPA. Moreover, such information may not fall within the scope of the "employee exception" created by AB 25 as it arguably is not being collected solely within the context of the individual's role as an employee. Collecting this information may subject businesses to the whole host of CCPA obligations, including, among others, providing appropriate notice, responding to California resident requests to know, opt-out of sale and delete the information (assuming the business meets the other threshold requirements). On the other hand, if the temperature reading is discarded without being recorded or stored, or if it recorded on a de-identified or aggregated basis, then it would not trigger the CCPA. Businesses should thus be cognizant of these distinctions in deciding whether and how to record the results of temperature screenings.

Footnotes

1 The CCPA applies to for-profit businesses that collect the personal information of California residents and meet at least one of the following thresholds: (1) have annual gross revenue of $25 million or more; (2) annually buy, receive, or share the personal information of 50,000 or more consumers for commercial purposes; or (3) derive 50 percent or more of their annual revenue from selling the personal information of California residents. Note that covered entities and business associates governed by the Health Insurance Portability and Accountability Act and providers of health care governed by Confidentiality of Medical Information Act are exempt from the CCPA, to the extent the provider or covered entity maintains the collected personal information in the same manner as medical information or protected health information.

Originally published 22 April, 2020

Visit us at mayerbrown.com

Mayer Brown is a global legal services provider comprising legal practices that are separate entities (the "Mayer Brown Practices"). The Mayer Brown Practices are: Mayer Brown LLP and Mayer Brown Europe – Brussels LLP, both limited liability partnerships established in Illinois USA; Mayer Brown International LLP, a limited liability partnership incorporated in England and Wales (authorized and regulated by the Solicitors Regulation Authority and registered in England and Wales number OC 303359); Mayer Brown, a SELAS established in France; Mayer Brown JSM, a Hong Kong partnership and its associated entities in Asia; and Tauil & Chequer Advogados, a Brazilian law partnership with which Mayer Brown is associated. "Mayer Brown" and the Mayer Brown logo are the trademarks of the Mayer Brown Practices in their respective jurisdictions.

© Copyright 2020. The Mayer Brown Practices. All rights reserved.

This Mayer Brown article provides information and comments on legal issues and developments of interest. The foregoing is not a comprehensive treatment of the subject matter covered and is not intended to provide legal advice. Readers should seek specific legal advice before taking any action with respect to the matters discussed herein.