Privacy

Keypoint: The use of no-contact temperature taking devices can be an important part of a company’s return-to-work program, but companies should fully vet these devices to ensure that they are not unintentionally violating privacy laws or exposing themselves to potential liabilities.

As U.S. companies start planning and implementing return-to-work plans, many are considering whether to use no-contact temperature taking devices.

The federal government has recognized that taking temperatures is a step that companies can take to mitigate the risk of spreading coronavirus. For example, the CDC interim guidance for critical infrastructure workers recommends that employers “measure the employee’s temperature and assess symptoms prior to them starting work.” EEOC return-to-work guidance also recognizes that employee screening “may include continuing to take temperatures . . . of all those entering the workplace.”

States and cities also have recommended taking temperatures. For example, in Colorado, the Governor’s office has encouraged large workplaces to implement symptom and temperature checks as part of the state’s gradual return-to-work strategy. New York Mayor Bill de Blasio has stated that temperature checks will be part of the City’s return-to-work program. New Jersey Governor Phil Murphy suggested that restaurants could check temperatures before allowing customers to enter.

However, the taking of temperatures creates logistical issues such as who should take the temperatures, what precautions should be in place, and when and where the temperatures should be taken. As with many other facets of this pandemic, companies have looked to technology to answer some of these questions, and there are many solutions – some old, some new – in the marketplace.

Depending on the type of device, the use of no-contact temperature taking devices can raise numerous privacy issues. As companies begin to vet and implement these devices, they will need to ensure that they do not unintentionally violate privacy laws or assume potential liabilities.

Keypoint: If properly deployed, the use of COVID-19 contact-tracing apps by employers, in combination with other measures, could be an effective way to return employees to the workforce. However, before deploying these apps, employers should take caution to fully vet the technologies being used to ensure that employee privacy is respected.

As the United States and Europe have started the process of returning to work, the development, deployment, and use of COVID-19 contact-tracing apps has become a focal point for how governments intend to mitigate risk. ChinaSingapore, and South Korea have already implemented national contact-tracing apps. European countries and Australia have been rapidly working towards their deployment.

In connection with the rapid development of governmental contact-tracing apps, tech companies have started to develop similar apps for employers. A handful of employer-focused contact-tracing apps are already on the market and many more are in development. Some employers are already planning to deploy these apps. For example, Ferrari recently announced that it will utilize a contact-tracing app as part of its “Back on Track” plan.

The use of these apps raises numerous privacy concerns for U.S. employers. As employers begin to vet these apps, they will need to ensure that they do not unintentionally violate privacy laws or assume liabilities by deploying them with their workforce.

Keypoint: After an active winter of proposed state privacy laws, it appears that all eyes will once again be on California for the remainder of the year as we wait for final CCPA regulations, the fate of the CCPA 2.0 ballot measure, and other privacy bills being considered by the California legislature.

Over the past few months, there has not been a lack of things to talk about as it relates to U.S. privacy law developments. Between the CCPA, Washington Privacy Act, CCPA 2.0, and numerous privacy bills proposed in state legislatures, practically every day brought a new story.  However, a lot has changed in a short period of time.

First, the Washington Privacy Act failed to pass (although Washington did enact a facial recognition bill). Then, the world changed with the Coronavirus pandemic.

Yet, there are still developments in U.S. privacy law. Below is an overview of the ones that we have been tracking over the past few weeks.

On Monday, the Chair of the European Data Protection Board (EDPB) issued a statement on the processing of personal data in the context of the COVID-19 outbreak. In that statement, the Chair acknowledged that although the EU General Data Protection Regulation (GDPR) provides broad and comprehensive privacy rights to individuals, it does have mechanisms in

Map of Wisconsin State in USA

Keypoint: The Wisconsin Data Privacy Act would create CCPA and GDPR-like rights for Wisconsin residents and would strengthen Wisconsin’s data security and breach notification requirements.

Lawmakers in Wisconsin have proposed three bills that, if enacted, would create privacy rights for Wisconsin residents and compliance burdens for entities that process or control consumer data. All three bills were introduced on February 10, 2020 and an initial public hearing was held on February 12, 2020.

