California businesses face the prospect of having to apply elements of the state’s landmark privacy law to their own employees. This threatens to wreak havoc on compliance, including for gig economy businesses, whose independent contractor models are not exempt from the new rules.
The state’s Consumer Privacy Act, the first of its kind in the United States, gives consumers the right to know what data is collected about them and to request that it not be sold. It contains exemptions for certain data related to employees and business-to-business transactions, but these exclusions are unlikely to be extended, removing an important shield for businesses and forcing them to extend these rights to workers from January 1, 2023.
Lawyers say how companies apply these rights to employees and contractors, who generate reams of data and information, remains unclear because employee privacy is a relatively new concept in U.S. law compared to Europe.
“Employee privacy is one of those dormant issues that has really become central,” said Jeewon Serrato, partner at Baker & Hostetler LLP in San Francisco. “Not just for the gig economy, but for business in general.”
Under the California Consumer Privacy Act, which went into effect January 1, 2020, consumers in the state have the right to access personal information that companies collect about them and to prevent it from being sold. The California Privacy Rights Act, passed in November 2020 and effective January 1, 2023, expands these rights to allow consumers to request deletion of their personal data.
When the CPRA comes into effect, companies falling within its scope must also extend these consumer protections to their employees. However, it does not apply to personal information collected in certain employment application contexts.
Locating and accessing piles of data on every employee is a logistical mess, said Lisa Sotto, partner at Hunton Andrews Kurth in New York.
“As you work in a company, your fingerprints as an employee are everywhere — in online systems, in paper documents, in many different departments,” Sotto said. “For a company, trying to fulfill an access request for a single person is difficult.”
Right to deletion
The changes will place California businesses in uncharted territory. Other US states where consumer privacy laws go into effect (Virginia, Colorado, Utah, and Connecticut) will not extend these rights to workers, including the right to delete data.
There is a lack of clarity on how the state privacy regulator will interpret these requirements, which worries many companies, especially those that collect large amounts of data from workers on a daily basis, such as gig businesses, said Travis Brennan, an attorney at Stradling Yocca Carlson & Rauth in Newport Beach, California.
“Uber, Lyft, and their competitors collect all driver’s license numbers, GPS data, and other information from workers that they likely use for different business purposes, including how to set prices, how to better manage resources, and how to cut costs,” Brennan said. “In this scenario, will the state really expect this data to be deleted, even if the company really considers it confidential information?”
The law states that “manifestly unfounded or excessive” requests can be refused, but the onus is on the company to demonstrate why. It also includes exemptions for data needed to conduct transactions, detect security incidents and comply with other laws.
Businesses, for example, can argue that they must retain a customer’s name, phone number or payment information to provide a product or service requested by the consumer, said Jerel Pacis Agatep, partner at Baker & Hostetler in San Francisco.
A company could deny a worker’s removal request on the grounds that it needs the information to provide employment-related services, such as payroll or health benefits.
“If the exemptions expire, it can lead to an influx of access and deletion requests from employees,” Agatep said. “Employers will be required to explain when employee requests to know or remove are denied.”
The path to follow
After the end of the employee exemption, 2023 could wreak havoc on the privacy front as companies scramble to comply with little idea of how the state will actually enforce privacy rules regarding employees.
“We are at this stage of enormous uncertainty,” Serrato said. “Companies are asking, ‘How do we handle this issue of employee privacy?’ ‘How do we think about collecting employee data?’ ‘How do we monitor privacy laws and what changes do we need to make?’”
That’s a huge boost for most employers, Serrato said, because the definition of personal information is much broader under the CPRA.
The European General Data Protection Regulation applies to business-to-business data and employee data, so US companies that comply with this law may already have a head start, said Gretchen Ramos, an attorney at Greenberg Traurig LLP in San Francisco.
European companies and US multinationals subject to the GDPR are already required to provide much more detailed employee notices under the law, such as explaining the type of data they collect, how it is shared and informing employees, applicants for employment and B2B contacts of their rights in relation to their personal data, Ramos said.
Companies with established procedures for handling individual rights requests will have an advantage.
“Knowing where your data is can be a huge hurdle for employee data and the B2B front,” Ramos said. “Unless a business is already subject to GDPR, this could be new territory for them.”
The California Privacy Protection Agency can help businesses by providing more guidance on business obligations regarding employee and independent contractor rights requests, and possible exemptions, Ramos added.
The agency published its first set of proposed draft regulations on May 27, but they do not explicitly address B2B or employee data exemptions. The CPPA has previously announced its intention to conclude rulemaking by the end of 2022.
The CPPA declined to comment.
“I think the CCAC is still on training wheels,” Brennan said. “But the training wheels come off next year.”