Most organizations are aware of the recent proliferation of comprehensive privacy laws. Starting with the General Data Protection Regulation (GDPR) in the E.U. in 2018, there has been a steady flow of new privacy laws with differing scope and coverage. On the U.S. front, California led the way with passage of the California Consumer Privacy Act (CCPA), effective January 1, 2020, and amended by the California Privacy Rights Act (CPRA), effective January 1, 2023. Other states have passed similar laws, including Virginia, Connecticut, and Colorado, and yet other states have comprehensive privacy legislation pending.
Organizations may be aware of the consumer focus of these privacy laws, with consumers now having the right, for example, to full disclosure regarding how an organization collects and shares personal information and the right to request copies, deletion, or correction of personal information. Organizations should be aware, however, that in many circumstances there are others who may also have rights with respect to their information: employees.
Recent action by the California Attorney General illustrates the importance of organizations taking steps to protect and provide access to employee information. On July 14, 2023, the California Attorney General instituted an investigative sweep, sending letters to several large California employers seeking information on how the organizations are complying with CCPA in connection with employee data.
When CCPA was originally passed, personal information of employees and business-to-business contacts was out of scope, with an expectation that the California legislature would address employee and business-to-business information separately. Other state privacy laws passed after CCPA followed suit and excluded employee information from scope. This carve-out made sense on several fronts. The volume and type of information an organization collects about its employees is likely to differ greatly from that collected from a typical consumer. For example, HR files may often include sensitive categories of information like financial information (collected to enable salary payment), health information (collected to administer benefits), and racial or ethnic information. And the employer/employee relationship is, by its nature, very different from the business/consumer relationship. An employee expects an employer to collect and process a certain amount of personal information as a normal part of the relationship. Consumers, on the other hand, will often be surprised at the type and volume of information a business collects and how it uses that information.
CPRA looked like it would continue this practice of excluding employee information from its scope; the ballot initiative, which was approved by voters November 3, 2020, extended the carve-out until January 1, 2023, noting that “[t]he privacy interests of employees and independent contractors should also be protected, taking into account the differences in the relationship between employees or independent contractors and businesses as compared to the relationship between consumers and businesses.” CPRA, Section 3.A.8. However, when January 2023 arrived, the California legislature had not addressed employee privacy in separate legislation and the CCPA/CPRA carve-out expired.
The investigative sweep in California should emphasize to organizations the importance of being aware of obligations regarding employee personal information. CCPA is limited in scope to organizations that do business in California, but it is far from the only law that speaks to obligations employers have vis-à-vis employees. These can vary widely in coverage and application. For example, we’ve written previously on requirements imposed on New York employers who monitor, or want to reserve the right to monitor, employee telephone calls, emails, or internet use.
And beyond this, state cybersecurity and breach notification laws rarely exempt employee information. Case in point: the N.Y. SHIELD Act, N.Y. Gen. Bus. Law § 899-bb, requires employers to protect certain types of employee information (such as Social Security numbers and driver’s license numbers, but also biometrics and online credentials) in the same way they would consumer information. And if that information is acquired or accessed by an attacker, employees are due the same type of notice of a “breach of security of the system” as consumers. Moreover, the definitions of the types of data that must be protected, or for which a breach notification may be due, differ by state. With the interplay between state comprehensive privacy regimes and often overlapping data breach and cybersecurity requirements, the data protection landscape for employee data is complex, with numerous potential pitfalls.
The most important step an organization should take in this space is to analyze which requirements it is subject to in connection with employee information. The patchwork nature of potentially applicable laws makes this a challenging task, particularly for organizations with employees in multiple states. And consumer-facing organizations should not forget that their employees may also be their customers. An employee may lack certain rights with respect to their employee data, but may have the full slate of those rights with respect to the data the organization holds about them as a customer. Once an organization has identified its obligations, it can then develop processes for responding to data requests, adequately protecting data, and otherwise meeting the obligations it has identified. And the one constant in this space is change. The rules in place in relation to employee data today will not be the same rules in place in the near future, and organizations must regularly reassess the types of personal data they process, the grounds for that processing, and what rights may apply.