By Eric D. Morton
California privacy laws now give expansive rights to employees about the data collected by their employers. Employers have new obligations as to the employee data they collect.
Ironically, these new legal obligations come into play at a time when employers are collecting more and more data about their employees. Since the beginning of the pandemic, many more employees work from home. Employers are often concerned about the productivity of those employees. To meet those concerns, technology companies have developed new and increasingly sophisticated software to allow businesses to track employee performance and productivity. The result is that employers are collecting considerable amounts of data about their employees. Businesses that collecting such information about their employees are also increasing their legal and logistical burdens.
California Privacy Laws
The California Privacy Rights Act (“CPRA”) is the main source of privacy protection for employees regarding data collected by their employers. CPRA is broadly aimed at consumers and includes employees within that definition.
The CPRA includes employees in the definition of “consumers,” thereby effectively extending all requirements regarding businesses’ handling of consumer personal information to employee data. Before it was amended by the CPRA, the California Consumer Privacy Act (“CCPA”) provided limited exemptions for employee data that was collected in relation to their role as employee, applicant, or independent contractor. Businesses were required to adequately safeguard employee personal information, and notify them of the categories of data that would be collected and the purposes for which the data would be used.
As of January 1, 2023, employees were giving the same rights as consumers under CCPA. The CCPA requirements with respect to consumer data – including the right to know, the right to delete, the right to non-discrimination for
exercising rights, and the right to opt-out of the sale of personal information – now apply to employees as well. Also effective in January 2023, the CPRA grants consumers new rights, such as the right to correct inaccurate personal information, the right to know about automated decision making and to opt out of it, and the right to limit the use of sensitive personal information.
Privacy Notices
Businesses must provide employees with a privacy notice identifying the categories of personal information will be collected, and whether that personal information is to be sold or shared, and the length of time for which the employer intends to retain that information. A company that uses a third-party service to collect personal information on its behalf must inform employees of this third-party service in its privacy notice. Basically, employees must be made aware of when, how and why their personal information is being collected. If a business is using a vendor to handle employee data, the business should have a data privacy agreement with that vendor.
Privacy Notices should be competently and carefully drafted. Some companies have presented their employees with badly written privacy notices that contain verbatim portions of the CCPA. Employees don’t understand such notices and are confused and can be suspicious of their employers as a result.
If a business begins collecting more employee data, such as through new surveillance methods, the business needs to inform its employees.
Use of Data
The right to restrict the use of sensitive personal information applies where businesses use sensitive personal information to “infer characteristics” about an individual. The CPRA includes in its definition of personal sensitive information any “mail, email and text messages unless the business is the intended recipient of the communication.” This means that communications between employees might be sensitive personal information. Companies should consider whether scanning the content of employees’ communications for purposes of evaluating their productivity would amount to inferring characteristics about individuals, in which case their processing activities would fall within the scope of this right.
Employee Rights
When an employee requests to exercise their rights under the CPRA, businesses must implement the
necessary processes to respond adequately to those requests. Foremost, a business must know what information it collects and where it is stored. Before sending privacy notices to its employees, a business must determine what information is collecting and how and where it is stored. The CCPA requires businesses to inform employees of how they can make data requests.
Even if some businesses’ processing activities do not require them to give employees the right to limit the use of sensitive personal data, employees may still exercise their right to know or delete information collected about them.
Employers will need to evaluate how they collect employee information and where its is stored and used. They will need to give appropriate and well written privacy notices to their employees. Employers will also need a process to comply with the exercise of privacy data rights from their employees. This is a
Eric D. Morton is the principal attorney at Clear Sky Law Group. He can be reached at 760-722-6582, 510-556-0367, or emorton@clearskylaw.com.