Privacy Implications and CCPA Compliance in the Time of COVID-19
The current COVID-19 pandemic has had tremendous impacts on all facets of life, including how people work and communicate. In this time of upheaval, however, it is important for businesses and employers to be mindful of privacy concerns and not relegate privacy and associated legal issues to the cutting room floor. Rather, businesses must assure that they are in compliance with data privacy laws, including in particular the new requirements imposed on many businesses this year by the California Consumer Privacy Act (CCPA). Accordingly, businesses and individuals should pause and assess whether some of the mechanisms used during the COVID-19 pandemic are adequately protecting privacy rights and whether the business is complying with its obligations under the CCPA and other privacy laws.
CCPA Requirements and Privacy Implications of Information Collected from Employees
As discussed in Part 1 of our CCPA Alert Series, section 1798.100 of the California Consumer Privacy Act (CCPA) requires for-profit businesses that meet at least one of the CCPA criteria to inform California consumers and employees (i.e., California residents)—at the time of or before it collects California residents’ personal information—of the categories of personal information to be collected, and the purposes for which the categories of personal information shall be used. A business may not collect additional categories of personal information or use information collected for any additional purpose other than those outlined in its notice, unless it provides the consumer or employee with an updated notice to reflect the additional personal information and/or business purposes for its collection, in accordance with the requirements of Section 1798.100(b). (The CCPA does not apply to government entities or agencies.)
In light of the spread of COVID-19 and the precautions issued by the CDC and public health authorities, the EEOC has issued guidelines that allow employers to take employees’ temperatures to limit the spread of the virus. California employers subject to the CCPA, however, should make sure they are still providing CCPA-compliant notice to employees before or at the time they are collecting employee temperature and other health-related personal information. These notices should, at a minimum, outline the business’s new COVID-19-related collection practices and the purpose of such collection to ensure compliance with the CCPA. Moreover, if the business is inquiring about COVID-19 exposure or any travel or other related movements, employers should be sure that any notice includes this disclosure as well.
Concerns About Privacy During Telecommuting and Video Conferences
In response to the California Governor’s “stay home” Executive Order and other “shelter-at-home” public health orders issued by local municipalities across the State—and an increasing number of stay-at-home orders across the United States (and the world)—businesses, individuals, and even some government agencies have become increasingly reliant on video teleconferencing to conduct business and stay connected. Privacy and cybersecurity experts, however, have been raising alarms about some of these companies’ data collection and sharing practices, which businesses must consider, especially in light of the new requirements imposed on qualifying businesses by the recently enacted CCPA.
Given this rising tide of concern, a privacy lawsuit under the CCPA was inevitable. On Monday, March 30, 2020, Zoom was hit with a putative class action lawsuit, filed in the United States District Court for the Northern District of California in San Francisco, alleging that Zoom has failed to protect its users’ personal information and passed on user data to third parties like Facebook without notifying its users. The suit, Cullen v. Zoom Video Communications, Inc., asserts claims for alleged violations of the CCPA, Unfair Practices under the Business and Professions Code, violation of the Consumer Legal Remedies Act, and Negligence. At the crux of plaintiffs’ privacy claims, the complaint alleges that “Upon installing or upon each opening of the Zoom App, Zoom collects the personal information of its users and discloses, without adequate notice or authorization, this personal information to third parties, including Facebook, Inc. (“Facebook”), invading the privacy of millions of users” and violating users’ privacy rights. The complaint also alleges that despite releasing a new version of the app on March 27 and stating it would no longer send information to Facebook, Zoom failed to block prior versions of the app and did not assure users that information already collected was deleted. The proposed putative class includes “all persons and businesses in the United States” whose personal information was collected or disclosed to a third party “upon installation or opening” of the Zoom app, conceivably an extraordinarily large potential class given how many businesses and individuals have used Zoom during this work-at-home period.
