
Vaccine Passports Pose the Latest COVID-19 Challenges

The Legal Intelligencer
By Mark McCreary

As the long COVID-19 winter quickly thaws, businesses are struggling with questions about how to safely welcome back customers and workers. Many businesses want to be accommodating and remove masking requirements, but also want to ensure that unvaccinated individuals are safe and not unnecessarily exposing vaccinated individuals.

To achieve a balance of protecting all, a consensus seems to be emerging that gatherings and settings that pose a high risk to attendees will require proof of vaccination from those attendees. Unfortunately, like almost anything in this country during these times, attitudes on how to approach vaccination restrictions are often driven by political affiliations and swing wildly depending on where you live.

Vaccine passports have become a potentially elegant solution for admission to gatherings and settings that will require proof of vaccination.

Vaccine passports are paper or digital forms certifying that a person has been vaccinated against a disease. In this case, we are focusing on digital certifications, most likely on a mobile device, confirming that an individual has been fully vaccinated against COVID-19. One of the benefits of a well-implemented vaccine passport is that a business can verify the vaccination status of an individual without the individual sharing any further information with the business. All the business sees is a QR code that, when scanned, indicates that the individual is vaccinated.

Initial Legal Questions

The ability to use vaccine passports, and attitudes toward their use, differ based on geography. A handful of states are allowing or even facilitating the use of such tools by the private sector. On the one hand, New York already has an option available. Other states are considering the same.

On the other hand, several states such as Arizona, Florida, Idaho, Montana, Texas and Utah have banned local governments or businesses from requiring patrons to provide proof of vaccination for everyday activities. The concern that has been raised is that if visiting bars, restaurants and movie theaters, attending sporting events, and boarding commercial flights are available only to the vaccinated, we will effectively be creating two classes of citizens and threatening individual freedoms, health privacy and the free flow of commerce.

Because there is so much variation, businesses should stay abreast of vaccination passport laws and regulations in all states in which they operate. Before implementing a vaccine passport verification process, a business must consider the web of privacy and data security laws that may be implicated by this process.

New York’s Solution

In March, New York launched its vaccine passport solution, Excelsior Pass, which eliminates the need for an individual to carry a CDC vaccination card or evidence of a recent negative COVID test. Excelsior Pass is already in use at many venues, including Yankee Stadium and Madison Square Garden.

Excelsior Pass has some critics complaining that this information is being shared with the state of New York, which is inherently dangerous because of state governments’ long record of inadequate data protection. Others counter that the information required to be provided to the state of New York is information that the state already has.

Florida’s Ban on Vaccine Passports

Unlike New York, Florida has prohibited any use of vaccine passports. Florida is concerned that “use of vaccine credentials raises concerns that unvaccinated individuals could be treated unfairly by employers, businesses, governmental entities or the community at large.”

Limiting Data Collected and Data Sharing

A business’ first and most important objective will be to limit the amount of data collected. The best approach is data minimization: the mindset and practice of collecting only the information that is necessary to accomplish your purpose.

The business and the purpose of determining the person’s vaccination status will dictate what is the minimum data necessary to verify an individual’s vaccine status. Airlines, concert venues, restaurants, and sports venues likely only need to know the vaccination status of an individual. Other businesses may need to know date of vaccination and underlying health conditions. For most vaccine passport uses, only vaccination status will be necessary, and rarely if ever will geolocation tracking information be appropriate.

The second objective will be to eliminate or limit the subsequent disclosure of collected data. The disclosure of data collected should be limited to what is necessary to allow the individual to provide proof of vaccination.

Selection of Vaccine Passport Solution Vendors

Privacy by Design is a concept that became commonplace and expected as a result of the European Union’s General Data Protection Regulation (GDPR) and new U.S. state privacy laws. Put simply, Privacy by Design is an approach that ensures businesses consider privacy and data protection issues at the design phase and throughout the lifecycle of any system, service, product, or process.

A business should investigate whether the provider has designed its product to collect only the data that the business has determined is necessary and to restrict unnecessary, further disclosure of that data. In other words, is the vendor using a Privacy by Design approach in building its vaccine passport product?

For any vaccine passport vendor to succeed and comply with both privacy concerns and laws, a deliberate and thoughtful Privacy by Design approach is critical.

Security

Ideally, the passport vendor should never receive any of the data entered by the individual. Information that is input into the vaccine passport could continue to reside on the smartphone, for example. However, not all solutions will offer that approach, and that is not necessarily a problem. The reason for sharing the data should be considered on a case-by-case basis, with an approach of sharing as little as possible.

Any vaccine passport solution that collects personal information must implement “adequate technical and organizational measures” to secure this data. There are many ways to address appropriate security and there is not a one-size-fits-all answer. However, what is required is likely more than what you expect, and that bar continues to be raised.

Disclosure and Consent

As has become the default, businesses must disclose their data collection, monitoring and usage practices. It has become customary, and legally required in some cases, to clearly inform consumers about what data is being collected, how they are being monitored and how their data will be used so they can choose whether to allow such collection, monitoring and usage.

Additionally, consumers must be permitted to actively choose to allow such collection, monitoring and usage. The old practice of simply disclosing the data collection, monitoring, and usage without obtaining explicit consent is now inadequate. The consent process should require the consumer to take active steps to affirm their permission. That can be as simple as providing an opportunity to review a properly drafted Privacy Notice that describes (among other things) what data is collected, how it is used and to whom it will be disclosed, and requiring them to check a box (that is not presented as checked) acknowledging their consent.

Collection of Sensitive Data

Businesses and government should also understand the legal significance of the information that is being collected. The GDPR, which has been in effect since 2018, as well as the California Privacy Rights Act and Virginia Consumer Data Protection Act, which are both set to go live in 2023, include heightened protections for “sensitive” consumer data, a category that includes health and location information that may find its way into at least some versions of vaccine passports.

The new California privacy law expands the state’s landmark Consumer Privacy Act by giving consumers the right to limit the use and disclosure of a new category of “sensitive” personal information, while the Virginia law is the first in the nation to require companies to obtain affirmative opt-in consent for processing sensitive data. Both states include health information, race, ethnicity, and precise geolocation data in their definitions of “sensitive” data.

Determining whether the use of a vaccine passport is an appropriate way to meet a business’ goal of protecting customers and workers is only the first step in this journey. A business must also consider many other aspects of the journey from selection to implementation to use.

Reprinted with permission from the July 9 issue of The Legal Intelligencer. (c) 2021 ALM Media Properties, LLC. Further duplication without permission is prohibited. All rights reserved.