With first responders on the front lines of helping to fight the coronavirus, sharing information about potential exposure to COVID-19 is critical to protecting them and preventing further spread. In these situations, the information shared is most often “protected health information” (PHI) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. To help clarify when PHI can be shared in these circumstances, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS) issued guidance relating to sharing PHI about individuals who have been infected with or exposed to COVID-19 with law enforcement, paramedics, other first responders, and public health authorities.

The idea is to make clear when PHI can be given to first responders and others so they can take extra precautions or use personal protective equipment (PPE), and to remind covered entities to follow the “minimum necessary” rule in the process.

According to the guidance, the HIPAA Privacy Rule permits a covered entity to disclose the PHI of an individual who has been infected with, or exposed to, COVID-19 to law enforcement, paramedics, other first responders, and public health authorities without the individual’s HIPAA authorization in certain circumstances, including the following:

  • To provide treatment. For example, a nurse in a skilled nursing facility can alert emergency medical transport personnel that the individual they are transporting to a hospital’s emergency department has COVID-19.
  • When required by law. An example is a hospital making a disclosure of positive COVID status pursuant to a state law requiring the reporting of confirmed or suspected cases of infectious disease to public health officials.
  • When first responders may be at risk for an infection. Covered entities authorized by law to notify persons as necessary in the conduct of a public health intervention or investigation may inform first responders who may be at risk of infection. For example, HIPAA permits a covered county health department, in accordance with a state law, to disclose PHI to a police officer or other person who may come into contact with a person who tested positive for COVID-19, for purposes of preventing or controlling the spread of COVID-19. Similarly, a covered entity, such as a hospital, may provide a list of the names and addresses of all individuals it knows to have tested positive, or received treatment, for COVID-19 to an EMS dispatch for use on a per-call basis. The EMS dispatch would be allowed to use information on the list to inform EMS personnel who are responding to any particular emergency call so that they can take extra precautions or use PPE.
  • When the disclosure of PHI to first responders is necessary to prevent or lessen a serious and imminent threat to the health and safety of a person or the public. For example, a covered entity may, consistent with applicable law and standards of ethical conduct, disclose PHI about individuals who have tested positive for COVID-19 to fire department personnel, child welfare workers, mental health crisis services personnel, or others charged with protecting the health or safety of the public if the covered entity believes in good faith that the disclosure of the information is necessary to prevent or minimize the threat of imminent exposure to such personnel in the discharge of their duties.

These are just some of the examples in which PHI about an individual’s COVID-19 infection can be shared with first responders. The primary authority for these exceptions to the general rule of nondisclosure without an authorization is for treatment disclosures (45 CFR 164.502(a)(1)(ii)), legal requirements (45 CFR 164.502(a)(2)), and other purposes (45 CFR 164.512). Note, however, that unless the disclosure is required by law, for treatment purposes, or for certain other purposes, the covered entity must make reasonable efforts to limit the information used or disclosed to that which is the “minimum necessary” to accomplish the purpose for the disclosure.

Remember also that state laws may be more stringent than HIPAA concerning uses and disclosures of PHI. Thus, covered entities should consult other applicable laws (e.g., state and local statutes and regulations) in their jurisdiction prior to using or making disclosures of individuals’ PHI, as such laws may place further restrictions on disclosures that would otherwise be permitted by HIPAA.

On March 19, 2020, the Equal Employment Opportunity Commission updated its 2009 pandemic preparedness guidance: Pandemic Preparedness in the Workplace and the Americans with Disabilities Act. It includes the following note:

The EEOC is updating this 2009 publication to address its application to coronavirus disease 2019 (COVID-19). Employers and employees should follow guidance from the Centers for Disease Control and Prevention (CDC) as well as state/local public health authorities on how best to slow the spread of this disease and protect workers, customers, clients, and the general public. The ADA and the Rehabilitation Act do not interfere with employers following advice from the CDC and other public health authorities on appropriate steps to take relating to the workplace. This update retains the principles from the 2009 document but incorporates new information to respond to current employer questions.

Many employers are struggling with questions such as:

  • If we follow CDC or state/local public health authorities, can we still violate the ADA?
  • Can we take our employees’ temperatures?
  • Does someone with COVID-19 symptoms in the workplace pose a direct threat?
  • May we screen applicants for COVID-19?

These and other questions are addressed in the guidance. However, as discussed here, there still may be other issues to consider, such as state and local privacy laws.

