Corporate Compliance Insights

Data Privacy Laws Protect Consumers, But They Can Apply to Your Employees, Too

States increasingly enacting laws covering employee data

by Ashley Orler and Sarah Rugnetta
August 6, 2024
in Data Privacy, HR Compliance
While most corporate discussions of data privacy understandably focus on consumers given the expanding body of state laws that apply, there’s another audience to consider: employees. Ashley Orler and Sarah Rugnetta of law firm Constangy, Brooks, Smith & Prophete look at how employers’ use of modern technology like AI, biometrics and surveillance tools may run afoul of state laws.

Monumental changes are underway, thanks to evolving technologies and laws that attempt to regulate how employers use technology and data. New technologies like artificial intelligence (AI), biometric information and surveillance are helping to improve efficiency and production, but they present new legal challenges. As companies embrace the advancements of technologies in the workforce, they must be mindful of laws regulating data privacy and understand employee rights as they relate to the collection and use of employee data.

Data privacy laws

Since California passed the first comprehensive data privacy law in 2020, almost two dozen states followed with their own laws. California is the only state with comprehensive data privacy law that expressly regulates employee data, but many other state and local laws restrict how employers collect, use and disclose employee data. Many of the laws are narrowly tailored to specific types of information, such as biometric data.

These laws often intersect with federal regulations, creating a complex web of requirements that businesses must navigate to ensure compliance. For example, HIPAA restricts how employers can access and use employee health information when managing self-funded health plans, and the Fair Credit Reporting Act (FCRA) requires employers to provide certain disclosures to job candidates and employees if they use a “consumer reporting agency” to conduct background checks or drug testing.

Below are a few of the laws and regulations, from various states and at the federal level, governing the processing of employee data that employers should pay particular attention to.

Biometrics

Employers are increasingly collecting this type of employee information — including fingerprints, handprints, voice prints and retina scans — for reasons ranging from timekeeping to security. However, employers’ collection and use of such data may result in significant legal liability. For instance, Illinois’ Biometric Information Privacy Act (BIPA) mandates that businesses provide written notice to employees about the collection, use and retention of this information and requires employers to obtain signed consent from individuals before collecting, storing, using or selling their biometric data. Class-action litigation brought by employees alleging violations of BIPA has resulted in millions of dollars in settlements paid by employers who often do not realize they collected biometric information until the lawsuits are filed.

Privacy disclosures

The California Consumer Privacy Act (CCPA) sets a high standard for privacy disclosures, requiring businesses to inform employees and other consumers about how personal information is collected, used and disclosed to service providers and other third parties. In addition to posting privacy policies on websites regarding the collection of employee data via the website and in the course of business, employers subject to CCPA should issue privacy notices to California-based employees and applicants, detailing the categories of information collected, the purposes for which it is used and the entities with which it is shared. Even if employees are not located in California, the CCPA applies to employers doing business in California if the business has annual gross revenue in excess of $25 million, processes personal information of 100,000 or more California consumers or derives 50% or more of its annual revenues from selling California customers’ personal information.

Artificial intelligence

The use of AI in the workplace, particularly in recruitment, is another area fraught with legal and ethical considerations. AI tools must be carefully vetted to ensure they do not inadvertently discriminate against job candidates and employees. The Equal Employment Opportunity Commission (EEOC) has issued guidelines emphasizing that employers are liable for any biases in AI tools they use. The guidelines explain that employers should assess whether a selection procedure (e.g., hiring, promotion, firing) has an adverse impact on a particular protected group by checking whether the use of AI causes a selection rate that is “substantially” less than the selection rate for individuals in another group.

Additionally, New York City recently passed a law prohibiting employers from using certain automated tools in employment decisions unless the tools are subjected to a bias audit within one year of the use of the tool. This law also requires employers to notify employees and candidates about the use of automated tools and disclose information about the bias audit. We expect to see many new laws and regulations that address the privacy, bias and cybersecurity implications of AI.

