Contact-tracing during COVID-19 raises data privacy implications for restaurants.
It cannot be argued that COVID-19 is anything but a gut-punch to the restaurant industry. Projections for business sustainability are low and prospects grow bleaker each day that restaurants go without patrons who stay away due to mixed messages about safety. As restaurants struggle to survive, they face another hurdle in protecting and maintaining data privacy of customers in the context of required state or municipal contact-tracing rules. Generally, contact-tracing requirements are a component of hastily implemented patchwork regulations designed to limit the progress of the virus. In implementation, the data necessary for contact tracing implicates privacy concerns that many businesses are not prepared to manage during a time when enterprises are stretched to the maximum.
As businesses reopen or increase capacity, some jurisdictions have encouraged restaurants to maintain contact lists of all persons who visit the premises, including, of course, customers. Washington State requires the maintenance of contact lists as a condition of reopening. Lawful implementation of contact tracing also requires restaurants to successfully navigate data privacy compliance issues.
Personally Identifiable Information
In order to facilitate effective contact tracing, restaurants need to create an inventory delineating the names and contact information (e.g., phone numbers and addresses) of customers and the dates and times of their visits. By complying, restaurants are controllers and processors of personally identifiable information (PII), which implicates data privacy regulations with potential legal repercussions. For example, the Federal Trade Commission can prosecute as an unfair and deceptive trade practice a restaurant’s misuse of PII or its failure to properly safeguard PII, potentially exposing the restaurant to fines or a privacy audit.
Additionally, states – including California, Connecticut and New York – have data security laws which impose obligations on businesses acting as data controllers and processors to ensure the security, confidentiality and integrity of aggregated PII. However, many of these state laws impose prerequisites to applicability, resulting in a de facto exclusion of small to medium-sized regional restaurants. This is also the case where PII is collected strictly for non-commercial use. For example, the California Consumer Privacy Act applies only to businesses with annual gross revenue of at least $25 million or those aggregating personal data belonging to at least 50,000 people for commercial purposes.
General Data Protection Regulation
Restaurants acting as data controllers and/or data processors may also be subject to the European Union’s General Data Protection Regulation (GDPR), which imposes data security requirements on businesses that offer goods or services to, or monitor the behavior of, EU citizens. In other words, technically speaking, an American restaurant may be subject to GDPR where it adds an EU citizen to its contact list in furtherance of contact tracing efforts. Practically speaking, however, it is unlikely that GDPR would be enforced against small to medium-sized regional restaurants operating within the United States that are collecting PII to comply with regulatory requirements.
Whether contact tracing efforts are imposed by law or adopted through internal policy, restaurants can operate within the parameters of data privacy law by adhering to the following general rules of thumb:
- Minimize data collection: Limit the amount and type of PII collected to that which is strictly required for contact tracing purposes (i.e., person’s name, contact information, and the date and time on premises).
- Restrict data use: Limit use of PII to exclusively contact tracing; additional or different use, such as marketing or advertising, requires disclosure and consent.
- Be transparent: Post a conspicuous privacy notice advising of the restaurant’s collection of PII including disclosure of its intended use and retention time as well as identification of the persons and/or entities with whom it will be shared.
- Provide customers with access: Permit customers access to the collected PII as well as the ability to correct any inaccuracies.
- Limit access: Designate contact tracing coordinator(s) responsible for management and protection of the collected PII and ensure that the contact tracing coordinator has exclusive access to collected PII.
- Limit retention and properly dispose: Retain PII for no longer than necessary to fulfill the contact tracing goal, which is typically thirty to sixty days. Additionally, dispose of PII by shredding, erasing or otherwise modifying it to make it unreadable or undecipherable (such as encryption). Thirty-five states have their own data destruction laws; consult state law before disposing of PII.
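As an added example (not from the article), a minimal Python contact log that enforces the rules of thumb above in code: only the required fields are accepted, reads are limited to designated coordinators and to the contact-tracing purpose, and records are purged once the retention window passes. The field names, the 30-day window and the coordinator role name are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
# Constructed example enforcing: minimum fields, use limited to contact tracing,
# coordinator-only access, time-boxed retention. Names and window are assumptions.
REQUIRED_FIELDS = {"name", "phone", "visited_at"}  # minimize: nothing else is kept
RETENTION_DAYS = 30                                 # within the 30-60 day range

@dataclass
class Visit:
    name: str
    phone: str
    visited_at: datetime  # timezone-aware

class ContactLog:
    def __init__(self, coordinators):
        self._coordinators = set(coordinators)  # designated coordinators only
        self._visits = []

    def record(self, entry: dict) -> None:
        # Reject entries that carry more (or less) than the required minimum.
        extra, missing = set(entry) - REQUIRED_FIELDS, REQUIRED_FIELDS - set(entry)
        if extra or missing:
            raise ValueError(f"extra={sorted(extra)} missing={sorted(missing)}")
        self._visits.append(Visit(entry["name"], entry["phone"], entry["visited_at"]))

    def purge_expired(self, now: datetime) -> int:
        # Drop records older than the retention window; returns how many were removed.
        cutoff = now - timedelta(days=RETENTION_DAYS)
        before = len(self._visits)
        self._visits = [v for v in self._visits if v.visited_at >= cutoff]
        return before - len(self._visits)

    def lookup(self, requester: str, purpose: str, since: datetime, until: datetime):
        # Restrict both who may read and what the data may be used for.
        if requester not in self._coordinators:
            raise PermissionError("only designated coordinators may read the log")
        if purpose != "contact_tracing":
            raise PermissionError("use other than contact tracing requires consent")
        return [v for v in self._visits if since <= v.visited_at <= until]

def demo():
    # Constructed sample visits: one inside the retention window, one outside it.
    now = datetime(2020, 8, 1, tzinfo=timezone.utc)
    log = ContactLog(coordinators=["coordinator"])
    log.record({"name": "A. Patron", "phone": "555-0100", "visited_at": now - timedelta(days=3)})
    log.record({"name": "B. Patron", "phone": "555-0101", "visited_at": now - timedelta(days=45)})
    purged = log.purge_expired(now)
    found = log.lookup("coordinator", "contact_tracing", now - timedelta(days=14), now)
    return purged, [v.name for v in found]
```

Run purge_expired on a schedule (daily is enough for a 30-day window) so that expired records do not linger between lookups.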
The hope and expectation is that contact-tracing and the challenges it brings will be required for only a limited time. Nevertheless, the risks and opportunities it creates for understanding PII responsibilities should be treated as part of a long-term framework for good data-privacy practices.