As we ring in the new year, employers around the country will be bringing in new or updated employee privacy notices. And while these notices were initially targeted to California employees because of privacy requirements under the California Consumer Privacy Act (CCPA), they have gradually expanded to cover other jurisdictions that saw new laws recently, impacting employee privacy. We suspect 2023 will be no different, so below we highlight a few trends at the intersection of employment and privacy law.
Notice and New Consumer Privacy Rights for HR Data
The California Privacy Rights Act, which takes effect on January 1, 2023, and updates and replaces the CCPA, will wave goodbye to the employee exemption and apply the full suite of California privacy rights to HR data (this includes employees, contingent workers and job applicants). So, in addition to the requirement for a privacy notice, individuals living in California will have the rights of access, correction, deletion, limitation on use and disclosure of “sensitive” personal information, and opt-out of data sales and cross-context behavioral advertising relating to HR data. These additional rights have forced companies to update their employee privacy notices (and to implement procedures for handling requests to exercise these new rights). And although these rights technically apply only to California residents, some companies are opting to make their notices (and even the rights) available company-wide.
Notice Requirements for Employee Monitoring
New York Senate Bill S2628, passed in 2021 and effective May 2022, requires employers in the state to provide employees notice of electronic monitoring. This includes any monitoring or interception of phone conversations, email transmissions or internet access/use. The notice must be provided in writing and acknowledged by the employee in writing or electronically. The notice must also be posted in a conspicuous place that is readily available for viewing by employees.
Notice and Opt-Out for Automated Employment Decisions
New York City Law 2021/144, also passed in 2021 and taking effect on January 1, 2023, will require notice of the use of artificial intelligence (AI) in hiring decisions as well as annual audits to assess potential bias in the use of such AI. The law regulates “automated employment decision tools” used by employers to assist or replace discretionary decision-making in hiring and promotion decisions. Individuals subject to such decisions must receive notice that an automated tool will be used and must be given the opportunity to request an alternate selection process or accommodation. The notice must also identify the job qualifications and characteristics used by the tool in assessing the candidate. The automated decision-making tool must be subject to a bias audit by an independent auditor focusing, at least, on potential discrimination based on race, ethnicity or gender.
Considering the expanded uses of HR data, including employee monitoring activities as well as the use of AI in HR decision-making, it’s clear that an employee privacy notice should not be limited to specific privacy rights, but to HR data handling overall. For this, employers should undertake a data inventory of their HR data collection, use and disclosure practices. They should also understand what service providers and third parties are doing with HR data, and ensure there are appropriate contractual safeguards in place. What once could possibly have been addressed with a jurisdiction-specific practice—like a California-only or New York-only notice—is now better served with a comprehensive approach. And the privacy notice is the best place to start because it captures all current data handling practices.