While most privacy news and alerts have been focused on the collection and processing of customer data (see our earlier posts about interest-based advertising and the House Judiciary Committee’s Antitrust Hearing with Big Tech, for example), privacy issues related to data collected from employees and business-to-business (B2B) contacts increasingly are becoming a concern for businesses. As we have highlighted in the past, laws outside the U.S., like the EU General Data Protection Regulation (GDPR), have extraterritorial scope, and they provide equal protections to all natural persons, including customers, employees and B2B contacts. The California Consumer Privacy Act (CCPA) follows this global trend and defines “consumers” as California residents, thus providing the same level of rights to employees and B2B contacts who are California residents as well as customers. This article provides an overview of the latest legislative changes under the CCPA as they relate to company obligations concerning employee and B2B data, including exemptions, as well as practical tips for assessing when a company should reexamine employee and B2B privacy issues, including return-to-work (RTW) strategies.
HR and B2B Exemption Under the CCPA
Although the CCPA considers employees and persons who engage in business transactions with you in their professional capacity as consumers, the law as amended included partial exemptions that were set to expire on Jan. 1, 2021. Notably, for employees and job applicants, businesses were required to provide a notice before collecting any personal information but did not need to provide them the right to know, the right to delete or the right to opt-out (the “HR exemption”). For more information on the CCPA generally, see our Consumer Privacy Resource Center. For information handled in the context of B2B dealings, such as contact information of sales executives and customers, the CCPA required an opt-out notice if their personal information was being “sold,” but there was no requirement to provide B2B contacts a notice prior to the collection of their personal information or to provide them other consumer rights under the CCPA, such as the right to know and the right to delete (the “B2B exemption”). Recent developments in the California Legislature, however, indicate that businesses can continue availing themselves of these exemptions for at least another year.
On Aug. 28, 2020, AB 1281, which proposes to extend the HR and B2B exemptions until Jan. 1, 2022, was passed by both the California Senate and the Assembly. Previously, the bill was ordered to the Senate Consent Calendar after sailing through the Judiciary Committee unopposed earlier in August. As originally drafted, AB 1281 proposed disclosure requirements for businesses using facial recognition technology. A reshuffling of priorities necessitated by the COVID-19 pandemic may have prompted lawmakers to repurpose AB 1281 to achieve a more targeted goal. On June 26, 2020, AB 1281 was essentially rewritten to focus instead on extending the HR and B2B exemptions. It is important to note that AB 1281 will become inoperative if the California Privacy Rights Act (CPRA) ballot initiative is approved by voters in the November election, in which case the CPRA will extend the exemptions by two years, to Jan. 1, 2023. Click here for our latest podcast on the CPRA.
Now that AB 1281 has passed both houses of the California Legislature, the bill will garner the governor’s signature (or veto) by Sept. 30. On the governor’s desk are two other privacy bills, the Genetic Information Privacy Act (SB 980) and an amendment to the medical information exemption to the CCPA (AB 713). Stay tuned for our forthcoming analyses of these privacy bills. If not vetoed by the governor, all three bills will become effective on Jan. 1, 2021.
Even with the HR exemption, however, businesses have begun to reexamine what personal information about their employees and independent contractors is collected, because of the notice-at-collection requirement under the CCPA. Although AB 1281 most likely would extend the HR exemption for another year, this does not remove the notice requirement, which has been in effect since Jan. 1, 2020, and requires employers to provide, at or before the point where data is collected, a notice accurately describing the categories of data to be collected and the purposes for which it will be used.
Employee Privacy Issues to Consider as Part of RTW Strategies
Even for employers that revised employee privacy notices to meet the Jan. 1 deadline last year, the notice-at-collection requirements carry significant compliance implications this year for both employers deploying RTW policies and procedures and employers implementing new procedures in anticipation of long-term remote work. In many cases, and in view of state-issued reopening guidelines (see e.g., the California State Government website for COVID-19), employers may plan RTW for a portion of their workforce and continued remote work for others.