We paste below some of the key clarifications in the EEOC’s update:

Does someone with COVID-19 symptoms in the workplace pose a direct threat?

Based on guidance of the CDC and public health authorities as of March 2020, the COVID-19 pandemic meets the direct threat standard.  The CDC and public health authorities have acknowledged community spread of COVID-19 in the United States and have issued precautions to slow the spread, such as significant restrictions on public gatherings.  In addition, numerous state and local authorities have issued closure orders for businesses, entertainment and sport venues, and schools in order to avoid bringing people together in close quarters due to the risk of contagion.  These facts manifestly support a finding that a significant risk of substantial harm would be posed by having someone with COVID-19, or symptoms of it, present in the workplace at the current time.  At such time as the CDC and state/local public health authorities revise their assessment of the spread and severity of COVID-19, that could affect whether a direct threat still exists.

During a pandemic, may an ADA-covered employer take its employees’ temperatures to determine whether they have a fever?

Generally, measuring an employee’s body temperature is a medical examination. If pandemic influenza symptoms become more severe than the seasonal flu or the H1N1 virus in the spring/summer of 2009, or if pandemic influenza becomes widespread in the community as assessed by state or local health authorities or the CDC, then employers may measure employees’ body temperature.

However, employers should be aware that some people with influenza, including the 2009 H1N1 virus or COVID-19, do not have a fever.

Because the CDC and state/local health authorities have acknowledged community spread of COVID-19 and issued attendant precautions as of March 2020, employers may measure employees’ body temperature. As with all medical information, the fact that an employee had a fever or other symptoms would be subject to ADA confidentiality requirements.

If an employer is hiring, may it screen applicants for symptoms of COVID-19?

Yes. An employer may screen job applicants for symptoms of COVID-19 after making a conditional job offer, as long as it does so for all entering employees in the same type of job. This ADA rule allowing post-offer (but not pre-offer) medical inquiries and exams applies to all applicants, whether or not the applicant has a disability.

May an employer take an applicant’s temperature as part of a post-offer, pre-employment medical exam?

Yes.  Any medical exams are permitted after an employer has made a conditional offer of employment.  However, employers should be aware that some people with COVID-19 do not have a fever.

May an employer delay the start date of an applicant who has COVID-19 or symptoms associated with it?

Yes.  According to current CDC guidance, an individual who has COVID-19 or symptoms associated with it should not be in the workplace.

CDC has issued guidance applicable to all workplaces generally, but also has issued more specific guidance for particular types of workplaces (e.g. health care employees). Guidance from public health authorities is likely to change as the COVID-19 pandemic evolves.  Therefore, employers should continue to follow the most current information on maintaining workplace safety.   To repeat:  the ADA does not interfere with employers following recommendations of the CDC or public health authorities, and employers should feel free to do so.

May an employer withdraw a job offer when it needs the applicant to start immediately but the individual has COVID-19 or symptoms of it?

Based on current CDC guidance, this individual cannot safely enter the workplace, and therefore the employer may withdraw the job offer.

During a pandemic, must an employer continue to provide reasonable accommodations for employees with known disabilities that are unrelated to the pandemic, barring undue hardship?

Generally, yes. But, the EEOC clarifies:

The rapid spread of COVID-19 has disrupted normal work routines and may have resulted in unexpected or increased requests for reasonable accommodation.  Although employers and employees should address these requests as soon as possible, the extraordinary circumstances of the COVID-19 pandemic may result in delay in discussing requests and in providing accommodation where warranted.  Employers and employees are encouraged to use interim solutions to enable employees to keep working as much as possible.

This is helpful guidance and provides some clarity, but employers will still need to assess their situations locally, weighing various factors when making these critical decisions.

The Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS) wants to make it easier for individuals to reach a healthcare provider, including those most at risk (older persons and persons with disabilities). Effective immediately, during the COVID-19 nationwide public health emergency, OCR announced it will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth.

In short, covered health care providers subject to the HIPAA Rules may seek to communicate with patients and provide telehealth services through remote communications technologies, some of which may not fully comply with the requirements of the HIPAA Rules, without the threat of enforcement.

A couple of key points about this announcement:

  • Covered health care providers that want to use audio or video communication technology to provide telehealth in good faith to patients during the COVID-19 nationwide public health emergency can use any non-public facing remote communication product that is available to communicate with patients.
  • The announcement applies to telehealth provided for any reason, not just services related to the diagnosis and treatment of health conditions related to COVID-19.

