As businesses begin to reopen and as we all continue to deal with the effects of the COVID-19 pandemic, businesses must be cautious with data that has been collected during this time. Many of the new privacy statutes require that consumers be given notice, at the point of collection, that personal information is being collected and that the consumers be given the right to “opt out” of data sharing without their consent. Importantly, part of what must be disclosed is the “commercial or business purpose” for the collection and use of the data. A business must be careful not to repurpose the data for other uses as time passes without providing new notices and potentially obtaining new consents. This is one of the dangers with health data collected from employees and consumers during the pandemic.
As an example, under Section 1798.100 of the California Consumer Privacy Act (“CCPA”), businesses that are subject to the Act must disclose to consumers the categories and specifics of any “personal information” that the business collects, maintains, sells or transfers. Generally, the notices can be provided on a website or via other posting mechanisms. Part of the disclosure must include the business purpose. Examples of business purposes include:
Under Section 1798.110 of the CCPA, consumers can request that a business disclose what data has been collected on them in the past. A business must reply to the consumer’s request, and part of the reply must include information on the “business purpose” for collecting or selling the consumer’s personal information. Finally, under Section 1798.120 of the CCPA, under some circumstances, consumers can “opt out” of having their personal data sold, shared or transferred unless the consumer gives specific consent. But the consent given relates only to whatever “business purpose” has been provided in the disclosure.
Failure to comply with these notice and consent provisions can subject the business to administrative action and substantial penalties by the California Attorney General’s Office. Personal information under the CCPA includes health data. A similar set of notice and consent requirements can be found in the European Union’s General Data Protection Regulation.
As another example, privacy with respect to employee health data and information must be protected under the federal Health Insurance Portability and Accountability Act (“HIPAA”). Among other things, HIPAA requires that businesses have commercially reasonable and appropriate safeguards to protect the privacy of personal health information (“PHI”). Such PHI would include data collected on employees and consumers during the pandemic, such as results of coronavirus testing, self-reporting of symptoms, travel data, contact tracing data, and more.
As can be seen, data collection is now immensely complex and must be handled carefully. If certain employee and/or consumer COVID-19 health data was collected during the pandemic, businesses must be careful how that data is stored, shared and transferred. If health-related data was collected for the purpose of preventing the spread of the coronavirus, then such data cannot be used for other purposes and must be securely maintained.
If you have legal questions about data collection and privacy, contact the data privacy lawyers at Revision Legal at 231-714-0100.
The California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and the European Union’s General Data Protection Regulation, Regulation (EU) 2016/679, both embed a principle that data collected for one purpose cannot be silently repurposed for a materially different purpose without new notice and, in some cases, new consent. Under GDPR Article 5(1)(b), personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
The CCPA’s analogous principle operates through its notice requirements. Businesses must disclose at the point of collection the business purpose for which data is being collected. Using collected data for a materially different business purpose than what was disclosed—without updating the privacy notice and providing new notice to consumers—violates the CCPA’s transparency requirements. The California Privacy Protection Agency has authority to investigate and fine businesses for these violations, with penalties up to $7,500 per intentional violation.
COVID-19 symptom screening data, vaccination records, test results, and temperature logs collected by employers and businesses represent some of the most sensitive categories of personal information. Under CCPA, medical information receives heightened protection under the 2023 amendments, including the right of consumers to opt out of its use for certain secondary purposes. HIPAA applies directly to covered entities and their business associates, but ambiguity about HIPAA’s application to employer-collected COVID health data has not been fully resolved.
The FTC has indicated that collecting health data under one stated purpose—such as workplace safety compliance—and then using that data to make employment decisions, sell it to third parties, or incorporate it into customer profiles would raise serious unfairness concerns under the FTC Act, Section 5. Several state attorneys general have announced investigations into how businesses handled COVID screening data post-pandemic.
Temperature scanning with thermal cameras implicates biometric privacy statutes in Illinois, Texas, and Washington. If temperature data was collected using facial recognition or thermal imaging technology that captured a biometric identifier uniquely associated with a specific person, the collection may have required separate notice and consent under the Illinois Biometric Information Privacy Act or its state equivalents. Businesses that collected this data during the pandemic and are now repurposing or retaining it should evaluate whether initial consent covered the proposed new use.
If your business is managing legacy data collected during the pandemic and wants to evaluate what uses are permissible, or if you have received an inquiry from a regulatory agency, contact the privacy lawyers at Revision Legal at 231-714-0100.