Businesses who are subject to the California Consumer Privacy Act (CCPA) and are now screening employees for COVID-19, including taking temperatures as employees enter the property, need to be aware of the requirements that the CCPA places on employers regarding employee privacy.

Taking temperatures, even to prevent the spread of coronavirus, falls into the same category of collecting personal information as any other health information. As such, it requires a privacy notice given to employees before or at the time of screening. Such notice must conform to California code section 1798.100, and include the following information:

  • The categories of personal data being collected include name, date of collection, and type of information;
  • Sources of personal information;
  • Business or commercial purpose for the selection of the information;
  • Third parties with whom the information will or may be shared.

This notice must be easily read, readily available, and located at or near the information collection site.

Other Considerations

A business that is not retaining this information, but is only checking temperatures at the door, does not need to worry about such privacy notices; and customers, contractors, and applicants are not covered by this requirement. Also, this requirement only applies if the business is collecting information for "secondary purposes unrelated to job functions" and intends to pass the data to a third party for sale or scientific reasons.

In that case, the notice must provide an opt-out provision, so that the employee can decline to participate in the data collection. Currently, the law does not require consent merely to take temperatures, but a cautious business might consider obtaining such consent anyway.

The Evolving Law of Viruses

This exemption and requirement are set to expire on January 1, 2021, unless the California legislature acts sooner. There is every reason to believe that this will happen. Already Californians for Consumer Privacy (CCP), who originally authored the CCPA, have sought to place extensions to the Act on the November ballot.

The next part of this series will look at best practices a company can take to avoid violating the CCPA and potential revisions to the law.

The blog posts provided on this website do not, and are not intended to, constitute legal advice; instead, all information, content, and materials available on this blog are for general informational purposes only.