In an April survey of U.S. chief financial officers, 22% of them indicated that their companies planned to incorporate contact tracing into their workplace reopening plan.
And on June 1, Senate lawmakers released a plan to unveil a bipartisan bill that would regulate the burgeoning industry of contact-tracing apps and attempt to resolve some of the issues that have arisen around individual privacy rights, including those of employees, with the need to battle the spread of Covid-19.
The term “contact tracing app” can have a number of different meanings in different scenarios. There are apps like those seen in China, which are government mandated and ask a number of questions regarding the person’s health and recent travels and also tracks all of the individual’s movements. On the other end of the spectrum, there are apps that simply provide notification when someone has been within six feet of someone who has tested positive for Covid-19.
Although apps like these may assist with contact tracing, there are a number of legal considerations and implications to consider before deploying them.
One technical issue with contact tracing apps is that the app’s location and proximity systems are typically not accurate enough to capture every contact instance. In addition, the app will not be aware of extenuating circumstances, like walls or partitions between the two subjects, especially in dense office situations.
Another issue is that transmission may occur from people who don’t have the app, don’t have the app turned on, the app is not functioning properly or the employees are not using it correctly (for example leaving their phone at their desk while they visit the restroom).
Thus, it is unclear if contact tracing apps provide any more accuracy in contact tracing than manual methods, which rely largely on the affected employee’s memory of his or her movements and records of meetings that the infected employee attended. However, if an app and manual contact tracing are used in tandem, this could improve an employer’s overall contract tracing efforts, assuming they can successfully weed out false positive/false negatives.
In addition to the technical and practical concerns, the use of contact tracing apps in the workforce raises a number of legal considerations.
Consistent with federal and state anti-discrimination laws, use of contact tracing apps must be done in a manner that does not discriminate against individuals in any protected category. As such, only requiring their use for select groups of employees, even if they have been deemed “high risk” by the CDC (such as employees who are over 65) would likely run afoul of these anti-discrimination laws. Any requirement that employees use contact tracing apps should be applied to all employees.
Some contact tracing applications may capture data from WiFi signals, GPS, cellular triangulation, and Bluetooth in order to make judgments about where the user is, for how long, and what other application users are around them. In some states, notice and consent is required prior to tracking the geolocation of an individual. Even in states where this is not required, it is a good practice from a common law invasion of privacy perspective.
Moreover, it is likely that users will not be able to sign up for these apps anonymously and their names, email addresses, and possibly date of birth will also be recorded. It is a best practice for employers to disclose the collection and processing of data to their employees and customers (if customers are required to use the app while visiting a location).
In particular, employers with California operations who are covered by the California Consumer Privacy Act (CCPA) should check their notice of collections to employees to see if they are broad enough to cover the functionality encompassed by contact tracing apps, and if not, amend the notice or issue a CCPA-specific notice that governs the use of contact tracing apps in the event any prior notices were not.
There is also the related question of where the data collected will be stored. The information may be kept on the device itself, which would avoid issues regarding data transfer and processing with a third party off-device or the data may be cached on the device, but also aggregated with a third party (likely the developer or their agent or a cloud provider) to process it and provide a result back to users.
Employers should consider what security measures are in place to protect the data, and how much anonymization is added to avoid re-identification of individuals in the event of a breach. Thought must also be given to who will have access to the data once it is collected and stored.
Employers are generally contemplating requiring employees to use a contact tracing app while at work and employers should be very careful with any apps that trace an employee’s movement outside of the workplace. All states have some sort of common law regarding invasion of privacy and tracking their location outside of work, especially if the employee is unaware it is happening, could constitute an illegal intrusion upon seclusion. In addition, a number of states have statutes that protect employees for lawful “off duty conduct.”
Other Employment Law Issues
Another issue arises in unionized workforces. It could be argued that a requirement that employees use contact tracing apps is an alteration to the terms and conditions of employment and could implicate bargaining obligations under the National Labor Relations Act for unionized employers.
Finally, there are wage and hour issues associated with requiring employees to download and use an app, especially if they are required to interact with the app to provide health information on any kind of regular basis.
Given the practical challenges and multiple regulatory schemes implicated, employers must be very careful when implementing contact tracing policies. The advice of legal counsel is vital to ensuring that the employer has carefully considered all the potential risks and challenges.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Karla Grossenbacher is a partner in Seyfarth’s Labor & Employment department in Washington, D.C. She is chair of the firm’s National Workplace Privacy and co-chair of the firm’s National Biometrics Litigation and Compliance team.
Richard Lutkus is a partner in Seyfarth’s Litigation department in San Francisco. He is a member of the firm’s Cybersecurity and Privacy team.
Eric Suits is counsel in Seyfarth’s Labor & Employment department in Sacramento.