September 28, 2020

Volume X, Number 272

September 28, 2020

Subscribe to Latest Legal News and Analysis

Up Close & Personal: Contact-Tracing Apps & Employee Privacy

Our proximity and “close contact” with other humans is on the front lines in the war against coronavirus.  Yet tracking 6 feet of distance from every human we encounter for a 14 day period is nearly impossible without the help of technology like contact-tracing apps.  Although many privacy and employment laws designed to protect employee rights have been temporarily relaxed during the pandemic, employers must consider and resolve employee privacy issues created by contact-tracing apps.  As businesses forge roadmaps to reopen, these apps offer innovative solutions to meet legal requirements imposed by OSHA and Centers for Disease Control.  This article explores what employers need to know about contact-tracing apps including how they work, the laws that govern, the impact to employee privacy, consent, and ways to mitigate risk associated with contact-tracing apps.

What Are Contact-Tracing Apps?

At their core, contact-tracing apps are mobile applications that track physical proximity between individuals to alert them if they have been in “close contact” with someone who later tests positive for COVID-19.  The Centers for Disease Control and Prevention (“CDC”) has actively been providing guidance and recommends employers notify other employees that may have been in close contact with an employee that tests positive for COVID-19.  When an individual using the app reports a positive test result, others who have come into close contact with that individual will receive notice.  The purpose is to identify those who may have been exposed to COVID-19 so they may self-isolate and take measures to protect the health and safety of others.

Some solutions also allow employees to self-report symptoms of COVID-19, including whether they have a cough, fever, chills, headache, sore throat, lost sense of smell/taste, or been in close contact with somebody else that tested positive.  If employees self-report no symptoms, then they are permitted to report to work.  If employees self-report they have symptoms or a temperature of more than 100.4 then they are not permitted to go to work.  Used in this manner, employee self-assessments constitute an employment record that includes medical information.

How Do Contact-Tracing Apps Work?

Different contact-tracing apps utilize different types of technology to operate.

  • Bluetooth or WiFi signals: Users install the app on their personal or business mobile devices or the technology is embedded in a wearable chip, wristband or badge. The app uses Bluetooth or WiFi signals that transmit an anonymous ID to other mobile devices in close proximity.  These low energy Bluetooth signals perform a digital “handshake” when two users come into close contact.  The data stored on each device is typically anonymized data.  When an individual reports they have tested positive for COVID-19, any users who have matching tokens or digital handshakes receive alerts that they may have come into contact with someone who tested positive.  The identity of the individual who reports testing positive is not identified in the push notification.

  • Geolocation: Some apps also use geolocation to determine where individuals have been and who they may have come into contact with. These apps may also use this information to generate cluster maps to understand how a specific geographic location or region may be affected.  Certain apps can also create a geofence so users are only tracked when they are at a particular site like the workplace.

  • environmental factors: Some developers are capturing environmental factors, like ventilation in a building or inability to effectively social distance, to enrich signal and/or GPS data.

  • self-reporting or partner with health care providers: Some apps rely on self-diagnosis or self-reporting positive test results or daily self-assessment features. Others partner with health care providers to verify results.  An individual that tests positive for COVID-19 and submits such information into a contact-tracing app either through self-reporting or via a health care provider, is likely to have medical information stored in the contact-tracing app.

  • Self-Assessments: Some apps send questions to users to ask whether the user has any COVID-19 symptoms, including a temperature at or above 100.4. If the user has no symptoms, they may receive some approval to report to work.  If the user does have symptoms, the user is not permitted to report to work.  Information entered into the contact-tracing app related to a medical condition constitutes medical information and requires greater protection.

What Types of Personal Information Do Contact-Tracing Apps Collect?

Depending on the app, different types of personal information may be collected.  Generally, all apps collect:

  • Basic device identifiers;

  • A log of contacts with other users;

  • The date, time, and duration of those contacts;

  • Whether an individual has tested positive; and,

  • If that test result was self-reported or verified through a health care provider.

Certain apps also offer features like daily self-assessments and require end users to create accounts including their name, email, mobile device number, and/or contact information.  Apps that use GPS and other enhancements may also collect geolocation data history or build profiles about end users’ activity and behaviors.  Finally, if the app is being used in an employment context, it may also include employment information, like the company name, employee name, job title, contact information, and department.

How Do Contact-Tracing Apps Impact Employee Privacy Rights?

Employees have fundamental rights to personal privacy that an employer is not permitted to invade unless there is a legitimate business need.  Under this equation, privacy rights are like a playground teeter-totter: as business needs go up, privacy rights go down.  And vice versa.  In the midst of a global pandemic, business needs are at an all-time high.  Government agencies like EEOC and California Department of Fair Employment and Housing that protect employees’ rights to privacy issued guidance that temporarily relaxes certain privacy laws to allow businesses to maintain a safe work environment during the pandemic.  For example, temperature checks and COVID-19 testing are expressly permitted even though they constitute medical tests.