Conceptual image about how a laptop computer with internet open a virtual door to worldwide information sharing.Keypoint: Maryland lawmakers have introduced a bill that would allow Maryland residents to opt-out of certain types of personal information transfers but that would stop far short of creating CCPA-like rights for Maryland residents.

On January 17, 2020, Maryland House Delegates Courtney Watson and Ned Carey introduced HB0249. If enacted in its current form, the bill would allow Maryland residents to opt-out of certain types of transfers of their personal information to third parties. However, it would not create other CCPA-like privacy rights such as the right to deletion and would not require businesses to make disclosures regarding their privacy practices.

Maryland joins a growing list of states considering consumer privacy legislation, including Florida, Illinois, Virginia, Washington state, Nebraska, New Jersey, New Hampshire, and Hawaii. Members of Husch Blackwell’s privacy and data security practice group will be hosting a webinar on February 4 at noon CST to discuss these proposed laws and to provide an update on the CCPA. To register, click here.

Below is our analysis of the Maryland legislation (as introduced).

Conceptual image about how a laptop computer with internet open a virtual door to worldwide information sharing.Keypoint: The Virginia Privacy Act would create CCPA-like rights for Virginia residents while the Sale of Personal Data Act would create rights vis-à-vis “data sellers.”

Lawmakers in Virginia have proposed two bills that, if enacted, would create a number of privacy rights for Virginia residents and compliance burdens for covered entities.

The first bill – the Virginia Privacy Act (HB 473) – was prefiled on January 3, 2020, and offered on January 8, 2020. It would create CCPA-like rights for Virginia residents and new obligations on businesses such as a requirement to conduct risk assessments.

The second bill – which is unnamed but for our purposes will be referred to as the Sale of Personal Data Act (SB 641) – was prefiled on January 7, 2020, and offered on January 8, 2020. Among other things, it would require data sellers to implement reasonable security measures to protect personal data, respond to certain types of privacy requests, and notify Virginia residents of data breaches.

In addition to Virginia, lawmakers have proposed consumer privacy legislation in Florida, Illinois, Washington state, Nebraska, New Jersey, New Hampshire, and Hawaii. Members of Husch Blackwell’s privacy and data security practice group will be hosting a webinar on February 4 at noon CST to discuss these proposed laws and to provide an update on the CCPA. To register, click here.

Below is our analysis of Virginia’s proposed legislation (as introduced). We will first analyze the Virginia Privacy Act and then separately analyze the Sale of Personal Data Act.

Keypoint: Florida lawmakers have proposed legislation that would require certain operators of websites to make online disclosures and accept requests to opt-out of sales of personal data but that would stop far short of creating CCPA-like privacy rights for Florida residents.

Florida lawmakers have introduced companion bills in the Florida House (HB 963) and Senate (SB 1670) that would create limited online privacy rights and obligations in the state. The legislation – which is yet to be named but for our purposes will be referred to as the 2020 Florida Consumer Privacy Act (Act) – appears to be very similar to the Nevada Online Privacy Protection Act, which was amended last year to add a right to opt-out of sales of covered information. The Act is therefore distinguishable from the California Consumer Privacy Act (CCPA) and more akin to the California Online Privacy Protection Act (CalOPPA).

Florida joins a number of other states considering consumer privacy legislation, including Illinois, Washington state, Nebraska, New Jersey, New Hampshire, Virginia, and Hawaii. Members of Husch Blackwell’s privacy and data security practice group will be hosting a webinar on February 4 at noon CST to discuss these proposed laws and to provide an update on the CCPA. To register, click here.

Below is our analysis of the Florida legislation (as introduced).

Conceptual image about how a laptop computer with internet open a virtual door to worldwide information sharing.Keypoint: Illinois lawmakers have proposed legislation that would create CCPA-like privacy rights for Illinois residents.

On January 8, 2020, Illinois state Senator Thomas Cullerton introduced the Illinois Data Transparency and Privacy Act (SB2330). This comes on the heels of last year’s legislative session in which two consumer privacy bills failed to pass.

Below is our analysis of the proposed legislation (as introduced).