Employee surveillance

Numerous states have passed laws that limit employer surveillance of employees. For example, Delaware requires employers to notify employees of any electronic monitoring before conducting it. Connecticut also requires advance written notice of employee electronic monitoring, including of computer, telephone, wire, radio, camera, electromagnetic, photoelectronic or photo-optical systems. Additionally, the CCPA includes geolocation information within its definition of sensitive personal information, so businesses subject to the CCPA that collect that data (even inadvertently through the usage of smartphones, laptops and vehicles) must disclose this practice in privacy notices.

Practical tips for employers

Given the complexity and dynamic nature of data privacy laws, employers should consider taking proactive steps to comply with these and other applicable laws and regulations. Below are a few practical ways employers can manage risk related to the collection of employee data:

Assess applicable laws

Employers should regularly determine which laws apply to their businesses based on the location of the businesses and where employees reside. This is not always as easy as it sounds. For example, the CCPA contains data volume and annual revenue thresholds that often apply to employers that are not headquartered in California. In addition, determining whether certain data constitutes biometric information under different laws is not always straightforward. However, taking the time to understand which laws apply is a critical step toward building a compliance program.

Conduct a comprehensive audit

After assessing which privacy and employment laws apply to the business, employers should audit their compliance with applicable laws and regulations. The audit can be an informal audit of procedures and practices conducted by the employer’s internal legal or compliance department or a formal audit conducted by a security vendor or law firm. This audit should include an unbiased review of existing policies, procedures and contracts to ensure they meet legal requirements, as well as document in a written risk management plan how the employer plans to address specific compliance gaps.

Implement robust privacy policies

Employers should develop and implement detailed privacy policies that clearly articulate how employee data is collected, used and disclosed. The policies should be easily accessible and clearly communicated to all employees. They should also designate specific individuals or committees to oversee compliance. In addition, employers subject to the CCPA must issue privacy notices to employees and applicants.

Conduct regular training sessions

Employees involved in handling personal data need regular training to ensure they understand the legal requirements and best practices. This includes training on responding to data subject requests; legal requirements regarding collection, maintenance and disclosure of employee data; and requirements regarding identification and response to data incidents.

Obtain informed consent

Where required, employers should obtain explicit consent from employees before collecting or using their personal data. This is particularly crucial for biometric information and other categories of sensitive personal data. Providing clear disclosures about the collection and use of personal information can help defend against potential claims by employees.

Leverage technology responsibly

When implementing new technologies, particularly AI and surveillance tools, employers should ensure thorough vetting and testing of the tools to avoid unintended biases or privacy violations. Furthermore, employers should conduct thorough due diligence when vetting vendors to understand the vendors’ capabilities, limitations and specific tools.

Data minimization and retention

Employers should minimize data collection, gathering only what is necessary for legitimate business purposes. They should also establish and document clear retention schedules to ensure data is not kept longer than needed.

Be transparent about employee monitoring

If employee monitoring is necessary, provide clear and advance notice to employees about the nature and extent of the monitoring, how the data will be used and whether it will be disclosed to third parties.

Stay updated on legal developments

Data privacy laws are continually evolving. Stay informed about new legislation and regulatory changes. This may involve subscribing to legal updates, participating in industry webinars and consulting with legal counsel.

Navigating the digital frontier of employee privacy rights and legal obligations requires a multifaceted and informed approach. By understanding the intricate legal landscape and implementing robust privacy practices, businesses can safeguard employee data, maintain compliance, and foster a culture of trust and transparency. The insights and practical tips shared here serve as a valuable guide for employers striving to enhance their data privacy practices in the modern workplace. As the legal environment continues to evolve, staying proactive and informed will be key to successfully managing employee privacy and data protection challenges.


Tags: California Consumer Privacy Act (CCPA)
Ashley Orler and Sarah Rugnetta

Ashley Orler is a partner at Constangy, Brooks, Smith & Prophete in Chicago. She assists clients with a variety of day-to-day employment matters, as well as internal investigations related to harassment, discrimination, retaliation, leave practices and compensation.
Sarah Rugnetta vice chairs Constangy’s cyber team from the firm’s New York office. With more than 15 years of experience in privacy law, she leads the provision of compliance advisory services, counseling clients on strategies to mitigate risk associated with data privacy and security.
© 2025 Corporate Compliance Insights