In the exercise of their professional judgment, for example, a covered health care provider may request to examine a patient exhibiting COVID-19 symptoms using a video chat application connecting the provider’s or patient’s phone or desktop computer in order to assess a greater number of patients while limiting the risk of infection of other persons who would be exposed from an in-person consultation. The provider may use popular applications that allow for video chats, including Apple FaceTime, Facebook Messenger video chat, Google Hangouts video, or Skype, to provide telehealth.

However, OCR advises providers to take some precautions:

  • Notify patients that these third-party applications potentially introduce privacy risks.
  • Enable all available encryption and privacy modes when using such applications.
  • Do not use public facing video communication applications, such as Facebook Live, Twitch, TikTok, and similar, in the provision of telehealth.
  • Where applicable, use technology vendors that are HIPAA compliant and will enter into HIPAA business associate agreements (BAAs) in connection with the provision of their video communication products. OCR listed some vendors that represent that they provide HIPAA-compliant video communication and that will enter into a HIPAA BAA (Skype for Business, Updox, VSee, Zoom for Healthcare, Doxy.me, Google G Suite Hangouts Meet), but has not endorsed any of these or their BAAs.

The OCR’s guidance extends to BAAs in this context. It will not impose penalties against covered health care providers for the lack of a BAA with video communication vendors relating to the good faith provision of telehealth services during the COVID-19 nationwide public health emergency.

This is welcomed news and should help facilitate the availability of care, particularly to those most at risk.

As the coronavirus spreads across the globe and in the United States, providers, businesses, employers, and others are struggling to understand what medical information they can collect and what information they can share. These are difficult questions the answers to which involve considering factors such as long-standing compliance requirements (e.g., HIPAA, ADA, GINA, state law), the unprecedented times we are in, business risk, and common sense. Government is trying to act to relieve some of these challenges, but questions still remain.

HIPAA Privacy Rule Waiver of Penalties and Sanctions

Effective March 15, 2020, for example, Secretary of the U.S. Department of Health and Human Services (HHS) Alex M. Azar (Secretary) waived certain penalties and sanctions under the HIPAA Privacy Rule against hospitals in its March 2020 COVID-19 and HIPAA Bulletin. These waivers were issued in response to President Donald J. Trump’s declaration of a nationwide emergency concerning COVID-19, and the Secretary’s earlier declaration of a public health emergency on January 31, 2020. The Secretary’s guidance makes clear that the Privacy Rule is not suspended during this crisis and provides guidance about the ability of entities covered by the HIPAA regulations to share information, including with friends and family, public health officials, and emergency personnel. But, in the following areas, the Secretary has waived sanctions and penalties against covered hospitals that do not comply with the following provisions of the HIPAA Privacy Rule:

  • the requirements to obtain a patient’s agreement to speak with family members or friends involved in the patient’s care. See 45 CFR 164.510(b).
  • the requirement to honor a request to opt out of the facility directory. See 45 CFR 164.510(a).
  • the requirement to distribute a notice of privacy practices. See 45 CFR 164.520.
  • the patient’s right to request privacy restrictions. See 45 CFR 164.522(a).
  • the patient’s right to request confidential communications. See 45 CFR 164.522(b).

The waiver became effective on March 15, 2020, and there is more information and access to resources in the Bulletin about where it applies and for how long.

Reminder About What Entities Are Covered Entities and Business Associates

As part of its guidance on HIPAA privacy and disclosures in emergency situations, the Bulletin reminds readers what entities are covered by these rules – covered entities and business associates. There can be some tricky questions here, but these are the basic rules from the Bulletin:

The HIPAA Privacy Rule applies to disclosures made by employees, volunteers, and other members of a covered entity’s or business associate’s workforce. Covered entities are health plans, health care clearinghouses, and those health care providers that conduct one or more covered health care transactions electronically, such as transmitting health care claims to a health plan. Business associates generally are persons or entities (other than members of the workforce of a covered entity) that perform functions or activities on behalf of, or provide certain services to, a covered entity that involve creating, receiving, maintaining, or transmitting protected health information. Business associates also include subcontractors that create, receive, maintain, or transmit protected health information on behalf of another business associate. The Privacy Rule does not apply to disclosures made by entities or other persons who are not covered entities or business associates (although such persons or entities are free to follow the standards on a voluntary basis if desired). There may be other state or federal rules that apply.