Contact-tracing apps may also be a form of employee surveillance because such apps track the user’s location and movements.  However, for the safety of their workforce (and to comply with OSHA and CDC), employers have a compelling and legitimate business need to identify individuals that may have been exposed to COVID-19 and alert co-workers who may have been in close contact.  Most apps collect information that identifies an individual or device and may not discern whether the employee is on-duty or off-duty.  Tracking off-duty activity is perceived to have greater employee privacy rights and businesses would need to demonstrate how tracking such activity is legitimate.

How Do We Maintain Employee Confidentiality Using Contact-Tracing Apps?

Employers must maintain the confidentiality of employee data, particularly medical information.  Make sure to designate administrative access only to select personnel who need to know if an employee tests positive for COVID-19.

Is an Employer Required to Provide Any Notices or Disclosures to Employees?

If the data collected by the app is personal information, then adequate disclosures and consent should be obtained.  Under California law, app developers are separately required to provide notice and obtain user consent about data the app collects, uses, and discloses.  However, this form of disclosure and consent is different from employer disclosure and consent since employers use the information to make employment decisions which is a different purpose than the app developer.

Laws like California’s Consumer Privacy Act (“CCPA”) and Confidentiality of Medical Information Act (“CMIA”) both apply to medical information and require specific notices at collection and consent to share such information.  As previously reported, laws like CCPA expand employee privacy rights.  With the Attorney General Regulations now final and awaiting approval by the Office of Administrative Law, enforcement of CCPA on July 1, 2020, will coincide with deployment of contact-tracing apps.  If an employer is a covered business under CCPA then employees are entitled to notice at collection before employers deploy a contact-tracing app.  Given the rise in transparency required under state consumer protection laws, employers should have a COVID-19 policy that discloses all types of data collected in the contact-tracing app and explain the purpose of such collection.  Some states have also enacted laws that require individuals be notified and consent to GPS tracking.

Whether the contact-tracing app will collect personal information or not, users are entitled to notice about how the app will be used, including that it will monitor their activity on an ongoing basis at work and, if applicable, while off the clock.  If the app will use GPS, it is important to carefully review relevant laws to ensure the company has a compliant acknowledgment and consent form.

How Is Employee Data Stored in Contact-Tracing Apps?

It depends on the app.  Some apps are cloud-based, and others will save data on the device itself, or transmit data to the business’ servers.  Some apps empower businesses to control the length of time data is stored.  Other apps have fixed retention periods.  To the extent possible, opt for the app that minimizes the amount and type of data collected.  If given the option, only store data for as long as may be required to fulfill the purpose for which it was collected.  For example, if an employee in her self-assessment reports no symptoms that day, then there is more risk than value in maintaining her data, provided individualized “no-symptom” data is unnecessary to the business’ COVID-19 response.  Understand whether the app encrypts employee data or how it safeguards data stored on its systems.  Most state laws require businesses to give notice to consumers if sensitive data is breached.  Those statutes typically include health or medical information in their definitions of sensitive information that would trigger breach notice and require businesses reasonably secure the data.  If employee and medical data are collected and stored, generally encryption and multi-factor authentication should be used to store medical information.

If I Am Collecting an Employee’s Medical Information on the App, Do I Have to Comply With Health Insurance and Portability Accountability Act (“HIPAA”)?

HIPAA only applies to covered entities, which include health care providers, health plans, and health care clearinghouses, as well as their business associates.  An employer that uses a contact-tracing app is unlikely subject to HIPAA, unless it is a covered entity, such as a self-funded health plan.  However, if an employer is a covered entity, the data may be collected, but written authorization must be obtained from the employee prior to releasing medical information to the employer for employment purposes.  Generally, a covered entity that uses a contact-tracing app must also enter into a business associate agreement with the app provider and ensure the app adequately secures protected health information from unauthorized use or disclosure.

Are There Any Other Laws That Are Implicated by Using Contact-Tracing Apps?

Some states like Washington have proposed legislation that will govern the development and use of contact-tracing apps.  Other states, like California, have laws that specifically protect medical information.  Under CMIA, employers who receive medical information must keep it confidential and protect it from unauthorized use or disclosure.  In most cases, employers may not use or disclose employee medical information collected through contact-tracing apps unless the employer obtains a written authorization from the employee.  Under California law, anonymized or de-identified data may not constitute “personal information” as that term is defined by CCPA.

Do I Have to Reimburse My Employees If They Download and Use Contact-Tracing Apps on Their Personal Devices?

Many employers will require employees to download the contact-tracing app to their personal mobile devices and whether reimbursement is required depends on state laws.  Several states, including California, require businesses to reimburse employees for work-related uses of their personal cell phones or devices.  For example, under California Labor Code 2802 and Cochran, if the business requires employees to download and use contact-tracing apps on an employee’s personal device then the business must reimburse the employee for (1) any cost associated with downloading the app, and (2) a pro rata share of the employee’s monthly mobile device bill.  Contact-tracing apps run continuously even if only in the background, which means individuals might incur data and roaming costs.

How Do We Reduce Risk and Respect Employee Privacy While Using Contact-Tracing Apps?

