Starting last month, companies around the United States started to reopen their doors to their employees and customers, but not without first considering what “checks” should be done to ensure a safe environment for all. Temperature checks, COVID-19 testing, symptom reporting, travel history questionnaires, geolocation tracking and other surveillance measures, and even using AI to intercept communications in which relevant information, like symptoms, is self-reported are among the measures that businesses are taking.
Companies are also considering waivers of liability that their customers and employees may need to sign at the door, waiving any personal injury and potential liability in connection with COVID-19 damages.
But there is one thing that may have slipped a lot of companies’ minds… what about the data? Companies must think about how they will manage the personally identifiable information (PII) and personal health information (PHI) that they collect from their employees and customers, and the best time to do that is now.
Why now?
In addition to the numerous reasons that have always existed ((i) the sooner you do it, the easier it is; (ii) there are hundreds of state and federal privacy laws and regulations out there, and you don’t want to be in violation of any of them; (iii) FTC Act, Section 5; (iv) state UDAP laws; etc.), now there is one more reason… and it is a compelling one: there are two pending federal bills that would temporarily regulate the collection, transfer, and processing of certain personal data in connection with COVID-19 related purposes, and one of them includes a private right of action with significant fines.
The two bills are: (1) the Republican proposal, the COVID-19 Consumer Data Protection Act of 2020 (referred to herein as “CCDPA”); and (2) the Democratic proposal, the Public Health Emergency Privacy Act (publicly referred to as “PHEPA”). Both bills require express consent from individuals before their data is collected, impose transparency requirements, and restrict use, but they differ in several ways. First, PHEPA covers a broader set of PII. CCDPA applies to geolocation data, proximity data, and PHI, whereas PHEPA applies to (1) physical and behavioral health information, testing and examination information, information concerning infection or the likelihood of infection, and genetic data, biological samples and biometrics; (2) any information collected for the purpose of tracking, screening, monitoring, contact tracing, mitigation, or otherwise in connection with the COVID-19 public health emergency, such as geolocation data, proximity data, demographic data, and contact tracing data for identifiable individuals (such as an address book or call log); and (3) any data collected from a personal device. Second, PHEPA applies to government entities and private organizations, whereas CCDPA applies only to private organizations. Third, only CCDPA expressly preempts other federal and state laws. Fourth, PHEPA creates a private right of action with considerable fines.
The last point is worth calling out. PHEPA provides: “a violation of this Act with respect to the emergency health data of an individual constitutes a concrete and particularized injury in fact to that individual” (emphasis added), allowing individuals alleging violation to bring civil actions under PHEPA. This language is important because it provides an argument that a violation of the statute alone would confer standing upon a plaintiff. [Just as a reminder, the Constitution requires that a plaintiff bringing suit must have standing, i.e., (1) suffered an injury in fact, (2) that is fairly traceable to the challenged conduct of the defendant, and (3) that is likely to be redressed by a favorable judicial decision. To establish “injury in fact” in data privacy suits, plaintiffs must prove that their injuries are “concrete and particularized” and “certainly impending.” Spokeo, Inc. v. Robins, 136 S. Ct. 1540, 1542 (2016).] Courts have recently been grappling with the issue of whether plaintiffs bringing suit for violations of other privacy statutes have standing to sue regardless of whether they are able to identify any specific injury (beyond violation of the statute), with plaintiffs often arguing that PII is extremely sensitive data for which the mishandling alone constitutes a concrete and particularized injury. For example, just last month in Bryant v. Compass Group USA, Inc., the Seventh Circuit, in a unanimous decision, held that a plaintiff alleging a mere violation of Section 15(b) of the Illinois Biometric Information Privacy Act (BIPA) – which requires prior notice and consent before the collection of biometric information and data – had Article III standing without alleging further injury. This is particularly noteworthy because BIPA – unlike PHEPA – does not expressly say that a violation “constitutes a concrete and particularized injury in fact to the individual.”
The reason the above standing discussion should matter to businesses is this: PHEPA allows damages of $100-$1,000 per violation in cases of negligent violation, and $500-$5,000 per violation in cases of reckless, willful, or intentional violation, as well as attorney’s fees, litigation costs, and “any other relief, including equitable and declaratory relief, that the court determines appropriate.” So, if plaintiffs have standing to sue just by virtue of the defendant violating the statute (for example, not obtaining express consent before data is collected), without showing that any injury resulted, that opens the gateway to plaintiffs recovering $100-$5,000 per violation.
What’s more, “per violation” could be interpreted to mean each time a business collects, uses or discloses covered PII. So if your business conducts daily temperature checks and collects the data associated therewith, you could be looking at damages of $100-$5,000 per day per person. And presumably if your business is collecting multiple types of data on a daily basis – e.g., temperature checks, symptom checks, recent contacts with people with COVID-19, etc. – then the aforementioned damages could be much higher, i.e., a multiple of the number of pieces of data you’re collecting.
Now, there is no reason to panic… yet. CCDPA and PHEPA are just bills at this point. But their introduction should serve as a wake-up call for companies and government entities alike to start considering the data they are collecting, or considering collecting, from their customers and employees in connection with the COVID-19 health crisis, and the practices and compliance strategies associated therewith.