Employers are Not Covered Entities or Business Associates – But Still Have Privacy and Confidentiality Obligations

When conducting its business, an organization can be a HIPAA covered entity and/or a business associate. However, when that business is functioning as an employer, it is neither a HIPAA covered entity nor a business associate, although it may sponsor a covered health plan subject to the HIPAA privacy and security rules. As organizations face the coronavirus threat to their workforce and their business, many questions arise about the collection, processing, and disclosure of medical information from employees, their family members, and visitors to their facilities. These can be thorny questions and organizations should seek qualified counsel, but here are some general rules:

When may an ADA-covered employer take the body temperature of employees during the COVID-19 pandemic?

The debate over working from home continues, reaching a high point in 2013 when Marissa Mayer, then CEO of Yahoo, sought to curb the practice. However, as the Coronavirus continues to spread across the U.S., more companies are instructing their employees to work from home as a social distancing technique to help contain the spread and remain productive. No doubt advances in technology and widespread availability of broadband access have made it possible for many to carry out their employment duties from anywhere.

But, of course, remote work is not available for everyone. Restaurant workers, retail store employees, delivery drivers, and other occupations cannot telecommute. However, when work can be performed from home, there are a range of issues for businesses to consider as the workplace expands.

By no means an exhaustive list of all of the issues that may arise, here are some items to consider when implementing a work-from-home policy.

  • Making the decision
    • Review existing resources, applicable policies, and customer/client agreements to determine if remote work is feasible, prudent, and contractually permissible.
    • Have a plan for resources, communications, expense reimbursement, etc.
    • Review insurance policies (e.g., employee benefits, workers compensation, cyber, etc.) to ensure coverage.
    • Stay on top of developments as plans may need to be changed.
  • Confirm the IT infrastructure can support remote work.
    • Be ready to address systems and equipment needs of employees who may not be set up to work from home.
    • Beef up staffing, including help desk capacity to support workers not used to remote work.
    • Ensure data privacy and security (see below).
  • Communicate clearly and consistently.
    • Ensure critical lines of communication among management and with employees are open.
    • In the course of developing communications to employees, examine existing policies closely, such as confidentiality, written information security programs, business continuity, bring your own device (BYOD), etc. Companies without these policies or a comprehensive telework policy, should consider putting them in place. In general, all existing company policies should apply whether an employee is working at the office or at home.
    • A localized approach may be warranted based on local conditions. But, be sure managers are on the same page to avoid inconsistent application of policy.
    • Provide employees system access instructions and where to go for help.
    • Outline best practices for maintaining a safe “workspace.”
    • Be understanding and solution-oriented.
  • Ensure data privacy and security.
    • Implement the work-from-home arrangement consistent with the company’s written information security program to ensure that the access, transmission, and storage of confidential business and personal information are safeguarded. Some key safeguards include:
      • Permit access only through VPN or similar connection.
      • Require two-factor authentication.
      • Supply employees with secure laptops.
    • Communicate critical reminders for employees, such as
      • Elements of confidential business and personal information that warrant protection.
      • Minimum necessary rule – basically, only use confidential and personal information as needed to complete the employee’s assigned tasks.
      • Being aware of phishing attacks, which are a particular concern now as threat actors are using the coronavirus as part of their attacks.
      • Knowing where to report a data incident.
      • Following instructions for system updates and security patches.
      • Saving company data only on the network, and not personal devices.
      • Not permitting others to access the company’s systems, including the personal device that has access to the company’s systems.
      • Setting devices to lock automatically for periods of nonuse.
      • Avoiding printing sensitive corporate materials unless the reason to do so outweighs the risk.
      • Not sending sensitive corporate data to personal email or cloud accounts.
  • Obtain employees’ agreement to conditions for remote work. Items to cover in the agreement might include:
    • Continuing requirement to complete work assignments.
    • Maintaining availability during normal business hours.
    • Adherence to the company’s data privacy, security, and confidentiality policies.
    • Maintaining safe conditions and safety habits at the home office as established at company facilities.
    • Ensuring all work time is recorded.
  • Consider tax issues associated with employees working from home, including those out of state, and reimbursement for costs related to equipment and service-related costs needed to perform work duties.