When it comes to balancing employee privacy and business needs, the benefit of any technology should outweigh the risk.  Contact-tracing apps provide a much-needed and novel solution to allow businesses, schools and public venues to reopen and provide immediate transparency to users about their exposure risk.  Below are a few takeaways to help minimize the risk and increase the benefit of contact-tracing apps.

  1. Understand the technology solution your business is adopting including data collected, data flows, how long data is stored, data security, whether data is shared with third parties, and what sort of notice and consent are required depending on the personal information included.

  2. Develop clear and thoughtful policies that describe how the technology works, what data is collected, how the data and app will be used, requisite disclosures/consent under applicable laws, and any rights to reimbursement. Have employees acknowledge and agree to the use of the contact-tracing app and receipt of the policy.  Also update your CCPA Employee Notice to include contact tracing.

  3. Offer training and information to employees so they can understand how the technology works, what information the business will be able to access, and how this technology is intended to help keep them and their co-workers safe and healthy.

  4. If you are shopping for an app, choose solutions that collect as little data as possible to accomplish their purpose or store data for short periods of time. Certain apps have demonstrated privacy by design principles that collect very little data, geofence the workplace, store data for 30 or less days, and store data on encrypted platforms.

  5. To the extent the app collects personal information, ensure the company has adequate measures in place to keep that information secure and confidential.

As you are aware, things are changing quickly and there is a lack of clear-cut authority or bright line rules on implementation. This article is not intended to be an unequivocal, one-size fits all guidance, but instead represents our interpretation of where things currently and generally stand. This article does not address the potential impacts of the numerous other federal, state and local orders that have been issued in response to the COVID-19 pandemic, including, without limitation, potential liability should an employee become ill, requirements regarding family leave, sick pay and other issues.

Copyright © 2020, Sheppard Mullin Richter & Hampton LLP.National Law Review, Volume X, Number 156

TRENDING LEGAL ANALYSIS


About this Author

Justine M. Phillips Labor & Employment Attorney Shepard Mullin Law Firm San Diego
Special Counsel

Justine Phillips is a special counsel in both Data Privacy & Security and Labor and Employment Practice Groups in the firm's San Diego (Del Mar) office.

Areas of Practice

Justine focuses her practice on cybersecurity, data privacy, employment litigation and counseling, and commercial litigation. Justine takes a holistic approach to assist clients on everyday issues related to electronically stored information including: cyber risk management and mitigation; eWorkforce policies; compliance with data regulations; retention/destruction...

858-720-7476
Jessica R. Gross Privacy and Cybersecurity California Consumer Privacy Act of 2018 Labor and Employment
Attorney

Jessica R. Gross is an attorney in both the Privacy and Cybersecurity and Labor and Employment Practice Groups in the firm's San Diego office.

Areas of Practice

Jessica is a rising professional practicing data security and privacy. She is a Corporate Member of the International Association of Privacy Professionals—the largest and most comprehensive global information privacy community—and is a Certified Information Privacy Professional on European Data Laws and the General Data Privacy Regulation (GDPR). Jessica assists all aspects of her clients’ cybersecurity needs. From sound information governance policies and regulatory compliance to incident response, Jessica helps businesses and individuals understand their obligations and address some of the biggest challenges of today’s digital world. With the expansion of laws on data privacy and cybersecurity, like California’s new Consumer Privacy Act of 2018, Jessica helps her clients stay on top of cutting-edge developments and mitigate risk. Her work also includes crafting pragmatic privacy policy and terms of use provisions for websites and apps in light of these everchanging state, national, and international laws.

Jessica assists the Labor and Employment Group with a range of issues related to employee privacy, including background checks, device and social media use policies, and other employment agreements such as proprietary innovation and information agreements. Given Jessica’s technical background, she is also able to assist in trade-theft secret investigations and matters.

Jessica also supports the firm’s eDiscovery needs and other general litigation matters. Managing complex electronic discovery issues can be daunting. Jessica can assist litigation counsel and trial teams with the collection, production, and presentation of electronically stored information. As a former judicial law clerk for a federal magistrate judge, Jessica is well-trained to effectively and efficiently manage discovery obligations and to resolve discovery

619-338-6692
Morgan Forsey, Labor and Employment Attorney, Sheppard Mullin Law Firm
Associate

Morgan Forsey is an associate in the Labor and Employment Practice Group in the firm's San Francisco office.

Areas of Practice

Ms. Forsey handles all facets of the litigation process in labor and employment disputes.  Ms. Forsey has significant experience in defending wage and hour class actions, including claims for overtime pay, meal and rest period violations, misclassification claims, prevailing wages and claims concerning premium pay issues.  She has successfully defeated class certification motions and prevailed...

415-774-3254
Alexandra M. Gross Attorney San diego Labor and Employment Privacy and Cybersecurity
Attorney

Alexandra M. Gross is an attorney in both the Privacy and Cybersecurity and Labor and Employment Practice Groups in the firm's San Diego office.

Areas of Practice

Ali is the former Compliance Privacy Officer for UCI Health and brings depth and experience in HIPAA and privacy disclosures.

619-338-6596