As businesses begin to reopen and as we all continue to deal with the effects of the COVID-19 pandemic, businesses must be cautious with data that has been collected during this time. Many of the new privacy statutes require that consumers be given notice, at the point of collection, that personal information is being collected and that the consumers be given the right to “opt out” of data sharing without their consent. Importantly, part of what must be disclosed is the “commercial or business purpose” for the collection and use of the data. A business must be careful not to repurpose the data for other uses as time passes without providing new notices and potentially obtaining new consents. This is one of the dangers with health data collected from employees and consumers during the pandemic.

As an example, under Section 1798.100 of the California Consumer Privacy Act (“CCPA”), businesses that are subject to the Act must disclose to consumers the categories and specifics of any “personal information” that the business collects, maintains, sells or transfers. Generally, the notices can be provided on a website or via other posting mechanisms. Part of the disclosure must include the business purpose. Examples of business purposes include:

• Quality control
• Enabling completion of customer transaction
• Future marketing to the consumer and third parties
• Product development and testing
• And more

Under section 1798.110 of the CCPA, consumers can request that a business disclose what data has been collected on them in the past. A business must reply to the consumer requests and part of the reply must include information on the “business purpose” for collecting or selling the consumer’s personal information. Finally, under 1798.120 of the CCPA, under some circumstances, consumers can “opt out” of having their personal data sold, shared or transferred unless the consumer gives specific consent. But the consent given relates only to whatever “business purpose” has been provided in the disclosure.

Failure to comply with these notice and consent provisions can subject the business to administrative action and substantial penalties by the California Attorney General Office. Personal information under the CCPA includes health data. A similar set of notice and consent requirements can be found in the European Union’s General Data Protection Regulation.

As another example, privacy with respect to employee health data and information must be protected under the federal Health Insurance Portability and Accountability Act (“HIPAA”). Among other things, HIPAA requires that businesses must have commercially reasonable and appropriate safeguards to protect the privacy of personal health information (“PHI”). Such PHI would include data collected on employees and consumers during the pandemic such as results of coronavirus testing, self-reporting of symptoms, travel data, contact tracing data, and more.

As can be seen, data collection is now immensely complex and must be handled carefully. If certain employee and/or consumer COVID-19 health data was collected during the pandemic, businesses must be careful how that data is stored, shared and transferred. If health-related data was collected for the purpose of preventing the spread of the coronavirus, then such data cannot be used for other purposes and must be securely maintained.

If you have legal questions about data collection and privacy, contact the data privacy lawyers at Revision Legal at 231-714-0100.