Keypoint: The use of no-contact temperature taking devices can be an important part of a company’s return-to-work program, but companies should fully vet these devices to ensure that they are not unintentionally violating privacy laws or exposing themselves to potential liabilities.
As U.S. companies start planning and implementing return-to-work plans, many are considering whether to use no-contact temperature taking devices.
The federal government has recognized that taking temperatures is a step that companies can take to mitigate the risk of spreading coronavirus. For example, the CDC interim guidance for critical infrastructure workers recommends that employers “measure the employee’s temperature and assess symptoms prior to them starting work.” EEOC return-to-work guidance also recognizes that employee screening “may include continuing to take temperatures . . . of all those entering the workplace.”
States and cities also have recommended taking temperatures. For example, in Colorado, the Governor’s office has encouraged large workplaces to implement symptom and temperature checks as part of the state’s gradual return-to-work strategy. New York Mayor Bill de Blasio has stated that temperature checks will be part of the City’s return-to-work program. New Jersey Governor Phil Murphy suggested that restaurants could check temperatures before allowing customers to enter.
However, the taking of temperatures creates logistical issues such as who should take the temperatures, what precautions should be in place, and when and where the temperatures should be taken. As with many other facets of this pandemic, companies have looked to technology to answer some of these questions, and there are many solutions – some old, some new – in the marketplace.
Depending on the type of device, the use of no-contact temperature taking devices can raise numerous privacy issues. As companies begin to vet and implement these devices, they will need to ensure that they do not unintentionally violate privacy laws or assume potential liabilities.
Overview of Available Devices
Based on our research, there are three categories of no-contact temperature taking devices that are currently available and that can be utilized by companies for employee or customer screening.
The simplest type of device are no-contact infrared scanners. To operate these devices, an individual places the scanner a few inches from an individual’s forehead and pushes a button.
The second type of device uses facial recognition to identify the faces of individuals walking past the device and thermal scanning to take their temperatures. Depending on the sophistication of the device, they can be used to take temperatures of one person at a time or groups of people. These devices can be used to scan employees, customers or even larger gatherings of people in airports and train stations. Typically, these devices can be placed a few feet away from the individual and still accurately take their temperature.
The third type of device is categorized as “wearables.” These devices include watches, rings, and stick on sensors. Depending on the sophistication of the device, they can collect not only temperatures but also heart rate, sleep information, steps, calories, and altitude, among other information. Some of these devices can be paired with smart phone apps.
U.S. Privacy Law Implications for Using These Devices
State Biometric Privacy Laws
Although the use of simple no-contact infrared scanners likely will not implicate state biometric privacy laws, the use of any temperature-taking device that deploys facial recognition to identify individuals could violate some states’ biometric privacy laws. For example, Illinois’ Biometric Information Privacy Act (BIPA) requires private entities that collect, retain, or disclose biometric information to follow detailed requirements to ensure that any individual providing biometric identifiers or biometric information has consented to the private entity’s collection of such information. The law defines “biometric identifiers” to include a “scan of . . . face geometry.”
Moreover, BIPA requires private entities in possession of biometric information to develop a publicly-available written policy establishing a retention schedule and guidelines for permanently destroying biometric information when the initial purpose of collecting or obtaining the information has been satisfied, or within three years of the individual’s last interaction with the private entity, whichever occurs first.
Persons “aggrieved by a violation” of BIPA have a private right of action and may seek statutory remedies, including the greater of actual or liquidated damages of $1,000 (for each negligent violation) or $5,000 (for each intentional or reckless violation). Over the past few years, plaintiffs’ attorneys have been aggressively pursuing BIPA class action lawsuits.
Both Texas and Washington have enacted similar biometric information laws governing the capture and use of individuals’ biometric information. However, both of these statutes do not create a private right of action – enforcement may only be brought by the Attorney General. To date, BIPA is the only state biometric statute that includes a private right of action.
State Breach Notification and Information Security Statutes
Companies must be aware that no-contact temperature taking devices could be collecting personal information that is potentially subject to state breach notification laws. In general, these statutes require entities to notify affected individuals if there is a loss of personal information. The definitions of personal information vary by statute; however, several statutes include biometric information and medical information as covered data elements. The definitions of biometric information and medical information also vary, such that it is important to analyze each statute to determine if it is applicable.
It is important to note that many of these breach notification statutes are limited to the collection of computerized data. Thus, the handwritten collection of individuals’ temperatures may not be subject to these breach notification statutes.
Further, companies may be subject to liability under state information security and document retention statutes. These statutes generally require businesses to implement and maintain reasonable security procedures and practices to protect personal information and to dispose of personal information when there is no longer a business purpose for keeping it. Several states have incorporated biometric and medical information into their statutes. Although these statutes are enforceable by state Attorneys General, class action litigants often use them as a basis for negligence per se claims against companies that have suffered a data breach.
Because of the number of states that have incorporated either biometric information or medical information into their definition of personal information, companies should consider the risks associated with deploying no-contact temperature taking devices into their return-to-work strategy. Primarily, companies should consider the implications of a potential data breach. For example, should a company collect and store individuals’ medical or biometric information and be subject to a data breach, the company may be required to notify every affected individual of the breach and potentially notify state Attorneys General. Those notifications could trigger class action lawsuits and/or state attorney general investigations. Notably, as discussed more fully below, California law allows litigants to seek statutory damages of between $100 and $750 per consumer, per incident for data breaches caused by a company’s failure to implement and maintain reasonable security procedures.
