Businesses subject to the California Consumer Privacy Act (“CCPA”) that have begun exploring the possibility of collecting data from visitors to their facilities to track potential coronavirus exposure and to allow/deny entry must take into consideration the fact that, by doing so, they would almost certainly be collecting data that would constitute personal information under the CCPA. For businesses subject to the CCPA, the question arises as to whether such a practice is permissible.
As an initial matter, businesses should ensure that they have provided adequate notice of the collection and usage. Depending on the nature of the business, that notice could be made through their online privacy policy or in-store (or facility) signage. If the business already collects this type of personal information and is using it for new purpose the coronavirus, Section 999.305(a)(5) of the California Attorney General’s proposed regulations may require the business to directly notify such individuals and obtain consent for the materially different use of the personal information.
Even with the proper notice, businesses must also consider what they will do if facility visitors seek to exercise their deletion rights—and whether deleting such information renders the any such screening program dangerously flawed. The CCPA provides nine exceptions that allow a business to “deny” a request for deletion. However, the CCPA does not include exceptions for public health crises or emergencies. Further, although it may depend on the locality, this type of usage would likely not constitute “complying with a legal obligation,” and therefore would not fall under the exception in Cal. Civ. Code § 1798.105(d)(8).
Accordingly, if a business wishes to deny a request for deletion and stay within the bounds of the CCPA, it must interpret another exception as encompassing using personal information to ensure the safety of employees and visitors and to curb the spread of a global pandemic. One possibility is that screening individuals constitutes an internal use that is “solely internal” and “reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.” Cal. Civ. Code § 1798.105(d)(7). Similarly, it could constitute an internal use “in a lawful manner that is compatible with the context in which the consumer provided the information.” Cal. Civ. Code § 1798.105(d)(9). While both of these exceptions could likely be read broadly enough to allow a colorable argument, both also require that the use be strictly internal. To the extent a business may use such information externally—such as in conjunction with governmental or health agencies when determining potential contamination connections—the exceptions may not apply.
Another possibility is that screening individuals could falls under the “detect[ing] security incidents” exception, which is not limited to strictly internal use. Cal. Civ. Code § 1798.105(d)(2). The security incidents exception traditionally applies to information used for information security and anti-fraud purposes. However, “security incident” is not defined in the CCPA, and it is therefore not statutorily limited to that context. Businesses could thus take the position that detecting visitors with coronavirus amounts to detecting a security incident.
Given the current crisis, it seems highly unlikely that the California Attorney General’s Office would focus its resources on businesses that are using information to try to prevent the spread of coronavirus—so long as businesses are not profiting from the information they are collecting. Further, the enforcement deadline is not set to commence until July 1, 2020. Nonetheless, businesses should still be trying to ensure that their practices during this crisis comply with applicable laws, including the CCPA. While none of the CCPA’s deletion exceptions directly fit using personal information to screen for coronavirus, they do provide some cover for businesses that feel that such steps are necessary to ensure the safety of its employees and patrons. So long as businesses are not using this data for other reasons, they likely have a defensible position in the unlikely event that the California Attorney General investigates the practice.