Last month, Senator Robert Casey (D-PA) introduced the Stop Spying Bosses Act (SSBA), S.262, with Senators Cory Booker and Brian Schatz as co-sponsors. The bill’s official title states that its aim is “to prohibit, or require disclosure of, the surveillance, monitoring, and collection of certain worker data by employers.” The SSBA is the first bill to appear on Capitol Hill targeting the risks associated with “bossware” – that is, intrusive electronic surveillance and algorithmic management that employers are increasingly deploying in the workplace.
In recent years, CDT has watched the rise of such bossware systems with concern, including their potential to harm workers’ health and safety. The threat that these technologies pose to workers has been exacerbated by the absence of meaningful regulation or statutory guardrails. While the past year has seen some promising policy developments, including comprehensive workplace technology legislation introduced in California and hints of federal regulatory action targeting uses of bossware that threaten workers’ labor rights, there had been little indication of congressional action on the subject prior to the SSBA’s introduction.
While some provisions of the bill should be reinforced to ensure workers are informed about intrusive workplace surveillance and are protected from its harmful effects, if passed, the SSBA would represent a significant and welcome step toward leveling the technological playing field between workers and employers. This blog post will walk through the bill’s broad scope, highlight its strengths, and note the areas in which the bill should be revised to ensure the protection it promises materializes in practice.
How the Stop Spying Bosses Act would protect workers
Covers a wide range of workplace surveillance practices
The SSBA is sweeping in its scope, defining the activity it regulates – “workplace surveillance” – as encompassing seemingly all methods through which employers could monitor and collect data on workers. It covers both on- and off-duty surveillance, as well as “the detection, monitoring, interception, collection, exploitation, preservation, protection, transmission, or retention of data concerning activities or communications with respect to the covered individual.” Other definitions in the bill’s text underscore its broad reach:
- The definition of “covered individuals,” the bill’s term for the workers to whom it applies, includes all individuals who are “employed by, or perform work for remuneration for, an employer” – language plainly meant to encompass independent contractors as well as workers in traditional employment relationships.
- Covered “data” includes all information “that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with the covered individual, regardless of how the information is collected, inferred, or obtained.” The bill would cover personally identifiable information, social media and other online information, and “any information related to the workplace activities with respect to the covered individual,” including HR information, productivity and downtime information, workplace communications, data collected through electronic surveillance systems, biometric information, and inputs and outputs from automated decision systems.
- Employment-related decisions that trigger the bill’s requirements include not just hiring, firing, and promotion, but also decisions relating to scheduling, pay, or “any other term, condition or privilege of employment.”
Restricts surveillance in circumstances where it could harm workers
One of the strongest substantive features of the bill is that it targets uses of surveillance that harm workers or threaten their legal rights. To that end, the SSBA would prohibit companies from using workplace surveillance to:
- Identify or monitor workers engaged in union or protected labor activity
- Collect health or disability data
- Determine disability status
- Use an automated employment decision system “to predict behavior of a covered individual that is unrelated to the work of the covered individual for the employer”
- Monitor workers while off-duty
It also prohibits companies from using workplace surveillance “in any manner that threatens the mental or physical health” of the worker and from “selling or licensing” data collected on a worker to third parties.
Such prohibitions of harmful uses of technology are far preferable to the comparatively weak notice-and-consent model that has characterized most privacy regulation efforts in the United States. Given the inherent power imbalance that exists between workers and employers–an imbalance that is only exacerbated by the intrusive use of surveillance technologies–truly informed and voluntary consent regarding potential harmful uses of technology is impractical in most employer/worker relationships. It is for that reason that under the EU’s General Data Protection Regulation, employers are generally prohibited from using consent as a basis for collecting workers’ data. By establishing firm boundaries past which employers are simply barred from engaging in surveillance, the SSBA would effectively guard against many of the most harmful and exploitative uses of bossware.
Requires extensive disclosure to workers
The SSBA would also help close the information gap between employers and workers by requiring companies to disclose key aspects of their surveillance and data collection practices. Specifically, companies would have to tell workers:
- The nature, purpose(s), and methods by which the employer collects data on a worker
- The identity of any third parties with whom the employer shares the worker’s data or that the employer “use[s] for . . . workplace surveillance”
- How workplace surveillance affects employment-related decisions
At present, the vast majority of workers in the United States have no right to receive any of this information from their employers, although the California Consumer Privacy Act now gives workers in the Golden State a “right to know” what categories of data employers collect and why they collect such data.
When an employer uses data collected through workplace surveillance to make an employment-related decision, the SSBA similarly allows the worker to review both their data and “related aggregated data for other similarly situated” workers. Such data might shed light on whether the worker was subjected to discrimination.
Robust enforcement mechanisms, including a new office to enforce the SSBA
The bill also includes strong enforcement provisions that would, if implemented, provide a variety of mechanisms to ensure companies that violate the SSBA are held accountable. These include the establishment of a new Privacy and Technology Division (the “Division”) within the Department of Labor, which would be tasked with most of the regulatory and administrative enforcement powers associated with the SSBA. The bill would also provide other avenues of relief for workers when companies violate the law, including a private right of action and granting state attorneys general and enforcement agencies authority to pursue claims under the SSBA.