CCPA
Companies that do business in California and have in excess of $25 million in annual gross revenues (commonly understood to mean globally, not just in California) or otherwise possess or sell a significant amount of personal information of California residents, have additional obligations and risks to consider under the California Consumer Privacy Act (CCPA).
The CCPA covers a business’s collection of “personal information” both online and offline. Personal information is defined to mean “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”
Categories of personal information protected by the CCPA include both “medical information” and “biometric information.” Biometric information is broadly defined to include physiological characteristics, including imagery of the face and health data that contains identifying information. Medical information is not defined in the statute. Whether temperature and related information falls within these categories of personal information is unclear; however, facial scans would be covered as would much of the information collected by smart phone apps.
Assuming the CCPA applies, businesses will have certain obligations with respect to their collection and use of this information. At or before the point of collecting this information, a business needs to provide notice to California residents, whether prospective or current employees or customers, of the information to be collected and the purpose(s) for which it will be used. However, unlike BIPA and the other biometric information laws discussed above, consent is not required under the CCPA.
Further, a business is prohibited from using the information collected for any purpose other than as disclosed in the notice at collection. The notice can be provided to California residents electronically (e.g., by email to employees), orally, in hard copy, or via prominent signage that contains the notice or a web address where the notice may be found online. The notice must be accessible to individuals with disabilities.
Additionally, assuming the business maintains this information, it must set up designated methods by which California residents may exercise their right to know, delete, and opt out of the sale of this information. As it concerns current and prospective employees from which this information is collected, the CCPA only requires a business to provide the notice at collection – a business does not need to provide the right to, or comply with requests to, know, delete or opt-out of sales. However, unless amended, this exemption is set to expire January 1, 2021, after which time current and prospective employees’ personal information will be subject to consumer requests.
The California attorney general is authorized to enforce the CCPA beginning July 1, 2020, and the office has stated that its enforcement actions can cover activities between January 1 and July 1. Intentional violations of the CCPA may result in civil penalties of up to $7,500 for each violation.
Further, the CCPA provides a private right of action where a breach occurs as a result of failure to implement and maintain reasonable security procedures and practices. There is no exemption for current and prospective employee personal information as with consumer requests.
California’s breach notification law includes medical information and, in 2019, was expanded to include biometric information. If a breach occurs, a business risks facing a class action lawsuit seeking statutory damages under the CCPA ranging from $100 to $750 per consumer, per incident.
Other Considerations
The EEOC has provided guidance on maintaining the confidentiality of employee temperature information. According to the EEOC, this information must remain confidential. Additionally, the EEOC guidance notes that the Americans with Disabilities Act “requires that all medical information about a particular employee be stored separately from the employee’s personnel file.”
Best Practices for Implementing These Devices
Understand the Device
Companies should approach selecting a no-contact temperature taking device based on what information is necessary for the company to collect to protect the health and safety of its employees and/or customers. Some of the devices discussed at the outset of this post may provide a company with more information than necessary. For example, some devices may simply collect temperature readings, while others involve identity recognition capabilities. If there is not a business need for the collection of certain information, companies should avoid doing so.
Further, to analyze the risks associated with using the device, companies should thoroughly understand what information the device collects, how that information is stored, and if that information may be shared with the product developer or others (particularly as it concerns wearable devices). Only after a company answers those questions, can it begin to analyze whether the use of the device could expose the company to unnecessary liability.
Vet the Company Selling the Device
COVID-19 has created a new demand for these devices. Many new companies are entering the market and existing companies are shifting their focus to take advantage of this business opportunity. Before investing in a no-contact temperature taking device, it is important to conduct due diligence on the company, particularly those that are new to the market.
While the website marketing the product may look impressive, companies should investigate things such as whether the company has an existing and updated privacy policy with thorough and complete disclosures as to what personal information the company’s device collects, how it is used, and how it is shared. Further, companies should read and understand the company’s terms of service to determine how the company approaches notice and liability in the event of a data breach.
Understand the Device’s Information Security Protections
As we have seen with many of the new products popularized in this new economy, the security of these new devices is going to be tested by hackers. Therefore, having your information security department analyze the device and identify vulnerabilities is a crucial step in vetting the product.
The device itself is not the only security risk. Consideration should also be given to a company’s own security measures. For example, who will be conducting these screenings on behalf of the company, how and where will the company record the information (paper versus electronic), and who within the company will be notified and/or have access to this information?
Prepare Employee and Customer Notices
Perhaps the most significant hurdle for implementing these devices is to make sure that your employees and customers are comfortable with them. That is particularly true with devices that collect and store sensitive data such as facial recognition scans.
In that respect, it is crucial for companies to be transparent about what information they are collecting, why, and how that information will be used. Companies should develop written policies explaining why they are using these devices, the types of information that will be collected, how that information will be used and shared, and the information security measures in place to protect the information.
Conclusion
The use of no-contact temperature taking devices can be an important (or even government-mandated) part of a company’s return-to-work strategy. However, before deploying these devices, companies should fully vet them to avoid violating privacy laws or assuming unnecessary potential liabilities.