Jackson Lewis attorneys from multiple practices and industries are actively assisting businesses on the rapidly evolving Coronavirus/COVID-19 workplace health challenge. We are closely monitoring and updating our information as the situation continues to evolve. Below are some additional important resources to help answer some of the most common questions:

Earlier this month, California Attorney General (“AG”) Xavier Becerra sent a letter to several members of U.S. Congress, providing an update on the implementation of the newly effective California Consumer Privacy Act (CCPA), and urging Congress not to enact a federal law that would preempt the CCPA and other state consumer privacy measures. Instead, AG Becerra called on Congress to develop a law that would “build on the rights” provided for by the CCPA, and partner with states to ensure greater consumer privacy protections.

“I invite Congress to look to the states as sources of innovation and expertise in data privacy, and not to undermine protections, like CCPA, that states have already developed. Therefore, as I noted above, I encourage Congress to favor legislation that sets a federal privacy-protection floor rather than a ceiling, allowing my state—and others that may follow—the opportunity to provide further protections tailored to our residents,” wrote AG Becerra.

In addition, AG Becerra emphasized that Congress, in its development of a federal consumer privacy law, should extend enforcement powers broadly, providing state attorneys general with parallel enforcement authority, and consumers the ability to protect their rights directly under a private right of action. It is not clear to what extent AG Becerra is suggesting the inclusion of a private right of action in federal law. The CCPA only authorizes a private cause of action against a covered business if a failure to implement reasonable security safeguards results in a data breach; it is not available when a consumer’s individual rights under the CCPA are violated. Moreover, the definition of personal information for the private right of action is much narrower than the general definition of personal information under the rest of the CCPA.

AG Becerra is instrumental in the CCPA legislative process; in particular, his office is tasked with developing regulations to operationalize the CCPA and provide clarity and specificity to assist in the implementation of the law. AG Becerra announced proposed regulations in October 2019 and, following a series of public hearings across California, announced a regulatory update to the proposed regulations in early February 2020, and then again last week. The AG’s regulations must be finalized and implemented by July 1, 2020.

In the meantime, the U.S. Congress has been plugging away at a federal consumer privacy law over the last couple of years, with limited progress. Most recently, two competing federal consumer privacy bills were introduced. The first, the Consumer Online Privacy Rights Act, was introduced by Sen. Maria Cantwell (D-Wash.), followed shortly after by the United States Consumer Data Privacy Act, introduced by Sen. Roger Wicker (R-Miss.). While the two proposals have significant overlap, a key difference is their treatment of state consumer privacy laws. Cantwell’s proposal includes preemption of “directly conflicting state laws”, but stipulates that the federal law would not override state laws with a “greater level of protection”. Conversely, Wicker’s proposal includes a broad provision expressly preempting any state law “related to the data privacy or security and associated covered entities”.

A federal consumer privacy law is almost inevitable, although it is still unclear what shape it will take and when. With the CCPA in effect and other state measures on the horizon, the development of a meaningful data privacy and protection program has never been more important.

Over the past few months, businesses across the country have been focused on the California Consumer Privacy Act (CCPA), which dramatically expands privacy rights for California residents and provides a strong incentive for businesses to implement reasonable safeguards to protect personal information. That focus is turning back east as the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) becomes effective in less than two weeks. With the goal of strengthening protection for New York residents against data breaches affecting their private information, the SHIELD Act imposes more expansive data security requirements and updates the state’s existing data breach notification requirements.

This post highlights some features of the SHIELD Act. Given the complexities involved, organizations would be well-served to address their particular situations with experienced counsel.

When does the SHIELD Act become effective?

The SHIELD Act has two effective dates:

  • October 23, 2019 – Changes to the existing breach notification rules
  • March 21, 2020 – Data security requirements

Which businesses are covered by the SHIELD Act?

The SHIELD Act’s obligations apply to “[a]ny person or business which owns or licenses computerized data which includes private information” of a resident of New York. Previously, the obligation to provide notification of a data breach under New York’s breach notification law applied only to persons or businesses that conducted business in New York.

Are there any exceptions for small businesses?

As before the SHIELD Act, there are no exceptions for small businesses in the breach notification rule. A small business that experiences a data breach affecting the private information of New York residents must notify the affected persons. The same is true for persons or businesses that maintain (but do not own) computerized data that includes private information of New York residents. Persons or businesses that experience a breach affecting that information must notify the information’s owner or licensee.

