Among the many developments in data privacy regulation that took place over the past year, new requirements relating to employee personal information in California and New York have deservedly received a lot of attention. Meanwhile, ongoing risks arising under older laws—such as the massive verdict in the first jury trial of a claim under the Illinois Biometric Information Privacy Act—demonstrate that employers also cannot lose sight of compliance with more familiar privacy laws.
Employee and Applicant Data Come into Scope Under the California Consumer Privacy Act
On January 1, 2023, the California Privacy Rights Act (CPRA) amendments to the California Consumer Privacy Act (CCPA) took effect. Among the many changes brought under the CPRA was the expiration of an exemption to the CCPA that excluded personal information about employees and job applicants from most of the CCPA’s requirements. As a result, employers must now provide all CCPA rights to their California workers, including prospective, current, and former employees as well as temporary workers. Key steps for employee privacy compliance under the CCPA include:
- Refreshing Data Maps: The CCPA created new categories of “sensitive” personal information, which include Social Security numbers, driver’s license numbers, union membership, race or ethnicity, biometrics, and precise geolocation (within a geographic area equal to or less than 1,850 feet), among other types of data. The CCPA also established new rights for individuals relating to automated decision-making and correction of personal information. To account for these changes, and as a matter of good practice, employers should update their data maps to include the categories of personal information they collect about employees, the systems that house these data, the purposes for which the data are used, the time period for which the data are to be retained, and parties to whom the data may be disclosed. Having a comprehensive and up-to-date data map can greatly facilitate all other aspects of compliance with the CCPA.
- Individual Privacy Rights for Employees and Applicants: Employers must now provide all individual privacy rights under the CPRA to employees and job applicants. This includes the right to know, the right to delete, the right to correct, the right to limit certain uses of sensitive personal information, and the right to opt out of “sales” and “sharing” of personal information. Employers must also avoid discrimination against employees who choose to exercise their rights under the CCPA. Among the many challenges in implementing these rights for employee data is the fact that although the CCPA now applies in the employment context, it was drafted as a consumer law. Careful analysis and documentation are thus all the more important for a business to know when, where, and how certain data may be impacted by these new rights and under what circumstances exceptions may apply. At an operational level, management of privacy rights requests from employees may be assisted by the involvement of human resources and employment lawyers in ways that differ from consumer requests. Businesses should plan accordingly and make sure all internal stakeholders are trained on what to do when an employee or applicant makes a request.
- Updates to Employee and Applicant Privacy Notices: While employees and applicants were previously entitled to receive a privacy notice at or before the point of collection of their personal information, those notices must now be expanded to cover the availability of the privacy rights discussed above and to meet other new requirements under the CCPA (such as how the company collects, uses, and discloses sensitive personal information).
- Contract Updates: The CCPA requires a written agreement, including specific terms, any time personal information is transferred outside the company. To meet this standard in the employment context, businesses should review and update agreements with HR vendors, recruiting vendors, cloud-hosting providers, identity management vendors, and other vendors that may handle employee and applicant personal information.
So far, California is the only state whose comprehensive privacy law applies to employee and applicant personal data. With the rapid expansion of privacy laws taking place across the country, this may not be the case for long. Even in the near term, however, it is important for employers to address compliance with the CCPA for California employees and job applicants in order to mitigate the significant risks associated with noncompliance.
New York Employee Monitoring and Automated Decision-Making
Joining Connecticut and Delaware, New York State passed an amendment to its Civil Rights Law, effective May 7, 2022, requiring private-sector employers that monitor their employees’ use of telephones, emails, and the internet to provide prior written notice of such monitoring and obtain acknowledgment of receipt of the notice.
The New York law applies to employers with a place of business in New York, but exempts data monitored solely for the purpose of system maintenance or security. Many New York employers are likely subject to this law, given its broad scope. They should assess the applicability of this law to their monitoring activities, prepare updated disclosures, and obtain acknowledgments as needed.
On April 15, 2023, New York City began enforcing Local Law 144, which took effect January 1, 2023. Local Law 144 regulates the use of automated employment decision tools (AEDTs) and requires employers to provide notices and undertake audits to identify potential bias associated with the use of AEDTs. For more, please see our in-depth analysis of New York’s Local Law 144.
BIPA Class Action Reaches Jury Verdict Favoring Employee Class
In October 2022, the first jury trial on a case alleging violations of the Illinois Biometric Information Privacy Act (BIPA) reached a $228 million verdict in favor of a class of employees. The jury found that BNSF Railway violated BIPA by scanning and retaining employees’ fingerprints at its railyards without obtaining written informed consent and without publishing a data retention or destruction schedule.
At trial, BNSF unsuccessfully argued that it could not be held liable because the fingerprints were scanned by a third-party vendor, which underscores the need for tight controls over the collection of biometric data and strict adherence to the intricate consent and destruction requirements under BIPA. The case also serves as a reminder of the ongoing importance of BIPA compliance even as the law approaches its 15th anniversary. Indeed, issues relating to biometric data remain front and center as more states continue to consider their own versions of BIPA.
As of May 2023, BNSF has filed a motion for judgment as a matter of law and a motion for a new trial or to alter or amend judgment, which are pending before the United States District Court for the Northern District of Illinois.