Notably, the SSBA would prohibit companies from enforcing pre-dispute arbitration or class-action waivers with respect to most violations of the statute. This would cut off a path by which many companies avoid accountability for violations of law.
Other notable rights and requirements
Other notable and positive provisions in the SSBA include:
- Giving workers the right to obtain any data collected through workplace surveillance, and to update or correct any data that is incomplete or erroneous
- Allowing workers to opt out of the transfer of their data to third parties
- Prohibiting companies from collecting data on workers “that is not reasonably related to operations of the employer”
- Requiring the new Division to prepare a report for Congress on workplace surveillance and make recommendations to the President and Congress “targeted at reducing harms related to workplace surveillance on covered individuals”
How the bill can be strengthened
While the SSBA would provide far stronger protection than most workers currently enjoy, the bill could be strengthened or clarified in some areas to ensure employers are held properly accountable:
Requiring pre-surveillance notice
The bill currently requires employers to disclose surveillance and data collection only after it has occurred. The bill should be amended to require pre-collection and pre-surveillance notice to workers.
Strengthening data minimization requirements
The current language of the SSBA states that employers cannot collect data unless it is “reasonably related to the operations of the employer.” This is a very low bar to clear. At a minimum, the bill should be amended to require employers to collect only data that is necessary to achieve the disclosed purposes for which the surveillance/data collection is conducted. Ideally, the bill would be amended along the lines of the Workplace Technology Accountability Act and the Berkeley Labor Center’s workplace technology framework, which would only allow employers to conduct surveillance for specific, statutorily-defined purposes and then prohibit surveillance that is not necessary to achieve those purposes.
Requiring agency disclosures
The SSBA takes a significant step toward facilitating public understanding of workplace surveillance practices by requiring the Division to conduct a study of employers on such practices and using the results of that study to prepare a report for Congress. But the bill does not include any provisions requiring employers to cooperate with or provide information to the Division as part of the study. The bill should be amended to require such cooperation, and should also require the Division to conduct follow-up studies and submit corresponding reports every five years–and require employers to submit information regarding their workplace surveillance practices as part of such follow-up studies as well.
Clarifying ambiguous language and provisions
The bill’s language or requirements should be clarified to ensure employers do not exploit textual ambiguities to avoid accountability:
- The bill says that employers must provide disclosures in an “accessible” manner, but it does not specify what “accessible” means in this context. The bill should spell out its accessibility requirements. One model for such accessibility requirements could be the requirements for short-form disclosures under the Civil Rights Standards for 21st Century Employment Selection Procedures, which require that worker disclosures be:
  - Provided in English, in any non-English language spoken by a substantial portion of the employer’s workforce, and in any other language that the employer regularly uses to communicate with workers or candidates;
  - Written in clear and plain language;
  - Made available in formats that are accessible to people who are blind or have other disabilities; and
  - Otherwise presented in a manner that ensures the disclosure clearly and effectively communicates the required information to candidates.
- The definition of “covered individual” should be modified so that it explicitly references independent contractors as covered by the bill, thus cutting off any argument that certain categories of freelance or platform-based workers are excluded from its scope. So, for example, the definition could be modified to say that a covered individual is one “who is employed by, an independent contractor for, or otherwise performing work for remuneration for, an employer…”
- The opt-out process for the transfer of data should be spelled out in greater detail. At present, the bill simply says that employers can only transfer data to third parties if the covered individual “does not opt out of the instance of the transfer.” No detail is provided as to what notice employers must give workers regarding their opt-out rights or what requirements employers are allowed to impose on workers in order to opt out of data transfers. Unless greater detail is provided, employers may try to use the vagueness of this provision to hide the opt-out option from workers or to impose onerous requirements before workers can exercise their opt-out rights.
- Relatedly, the bill’s definition of “third party” (and thus the entities for which workers can opt out of data transfers) includes all entities aside from the employer except “a service provider of [the] employer with respect to the data being transferred.” This could be read as exempting (1) all vendors who provide some service to the employer for which the worker data is relevant; (2) only companies that provide data/cloud/IT services necessary to storing and transferring worker data for the employer’s own purposes; or (3) something in between. The first interpretation would be so broad that the “service provider” exemption could swallow the rule, while the second would mean that workers could conceivably opt out of transferring their data even to entities such as service providers, security companies, and benefits administrators. More precise language is needed to ensure this exemption neither sweeps too broadly nor is confined too narrowly.
In a statement announcing the bill’s introduction, the SSBA’s sponsors correctly noted that “[e]mployers are increasingly using these technologies to monitor workers’ activities, on and off duty, and penalize them without oversight, accountability, or transparency.” If enacted, the SSBA would mark a significant step toward providing that oversight, accountability, and transparency, which is sorely needed as harmful uses of bossware proliferate. CDT welcomes the introduction of this important bill and hopes that the Senate will advance it while maintaining – and hopefully reinforcing – its obligations and protections.