However, the SHIELD Act’s data security obligations include some relief for small businesses, defined as any person or business with:

As announcements relaying the spread of Coronavirus (COVID-19) continue daily, governmental agencies at all levels are offering information and guidance, and businesses are scrambling to prepare and protect their employees and customers. As part of a larger group in my firm helping to synthesize all this information, there is an aspect of responding to COVID-19 that has not gotten much attention – emerging phishing attacks by informed hackers trying to capitalize on fears employees have about the COVID-19 crisis and what their employers are doing to respond.


We have posted several times about the different techniques hackers use to trick unsuspecting, distracted, or nervous employees into falling victim to a phishing attack. A good example, also particularly relevant now, is IRS Form W-2 cyber scams designed to get workers to email other employees’ Forms W-2. The IRS has issued numerous warnings about these scams and guidance for addressing them. And, the World Health Organization has issued a similar warning relating to COVID-19.

At the moment, organizations around the world are communicating with their workforces about coronavirus in areas such as (i) updated travel policies, (ii) work at home requirements, and (iii) cleaning best practices. Businesses also might be adjusting or changing plans for conferences and other business initiatives in response to the reported spread of COVID-19. Hackers do their research and see the opportunity. Through social engineering, they can target employees who, in the current environment, might be more likely to respond to an executive’s email seeking action on a coronavirus-related topic.

As with Form W-2 and other scams, employees may, for example, receive fake emails purporting to be information from management about coronavirus. The hacker might assume an executive’s identity and apparent e-mail address for the purpose of sending what appears to be a legitimate request to address a critical business need surrounding the virus’ outbreak. Unsuspecting and nervous employees might be more likely to respond, allowing attackers into the organization’s information systems.

While an organization can use firewalls, web filters, malware scans or other security software to hinder spear phishing, experts agree the best defense is employee awareness. So, it is a good idea to remind employees about this threat, along with guidance for avoiding these attacks.

In the event your business is a victim of such an attack, it needs to be prepared to respond. This may require steps such as (i) investigating the nature and scope of the attack, (ii) ensuring that the attackers are not still present in its systems, (iii) determining whether notification is required under applicable state law to individuals and state agencies, and (iv) helping employees whose personal information may have been compromised.

The much-anticipated California Consumer Privacy Act (“CCPA”) is now in effect (as of January 1, 2020), and as we’ve recently reported, class action litigation under the CCPA has already begun. Organizations should have already assessed whether their business is subject to the new law and, if so, taken steps to ensure compliance. One of the most difficult compliance areas of the CCPA is likely responding to consumer requests to know the personal information a business collects about them. Under the CCPA, consumers have the right to know what personal information a business is collecting about them. The information must be made available, free of charge, within 45 days, although extensions are available in limited circumstances. The business’s response to a request to know must be in a “readily useable format that allows the consumer to transmit this information to another entity without hindrance.” In addition, in October of 2019, as required by the CCPA, Attorney General Xavier Becerra announced Proposed Regulations that operationalize the new law and provide clarity and specificity to assist in implementation of the CCPA. The Proposed Regulations, which were recently updated, have yet to be finalized, but as they stand they have a technical and substantive impact on the consumer request-to-know process.

The CCPA defines “personal information” very broadly, which is the reason consumer requests to know are particularly cumbersome for businesses. Per the statute, personal information is that which “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” This definition includes the types of personal information we are used to seeing, such as Social Security numbers and driver’s license numbers, but it also includes a person’s name and address (physical and email). In addition, it may include less obvious things like the person’s browsing history, biometric data, and geolocation data.

The following are practical tips for handling consumer requests to know:

Preparing for compliance

  • Identification of process owner: Organizations should designate a person or team to handle requests to know.
  • Develop an effective process: Organizations should have clear internal policies and procedures for responding to requests. Like the discovery process in litigation, reviewing data in response to a request can be incredibly burdensome. Personal information must be transmitted securely and all deleted information must be permanently erased, deidentified or aggregated. Organizations may want to employ technology and outside partners to make this process more efficient. For example, current technology is available to make files more easily searchable, to extract key metadata, and to remove duplicate files to eliminate redundancy. In addition, organizations must maintain records of consumer requests for at least 24 months, and these records generally cannot be used for any other purpose.
  • Training: The response team (which may include third party service providers if applicable), and other key staff and management involved in handling requests must receive training on what a consumer may request and the organization’s policies and procedures for responding to requests.
  • Data mapping: Organizations should have an easy-to-access file of what personal data it is storing, why it has the data, how it uses the data, with whom it shares the data, how long it retains the data, and where it is located.
  • Provide a method for requests: Under the CCPA, organizations are required to create at least two designated methods for submitting disclosure requests, including, at minimum, a toll-free number and another acceptable method, such as an email address. Organizations should provide clear direction on how to submit requests to know and should not make the process difficult, as this could lead to fines for non-compliance.

