![Photo of David Stauss [Former Attorney]](https://lexblogplatform.com/wp-content/uploads/sites/631/userphoto/7147-1572288796.jpg)
Keypoint: Advocates seem certain that they have done enough to qualify CCPA 2.0 for the November ballot.
On May 4, 2020, the Californians for Consumer Privacy advocacy group announced that they were submitting over 900,000 signatures to qualify the California Privacy Rights Act (CPRA, commonly referred to as “CCPA 2.0”) for the November 2020 ballot.
Keypoint: Although it is unclear whether the forthcoming bill has any chance of becoming law, it is further evidence that companies need to consider the significant privacy issues and risks associated with implementing COVID-19-related technology.
On April 30, 2020, a group of four Republican Senators announced their plan to introduce federal privacy legislation that would regulate the collection and use of personal information relating to the fight against the Coronavirus pandemic. The four Senators are U.S. Sens. John Thune (R-S.D), chairman of the Subcommittee on Communications, Technology, Innovation, and the Internet; Roger Wicker (R-Miss.), chairman of the Senate Committee on Commerce, Science, and Transportation; Jerry Moran (R-Kan.), chairman of the Subcommittee on Consumer Protection, Product Safety, Insurance and Data Security; and Marsha Blackburn (R-Tenn.).
Keypoint: The use of no-contact temperature taking devices can be an important part of a company’s return-to-work program, but companies should fully vet these devices to ensure that they are not unintentionally violating privacy laws or exposing themselves to potential liabilities.
As U.S. companies start planning and implementing return-to-work plans, many are considering whether to use no-contact temperature taking devices.
The federal government has recognized that taking temperatures is a step that companies can take to mitigate the risk of spreading coronavirus. For example, the CDC interim guidance for critical infrastructure workers recommends that employers “measure the employee’s temperature and assess symptoms prior to them starting work.” EEOC return-to-work guidance also recognizes that employee screening “may include continuing to take temperatures . . . of all those entering the workplace.”
States and cities also have recommended taking temperatures. For example, in Colorado, the Governor’s office has encouraged large workplaces to implement symptom and temperature checks as part of the state’s gradual return-to-work strategy. New York Mayor Bill de Blasio has stated that temperature checks will be part of the City’s return-to-work program. New Jersey Governor Phil Murphy suggested that restaurants could check temperatures before allowing customers to enter.
However, the taking of temperatures creates logistical issues such as who should take the temperatures, what precautions should be in place, and when and where the temperatures should be taken. As with many other facets of this pandemic, companies have looked to technology to answer some of these questions, and there are many solutions – some old, some new – in the marketplace.
Depending on the type of device, the use of no-contact temperature taking devices can raise numerous privacy issues. As companies begin to vet and implement these devices, they will need to ensure that they do not unintentionally violate privacy laws or assume potential liabilities.
Keypoint: If properly deployed, the use of COVID-19 contact-tracing apps by employers, in combination with other measures, could be an effective way to return employees to the workforce. However, before deploying these apps, employers should take caution to fully vet the technologies being used to ensure that employee privacy is respected.
As the United States and Europe have started the process of returning to work, the development, deployment, and use of COVID-19 contact-tracing apps has become a focal point for how governments intend to mitigate risk. China, Singapore, and South Korea have already implemented national contact-tracing apps. European countries and Australia have been rapidly working towards their deployment.
In connection with the rapid development of governmental contact-tracing apps, tech companies have started to develop similar apps for employers. A handful of employer-focused contact-tracing apps are already on the market and many more are in development. Some employers are already planning to deploy these apps. For example, Ferrari recently announced that it will utilize a contact-tracing app as part of its “Back on Track” plan.
The use of these apps raises numerous privacy concerns for U.S. employers. As employers begin to vet these apps, they will need to ensure that they do not unintentionally violate privacy laws or assume liabilities by deploying them with their workforce.
Keypoint: The AG’s office again signals that the CCPA’s July 1 enforcement deadline will not be extended.
In another sign that the California Attorney General has no plans to delay the CCPA’s July 1, 2020, enforcement deadline, on Friday April 10, 2020, the AG’s office issued a press release reminding California residents of their data privacy rights during the COVID-19 pandemic.
Keypoint: After an active winter of proposed state privacy laws, it appears that all eyes will once again be on California for the remainder of the year as we wait for final CCPA regulations, the fate of the CCPA 2.0 ballot measure, and other privacy bills being considered by the California legislature.
Over the past few months, there has not been a lack of things to talk about as it relates to U.S. privacy law developments. Between the CCPA, Washington Privacy Act, CCPA 2.0, and numerous privacy bills proposed in state legislatures, practically every day brought a new story. However, a lot has changed in a short period of time.
First, the Washington Privacy Act failed to pass (although Washington did enact a facial recognition bill). Then, the world changed with the Coronavirus pandemic.
Yet, there are still developments in U.S. privacy law. Below is an overview of the ones that we have been tracking over the past few weeks.
Keypoint: Individuals and businesses should take steps to prevent against becoming victims of the rapid rise in Coronavirus-related hacking scams.
On March 20, 2020, the FBI issued an alert warning that cyber thieves are actively trying to exploit the Coronavirus pandemic to steal money, commit identity theft, and engage in other hacking-related activity. The Cybersecurity and Infrastructure Security Agency (CISA) issued a similar alert earlier this month.
Keypoint: The California Attorney General’s office does not currently plan to extend the CCPA’s enforcement deadline but left the door open to reconsider its position as the coronavirus crisis unfolds.
As we previously reported, on March 17, 2020, over thirty trade associations, companies, and organizations sent a letter to California Attorney General Becerra requesting that, in light of the coronavirus crisis and unfinished status of the regulations, he “forebear from enforcing the CCPA until January 2, 2021 so businesses are able to build processes that are in line with the final regulations before they may be subject to enforcement actions for allegedly violating the law’s terms.”
Keypoint: The California Attorney General’s office has not addressed whether businesses may delay responding to CCPA requests due to the Coronavirus pandemic; however, businesses can look to the CCPA’s 45-day extension for relief, at least with respect to responding to requests to know and delete.
To state the obvious, businesses subject to the California Consumer Privacy Act (CCPA) may have more urgent matters to handle these days than responding to CCPA consumer requests.
Yet, the California Attorney General’s office – the CCPA’s enforcement arm – has been silent on whether it will take into account these extenuating circumstances when exercising its enforcement authority come July 1. This may be due to the unique circumstance in which the Attorney General finds itself – i.e., stuck between the CCPA’s effective date and enforcement date.
Before the Coronavirus pandemic, the Attorney General publicly stated that CCPA enforcement actions can cover activities between January 1 and July 1 (see here and here). Whether or not that position is ultimately legal, it places businesses in a difficult situation when balancing Coronavirus-related business disruptions and responding to CCPA consumer requests in a timely manner.
Keypoint: For the second year in a row, the Washington Privacy Act has failed to become law.
Yesterday afternoon, on the final day of the Washington legislative session, Senator Reuven Carlyle issued a statement announcing the failure of the Senate and House to reach a compromise on the Washington Privacy Act (WPA) (SB 6281). Senator Carlyle’s statement identified one insurmountable obstacle – enforcement.