Employee and Applicant Data Comes into Scope Under the California Consumer Privacy Act (CCPA)
January 1, 2023 marked the expiration of an exemption to the CCPA that excluded personal information about employees and job applicants from most of CCPA’s compliance requirements. As a result, employers must now provide all CCPA rights to their California workers, including prospective, current, and former employees, as well as temporary workers. Employers who have not yet mapped their data, built processes for handling employee and applicant privacy rights requests, and updated privacy notices for these populations should do so as soon as possible. With enforcement authority now vested in both the California Attorney General and the California Privacy Protection Agency (CPPA), the risk of non-compliance is heightened as well. Enforcement of these expanded requirements under the amended CCPA will begin on July 1, 2023. Fortunately for employers, California is currently the only state whose comprehensive privacy law applies to employee and applicant personal data. The comprehensive privacy laws taking effect in 2023 in Virginia, Colorado, Connecticut, and Utah all exempt employee and applicant data from their scope.
New York Employee Monitoring and Automated Decision-Making
Joining Connecticut and Delaware, New York State passed an amendment to its Civil Rights Law, effective May 7, 2022, requiring private-sector employers that monitor their employees’ use of telephones, emails, and the internet to provide prior written notice of such monitoring and obtain acknowledgment of receipt of the notice. The law applies to employers with a place of business in New York but exempts data monitored solely for the purpose of system maintenance or security. Given its broad scope, New York employers are likely subject to this law and should assess its applicability to their monitoring activities, prepare updated disclosures, and obtain acknowledgments as needed. Meanwhile, in April 2023, New York City began enforcing Local Law 144, which took effect on January 1, 2023. Local Law 144 regulates the use of automated employment decision tools (AEDTs) and requires employers to provide notices and undertake audits to identify potential bias associated with the use of AEDTs.
BIPA Class Action Reaches Jury Verdict Favoring Employee Class
In October 2022, the first jury trial on a case alleging violations of the Illinois Biometric Information Privacy Act reached a $228 million verdict in favor of a class of employees. The jury found the employer violated BIPA by scanning and retaining employees’ fingerprints at its locations without obtaining written informed consent and without publishing a data retention or destruction schedule. At trial, the employer unsuccessfully argued that it could not be held liable because the fingerprints were scanned by a third-party vendor, which underscores the need for employers to understand their responsibility for the consent and destruction requirements under BIPA. The case also serves as a reminder of the ongoing importance of BIPA compliance even as the law approaches its 15th anniversary.