Most companies are still subject to state and local stay-at-home orders due to COVID-19. However, as states and local governments begin loosening restrictions, companies will need to consider implementing policies and procedures to reduce the risk of spreading and transmitting COVID-19 for employees, customers, and clients. In developing these policies and procedures, companies should be aware that the use of no-contact temperature taking devices may be subject to privacy laws in order to avoid any unintentional violations of these laws and exposure of themselves for potential liabilities.

The U.S. federal government has acknowledged that a company taking temperatures of its employees is a mitigation tool to reduce the spread of COVID-19. On March 17, 2020, the U.S. Equal Employment Opportunity Commission (“EEOC”) updated its guidance to expressly acknowledge that employers may implement temperature screening measures in response to the current COVID-19 pandemic. The EEOC guidance states that “[b]ecause the CDC and state/local health authorities have acknowledged community spread of COVID-19 and issued attendant precautions, employers may measure employees' body temperature.” Furthermore, the EEOC guidance states that “employers will be acting consistent with the ADA as long as any screening implemented is consistent with advice from the CDC and public health authorities for that type of workplace at that time.” This guidance “may include continuing to take temperatures and asking questions about symptoms (or require self-reporting) of all those entering the workplace.”

There are several issues that companies will have to consider in implementing temperature taking policies. Companies will need to consider who will be taking temperatures, when and where will temperatures be taken, what device will be used to take temperatures, and what precautions should be implemented. Choosing a temperature device will be of utmost significance because different devices may raise different privacy issues.

Illinois Biometric Information Privacy Act (“BIPA”)

BIPA restricts the collection, use, or other processing of biometric identifiers by entities, which includes employers, unless certain requirements are met. Some of the requirements under BIPA include 1) informing individuals that biometric information is being collected or stored; 2) informing individuals about the purpose and length that this information will be retained; 3) obtaining a written release for the collection, use, and storage of that information; and 4) establishing a policy on these issues available to the public.

No-Contact Infrared Scanners

The simplest and perhaps the most common device for taking temperatures are no-contact infrared scanners. These devices are operated by placing the scanner a few inches from an individual’s forehead and pushing a button to obtain a temperature readout. BIPA should not apply to no-contact infrared scanners because the term “biometric identifier” generally refers to “retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry.”

Facial Recognition and Thermal Scanners

The next type of device uses facial recognition to identify the faces of individuals and thermal scanning to take the temperature of individuals passing by the device. Some of these devices take the temperature of one person at a time, but there are devices capable of scanning large groups. These devices can be used to scan large gatherings of people, and already see some use in airports and train stations. In contrast to no-contact infrared scanners, the use of devices relying on facial recognition to identify individuals likely falls within the purview of BIPA. Companies using these devices must adhere to BIPA’s requirements, otherwise they can be subject to costly violations. Companies should also be aware that if they are using these devices for data collection, they could be subject to state breach notification laws in the event of any data breaches.

Wearables

The final type of device for taking temperatures is categorized as wearable devices. These devices include watches, rings, and stick-on sensors that can collect temperature, heart rate, sleep information, steps, calories, and other data, many of which can be paired with smart phones. Companies must be aware that these devices could be collecting personal information that is potentially subject to BIPA as well as state breach notification laws.

Conclusion

Companies that implement policies for the use of no-contact temperature devices should be cognizant of each device’s data collection capabilities and only collect no more data than they actually require. Devices that collect biometric information should only be used with caution and in compliance with BIPA. As more companies enter the marketplace to sell no-contact temperature devices, it will be especially important to vet these companies to determine what data will be collected and to understand the terms of use for using the devices to prevent any potential BIPA violations.

CONTACT

Robert D. Tepper, Esquire
rtepper@satclaw.com
mobile: (312) 303-3116

John W. Campbell, Jr., Esquire
jcampbell@satclaw.com
Mobile: (312) 391-3126

Websites:
https://satclaw.com/
https://www.satcsolutions.com/