Responding to a request

  • Ensure request is valid: To comply with requests to know, organizations need verification and authentication processes to confirm the identity of the consumer making the request and the validity of the request. A request made by a third party on behalf of someone else should be refused without written authority. The Proposed Regulations require organizations to establish, document and comply with reasonable methods for verifying the identity of the consumer. There are also several factors for determining the “reasonable” identity verification method:
    • The type, sensitivity and value of the personal information collected;
    • The risk of harm to the consumer posed by unauthorized access or deletion;
    • The likelihood that fraudulent or malicious actors would seek the personal information;
    • Whether the personal information the consumer must provide in order to verify their identity is easily spoofed or fabricated;
    • The manner in which the business interacts with the consumer; and
    • Available technology for verification.

If the identity of the consumer cannot be verified, the individual submitting the request must be informed that the request cannot be verified. Moreover, organizations must implement reasonable security measures to detect fraudulent identity verification activity and prevent unauthorized access to these records. Note that there are separate verification requirements if the organization maintains a password-protected account with the consumer. Organizations should not collect additional data during the verification process. Instead, they should rely on existing credentials. For example, if, during the period it collected the data, the organization required a dedicated user name, it should use this to verify the requester. We will be addressing some of these issues in other posts; check out one of our recent blog posts on the topic.

  • Narrow the search: Ideally, requests to know should be as specific as possible, and organizations should work with the requestor to narrow the scope as much as possible. For example, if a consumer requests all personal information ever collected by the organization, the search could be vast. But if the organization works with the consumer to determine the specific matter of the consumer’s concern, the requesting consumer may agree to narrow the scope of the request.
  • Determine universe of data that should be searched: This may include electronic records, emails, archived information, information stored on organizational databases and paper files. The CCPA requires disclosure of certain information in response to a request to know, including the source, the purpose for collection and any third parties with which the data is shared, among others; organizations should ensure they are disclosing all required information.
  • Ensure response is timely: Organizations must confirm receipt of a request within 10 business days and respond to the request within 45 calendar days from the time the request is received, not from when the request is verified, although an extension may be possible. It can take a considerable amount of time to respond to a request, and this is a short timeframe. Thus, organizations should begin work on the request as soon as it is received.
  • Review response to ensure it does not contain the personal information of others: The individual is only entitled to their own personal data, and organizations must redact any documents or information related to another individual, unless that individual has provided consent. This becomes complicated in the context of joint household requests. Under the CCPA, all members of a household can jointly request to know or delete specific pieces of personal information for the household. While the household request was referenced in the CCPA, only in the update to the Proposed Regulations have procedures for this request been addressed: businesses may respond to household requests only if all consumers of the household jointly make the request, the business verifies the identity of each consumer, and the business verifies that each is a current household member. If a member of the household is under 13 years of age, there must be verifiable parental consent before compliance with the request.
  • Monitor compliance: Compliance with company policies and procedures for responding to requests should be periodically audited.

It should be noted that under the CCPA consumers are allotted several rights in regards to their personal information, including, for example, the “right to delete” the information businesses have collected about them. While the practical tips described above are particularly geared towards a consumer’s “right to know,” the underlying principles generally can be applied to other forms of consumer requests as well.

In addition, as of now, businesses are exempt from most CCPA obligations in regards to their employees – the exclusion covers information collected “by a business in the course of the natural person acting as a job applicant to, an employee of, director of, officer of, medical staff member of, or contractor of that business” (see more on this in a recent blog post discussing employees under the CCPA). As of now, however, this exemption sunsets on January 1, 2021, and while it is not clear what will follow, considering the current direction of privacy law, it seems likely that there will be more, not fewer, privacy protections for employees by the end of 2020.