For employers deploying RTW strategies, this may involve collection of new information in the form of temperature scans and health questionnaires, as well as the deployment of new technologies and outsourced services such as touchless temperature scanners, temperature scanning kiosks and thermal cameras incorporated into facial recognition-enabled video surveillance programs. Thus, businesses should examine how the employee privacy notices that were previously delivered may need to be revised if additional data collection or processing practices have been implemented to meet workplace safety challenges. For companies that are expanding remote work, new software solutions that allow employees and contractors to bring their own devices (BYOD) may also add new challenges for businesses that are concerned about privacy and data security. Because many of these solutions may require onboarding new vendors and outsourcing services, businesses should also undertake a separate legal and regulatory assessment of the vendors and technologies at issue.
To comply with the CCPA, the notice at collection should accurately disclose the additional data elements under the appropriate category of personal information enumerated in the CCPA. For example, body temperature would fall in a category (thermal) separate from facial recognition data (biometric), and data processing that may generate inferences about an employee’s COVID-19 status should be disclosed under the “inferences” category.
In addition to collecting new data, employers may also be leveraging employee data for new uses, such as processing employee health data to lower insurance costs or processing network data to assess employee productivity. Under the final CCPA regulations issued Aug. 14, 2020, opt-in consent is no longer a permissible mechanism for enabling the use of previously collected personal information for a materially different purpose. As discussed in our earlier blog article, a strict reading of the regulations would require businesses to provide a new notice describing the previously undisclosed purpose and to re-collect the data they already have on file before the data can be used for the new purpose. Of course, prompting the consumer to provide the same data under a new notice at collection is more cumbersome than obtaining the consumer’s consent to a new use. It is important to note that in the next few months, the attorney general will resubmit for administrative approval the provision permitting opt-in consent for new purposes, so re-collection under a new notice may not be necessary. In the meantime, it is unsettled whether previously collected data may be used for a new purpose with a simple opt-in consent from the consumer. Businesses may wish to take a “wait and see” approach or a more conservative approach, depending on their risk tolerance.
For employers that do not have employees in California, it is worth noting that other state, federal and non-U.S. laws may also apply to the handling of employee data. For collection of health-related data, a separate analysis should be undertaken to see if the Health Insurance Portability and Accountability Act (HIPAA) applies, and certain employer actions may result in tort claims such as for invasion of privacy or negligence. States including Illinois, Washington and Texas also have passed specific laws regulating the collection and use of biometric data. If the company is deploying technology solutions that involve the collection of fingerprints, iris scans or facial recognition, for example, a separate biometric privacy law analysis is recommended.
Apart from specific types of data that may be considered sensitive, recent guidance from the U.S. Equal Employment Opportunity Commission covers generally how companies may collect and use data for pandemic preparedness in the workplace. For all employers in the U.S., the National Labor Relations Act (NLRA) protects almost all private-sector employees regardless of whether they are union-represented. Employers should review the latest National Labor Relations Board (NLRB) general counsel’s memorandums, including the memorandum published on Mar. 27, which outlines case summaries touching on the duty to bargain when employers are responding to emergencies, while making references to the coronavirus pandemic (see GC 20-04 Case Summaries Pertaining to the Duty to Bargain in Emergency Situations). The NLRB also published on July 28 a Notice of Proposed Rulemaking (NPRM) relating to employee privacy and participation by workers on military leave. Thus, collection and use of personal information belonging to employees should be evaluated not only with regard to consumer privacy laws, like the CCPA and GDPR, but also with regard to labor law to ensure that no adverse actions are being taken on protected concerted activities or unilateral changes are being made to working conditions, including increased employee surveillance, health monitoring or contact tracing. In the next blog article, we will take a closer look at the B2B exemption and issues related to the sale of personal information and the right to opt-out.
- Most data protection and labor laws are jurisdiction-specific. Companies should continue to monitor legislative or regulatory changes to make sure the impact of consumer privacy laws and labor laws is understood with regard to employee and B2B data. For example, the definitions of what constitutes “personal information” or “biometric data” are rapidly evolving and require close scrutiny.
- Many RTW strategies involve the collection of new information or use of previously collected information for a new purpose. Companies should examine what notice, if any, was delivered at the time personal information was collected and whether consent was obtained, as appropriate.
- Even if proper notice was provided at the time of collection, it is difficult for businesses to continue to monitor how that data is used as it moves through the data life cycle. We recommend companies institute a data privacy impact assessment program to continually monitor the types of data processing activities that are considered high risk, to regularly check to make sure no legal or regulatory changes need to be built into business processes, and to test and audit internal controls for remediating any residual risks.