For decades, California has been at the forefront of consumer privacy protection in the United States, especially since 2018, when Governor Jerry Brown signed the California Consumer Privacy Act (CCPA) into law after a unanimous vote in the legislature. California voters strengthened its state’s privacy protections further by adopting the California Privacy Rights Act (CPRA) in a referendum in 2020. The CCPA (as amended by CPRA) protects many types of data that employers collect on workers, but the law included a temporary exemption that excluded most workplace data from protection.
Fortunately, that exemption will expire on January 1, 2023, at which time California workers will be granted sweeping new protections over the information their employers can collect about them.
The extension of CPRA to employees will represent arguably the most significant change in workplace privacy laws in U.S. history, as well as a radical experiment in how the principles of consumer privacy protection can be applied in the workplace. Because the law was written primarily with consumers in mind–the CCPA uses the word “consumer” to refer to the individuals it protects–its application to employees will raise a number of issues.
The CCPA requires companies to tell consumers at or before the time they collect it: (1) what categories of personal data they collect; (2) the purposes for which they are collecting the data; (3) the length of time the company plans to retain the data; and (4) in the case of sensitive personal information, whether the company will sell or share the data. Companies’ data collection is then limited to the scope of the notice and they are not permitted to collect more information than necessary.
This raises several questions regarding how the rule will be applied in an employment setting. Employment relationships can last years or even decades, far longer than the length of most consumer relationships. If an employer gives a worker a handbook containing their data collection practices at the beginning of employment (saying, for example, that a worker’s electronic activities will be monitored), is that disclosure adequate to cover the whole length of the relationship with the worker? If not, how often does the employer have to remind the worker that their data continues to be collected?
Similarly, the types of data that employers may collect are far more numerous than what a company may be able to collect about ordinary consumers. How broad and generic can disclosures be? How strictly will courts read disclosures when determining whether employers have satisfied their minimization obligations?
The CCPA gives consumers the “right to request that a business delete any personal information about the consumer” it has collected from that person. The law contains a number of exceptions, however, many of which are potentially relevant in employment settings. Exceptions (along with some employment-related questions) include if the company retains the data to:
“Perform a contract between the business and the consumer.” Since all employment relationships are technically contracts, with terms often spelled out in handbooks, policies, procedures, and other documents, could employers essentially create documents that would trigger this exception?
- “Enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business.” This exception might swallow the rule given the limited expectation of data privacy (as well as privacy overall) that workers have in their workplace, at least under default rules in the United States.
- “Exercise a right provided by law” or “comply with a legal obligation.” Many workplace data and records could at least arguably become relevant if an employer ever faces an investigation or enforcement action. Could an employer collect and retain worker data on the argument that the information collected could be relevant to (or used to defend the company) in administrative or judicial proceedings?
The CCPA also gives each consumer a right to request that a company “correct inaccurate personal information” in its possession regarding the consumer. The statute then requires companies to make “commercially reasonable efforts to correct” the inaccurate information.
Questions this raises in the employment context include:
- Could a worker use the right to correct to force employers to review his old performance reviews, disciplinary write-ups, and other documents? And
- Could an employee force her employer to search emails, other forms of communication, and other non-personnel records for instances where a manager or co-worker made a false or misleading statement about her?
Consumers also have the right under the CCPA to direct companies not to sell or share their personal information to third parties. Starting in 2023, the CCPA also gives consumers the right to direct a company to restrict its use of sensitive personal information (which includes social security number, precise geographic location, or racial or ethnic origin) to those uses “necessary to perform the services . . . reasonably expected by an average consumer who requests those . . . services.”
Here too, scope questions abound–what are the “services reasonably expected” by a worker from their employer? Does the expectation that employers will monitor worker productivity provide a reasonable expectation that employers will track their location using GPS at all times? Or collect biometric or health-related information?
Before these laws go into effect in January 2023, CDT will examine these and other questions regarding how the CCPA might be applied in California workplaces.