As part of Polsinelli's COVID-19 guidance, below we summarize three commonly asked questions regarding COVID-19 and obligations under CCPA and GDPR.

Can I ask employees about whether they have symptoms of COVID-19 or if they have tested positive?

CCPA:

Employers have an obligation to protect their employees' health. Therefore, employers may collect information from employees regarding their health, provided the employee is given CCPA compliant notice of such data collection. However, employers should not gather unnecessary information and they should use appropriate safeguards to protect any specific health information they do collect.

If an employee has tested positive, or has symptoms, the employer can inform fellow employees (and others who may be potentially impacted) of their possible exposure, but should not disclose the identity of the impacted individual.

GDPR:

The European Data Protection Board, and various Data Protection Authorities, have issued guidance regarding data protection and COVID-19. See here for the European Data Protection Board Guidance.

The issued guidance is consistent in the requirement that organizations ensure the protection of personal data, notwithstanding the shared goal of fighting COVID-19. As such, employers still need to have a lawful basis for processing EU personal data, even in the current health crisis.

The good news is that processing of personal data (including healthcare or other special category data) is permitted in the context of compliance with a legal obligation to which an employer is subject, such as obligations relating to health and safety in the workplace, or to the public interest, such as the control of diseases or other threats to health. Therefore, it is reasonable to ask employees if they are experiencing COVID-19 symptoms or if they have visited a particular country. However, employers should not gather unnecessary information and they should use appropriate safeguards to protect any specific health information they do collect. Employers should also be careful about performing medical check-ups on employees, as national laws differ in this respect.

If an employee has tested positive, or has symptoms, it is also reasonable for the employer to inform fellow employees (and others who may be potentially impacted) of their possible exposure, but employers should not disclose the identity of the impacted individual. In cases where it is necessary to inform others of the identity of the impacted individual, organizations should ensure that national law permits it and should ensure that impacted individuals are informed in advance that their identity may be disclosed.

We have suffered a breach. Do we still have to notify regulators according to the statutory requirements (i.e., within 72 hours for the GDPR)?

CCPA:

Yes. If a business suffers a data breach requiring notification to more than 500 CA residents, the business is still required to notify the CA Attorney General of such breach.

GDPR:

Yes, the applicable Data Protection Authority cannot change the 72-hour breach notification requirement under the GDPR. However, various Data Protection Authorities (for example, the UK Information Commissioner) have issued guidance stating that they do not operate in isolation from matters of public concern, such as the COVID-19 pandemic. As a result, Data Protection Authorities may adopt a more lenient approach to enforcement of the GDPR if an impacted organization can show that its delay in reporting a breach was the result of the COVID-19 health emergency.

We have received a consumer rights request. Do the timeframes still apply for responding to consumer requests?

CCPA:

Yes. However, the CCPA allows for one 45-day extension for responding to requests when reasonably necessary, provided the consumer is given notice and an explanation of the extension within the initial 45-day period.

While the CA Attorney General has not provided guidance on whether delays caused by the COVID-19 pandemic constitute "necessary" under the statute, the current health emergency is likely to qualify. Importantly, businesses should keep in mind that the CCPA's requirement to confirm receipt of requests to know and requests to delete within 10 business days cannot be extended. In addition, the 15-business-day compliance period for responding to requests to opt out also cannot be extended.

GDPR:

Yes. However, as with breach notification, various Data Protection Authorities have issued guidance stating that while they cannot change statutory deadlines, they do understand that usual compliance and information governance resources may currently be diverted to other areas during the COVID-19 pandemic. Therefore, there may well be a more lenient approach taken to enforcement, but organizations should continue to keep individuals making data subject requests updated as to the status of their request and the likelihood of delays in responding.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.