In back-to-back decisions bound to have significant impact on Telephone Consumer Protection Act (TCPA) class action litigation, the Eleventh and Seventh Circuit Courts recently reached similar conclusions, narrowly holding that the TCPA’s definition of Automatic Telephone Dialing System (ATDS) only includes equipment that is capable of storing or producing numbers using a “random or sequential” number generator, excluding most “smartphone age” dialers. Each court expressly rejected the Ninth Circuit’s more expansive interpretation from a ruling in 2018, concluding that the TCPA covers any dialer that calls from a stored list of numbers “automatically”. These decisions are significant as most technologies in use today only dial numbers from predetermined lists of numbers.

One of the most complex issues under the TCPA is determining whether the technology utilized qualifies as an ATDS. The TCPA prohibits using an ATDS to make calls to cell phone numbers, absent prior consent of the called party. The complexity lies with the TCPA’s definition of an ATDS as: equipment which has the capacity (A) to store or produce telephone numbers to be called, using a random or sequential number generator; and (B) to dial such numbers.

When the TCPA was enacted in 1991, most American consumers were using landline phones, and Congress could not begin to contemplate the evolution of the mobile phone. The Federal Communications Commission (FCC), with its 2015 Declaratory Ruling & Order (2015 Order), attempted to provide clarifications on the TCPA for the mobile era, including the definition of ATDS and what devices qualify. The 2015 Order only complicated matters further, providing an expansive interpretation for what constitutes an ATDS and sparking a surge of TCPA lawsuits in recent years. The FCC’s expansive definition in the 2015 Order was set aside by the D.C. Circuit Court in March 2018.

The Eleventh Circuit three-judge panel opinion concluded simply, “In the age of smartphones, it’s hard to think of a phone that does not have the capacity to automatically dial telephone numbers stored in a list, giving §227 [of the TCPA] an ‘eye-popping sweep’…Suddenly an unsolicited call using voice activated software (think Siri, Cortana, Alexa), or an automatic ‘I’m driving’ text message could be a violation worth $500…Not everyone is a telemarketer, not even in America.”

In the case before the Eleventh Circuit, the plaintiffs alleged that they had received over a dozen unsolicited calls from the defendants over a one-year period. While the defendants acknowledged that they had indeed placed the calls, they argued that this was not a TCPA violation, as their calling system required too much “human intervention” to qualify as an ATDS. The Court agreed with the defendants, finding that in each element of the calling system there was a “human’s involvement” – from the marketing team creating a “set of parameters” regarding who they intended to contact, to a team of employees programming the “criteria” into the system, a team that reviews the final call list, and finally a team that presses a button labeled “make the call”. “Unless and until the employee presses this button, no call goes out…far from automatically dialing phone numbers, this system requires human involvement to do everything except press the numbers on a phone.”

Last week, less than one month after the Eleventh Circuit’s ruling, the Seventh Circuit, with a similar fact pattern, reached a similar conclusion. The Seventh Circuit noted that accepting the plaintiffs’ arguments against the defendant’s dialing system would have “far-reaching consequences…it would create liability for every text message sent from an iPhone. That is a sweeping restriction on private consumer conduct that is inconsistent with the statute’s narrower focus”. The Seventh Circuit also emphasized the historical intention of the TCPA.

“The [defendant’s] system, like others commonly used today, pulls and dials numbers from an existing database of customers rather than randomly generating them… Determining whether such systems meet the statutory definition has forced courts to confront an awkwardness in the statutory language that apparently didn’t matter much when the statute was enacted: it’s not obvious what the phrase “using a random or sequential number generator” modifies. The answer to that question dictates whether the definition captures only the technology that predominated in 1991 or is broad enough to encompass some of the modern, database-focused systems.”

As we reported last week, several petitions are currently before the Supreme Court addressing issues with the TCPA, all with the potential to significantly impact the future of TCPA class action litigation. Particularly relevant to the Eleventh and Seventh Circuit rulings, back in October of 2019, the Court was petitioned to review the following issues: 1) whether the TCPA’s prohibition on calls made by an ATDS is an unconstitutional restriction of speech, and if so whether the proper remedy is to broaden the prohibition to abridge more speech, and 2) whether the definition of “ATDS” in the TCPA encompasses any device that can “store” and “automatically dial” telephone numbers, even if the device does not “us[e] a random or sequential number generator.” The Court has still not announced whether it will accept this petition.

The future of the TCPA remains uncertain, and 2020 will hopefully provide clarity for organizations facing TCPA class action litigation. While it appears that courts are generally leaning towards narrowing the TCPA in a myriad of respects, organizations are still advised to err on the side of caution during this period of uncertainty when implementing and updating telemarketing and/or automatic dialing practices.