The crux of the privacy issue with Zoom and the allegations in the pending lawsuit is that Zoom was allegedly sharing the data it was collecting with Facebook without explicitly notifying its users. Zoom allows users to log in through Facebook, and its policy noted that sign-in information could be collected, but it did not explicitly state that the data collected was being forwarded to Facebook, nor did it inform users that it sends data to Facebook through the Zoom iOS app even if the user does not have a Facebook account or does not use it to log in. This transfer of data to Facebook is not unique to Zoom, as a number of apps use Facebook’s software development kit (SDK) to implement features on their apps, which has the effect of sending information to Facebook; the plaintiffs allege, however, that Zoom did not inform users that this was happening. Other types of personal information that Zoom reportedly may have collected and shared include when a user opens the app, details on the user’s device such as the model, the time zone and city they are connecting from, which phone carrier they are using, and a unique advertiser identifier created by the user’s device for targeted advertisements. On March 27, 2020, before the lawsuit was filed, Zoom issued a statement that it was removing the Facebook SDK from its iOS client and reconfiguring the client to prevent it from collecting “unnecessary device information” on Zoom users.
Businesses using video teleconferencing platforms such as Zoom to host calls with employees and consumers in California should also be aware of the types of personal information the business has access to and determine whether it may also be collecting personal information from California consumers and employees that may require notice under the CCPA. For example, hosts of Zoom calls are able to monitor user behavior, record sessions, and view household identifying information such as the IP address, location information, device information, and other information. Therefore, it is important to understand and assess whether your business is collecting personal information from participants and, if so, whether those categories of information and the business purposes for the collection are included in your privacy notice.
In addition to the collection of personal information, businesses should also be cognizant of other potential privacy implications of these emerging and expanding technology platforms supporting remote workers. In particular, cybersecurity experts have raised concerns about the security of some platforms and misleading claims about encryption and security. For example, Zoom recently “clarified” that despite earlier statements, it is not capable of assuring “end-to-end encryption” of Zoom calls. Indeed, the company has admitted that it can only encrypt content from Zoom meetings where everyone is using the Zoom app and the session is not being recorded, and confirmed that it is unable to assure content is encrypted end-to-end when users log in using other devices or other means. In addition, concerns over hacking of meetings and multiple complaints of “Zoom-bombing” (where unauthorized users crash in-progress video-teleconferencing meetings) have led to an FBI investigation and caused certain companies such as SpaceX and government agencies such as NASA to prohibit employees from using the video teleconferencing platform for meetings involving confidential information. The FBI’s Boston office also recently issued a cybersecurity warning to users regarding these same issues.
Tracking of Individual Movements
While geolocation data collected from cell phones and other devices has been a hot topic in data privacy for a long time—and is already one of the categories of personal information subject to the notice requirements and other rights under the CCPA—cell phone and other geolocation data has been increasingly relied upon during the COVID-19 pandemic to track individual movements. While such data is no doubt useful for illustrating the spread of COVID-19 and tracking the course of the virus, its increased use is bringing data privacy concerns to the forefront and placing a spotlight on collection methods for geolocation data for all purposes and on the adequacy of privacy and data collection notices, including for businesses under the CCPA.
It has also been widely reported by the Wall Street Journal and other major news outlets that the U.S. federal government, several state and local governments, and foreign governments are all using cell phone and other geolocation data to track how people move around during the COVID-19 pandemic. Indeed, according to the Wall Street Journal, some countries, like South Korea, have started to utilize cell phone apps to track people’s movements and interactions with each other in order to better enable tracing of any COVID-19 positive connections. Although the U.S. appears to be tracking only anonymous movement data for now, this may become an area where further notice would need to be given to employees that have and use business-provided cell phones.
Working from home appears to be the new normal, at least for the foreseeable future, so make sure to evaluate your video teleconferencing use to be more privacy conscious:
- Review the privacy policies of the video teleconferencing platforms you are using or considering using, including in particular their sharing procedures.
- Update your CCPA privacy notices for California consumers and employees to include any new personal information the business may be collecting through its utilization of video teleconferencing technology.
- Consider the video teleconferencing habits of the business’s users and ways to mitigate potential risks and inadvertent collection and disclosure, such as adjusting camera and microphone settings to limit the risk of passive collection of unrelated personal information, use of virtual background images, management of tracking cookies, opting out of secondary data uses when possible, refraining from recording in most instances, and limiting the content you create and confidential information disclosed during video teleconferencing sessions.
If you are implementing policies during the pandemic that may implicate privacy issues, contact the authors and the other attorneys in the Data Security and Privacy team at Atkinson, Andelson, Loya, Ruud & Romo to help navigate any potential actions. If your business is faced with a lawsuit or regulatory enforcement action, AALRR has a team of data privacy litigators well-versed in the CCPA and related law ready to step in and defend you.