California businesses face the prospect of having to apply elements of the state’s landmark privacy law to their own workers. It threatens to wreak havoc on compliance, including for gig economy companies, whose independent contractor models aren’t exempted from the new rules.
The state’s consumer privacy law, the first of its kind in the US, gives consumers the right to know what data is being collected on them and ask that it not be sold. It contains exemptions for certain data related to employees and business-to-business operations, but those carve-outs are unlikely to be extended, removing an important shield for companies and forcing them to extend those rights to workers beginning Jan. 1, 2023.
How companies apply those rights to employees and contractors, who generate troves of data and information, remains unclear, attorneys say, since employee privacy is a fairly new concept in US law compared to Europe.
“Employee privacy is one of those sleeper issues that has really become central,” said Jeewon Serrato, a partner at Baker & Hostetler LLP in San Francisco. “Not just for the gig economy, but for companies in general.”
Under the California Consumer Privacy Act, which took effect on Jan. 1, 2020, the state’s consumers got the right to access personal information companies collect on them and prevent it from being sold. The California Privacy Rights Act, passed in November 2020 and taking effect on Jan. 1, 2023, widens those rights to allow consumers to request the deletion of their personal data.
When the CPRA takes effect, businesses under its scope must extend those consumer protections to their employees as well. It doesn’t apply, though, to personal information collected in certain job application contexts.
Locating and accessing mounds of data on each employee is a logistical mess, said Lisa Sotto, a partner at Hunton Andrews Kurth in New York.
“To the extent you work in a company, your footprints as an employee are everywhere—in online systems, in hard copy documents, in many different departments,” Sotto said. “For a company to try and fulfill an access request for one person alone is difficult.”
Right to Delete
The changes will put California businesses in uncharted territory. Other US states where consumer privacy laws are taking effect—Virginia, Colorado, Utah, and Connecticut—will not extend workers such rights, including the right to delete data.
There is a lack of clarity on how the state privacy regulator will interpret those requirements, which is causing concern for many companies, particularly those collecting a large amount of data from workers on a daily basis such as gig firms, said Travis Brennan, an attorney at Stradling Yocca Carlson & Rauth in Newport Beach, Calif.
“Uber, Lyft, and their competitors are all collecting driver’s license numbers, GPS data, and other information from workers that they’re likely using for different business purposes including how to set pricing, how to better manage resources, and how to cut costs,” Brennan said. “In that scenario, will the state really expect the deletion of that data even though the company really considers it more akin to proprietary information?”
The law states that requests that are “manifestly unfounded or excessive” may be refused, but the company bears the burden of demonstrating why. It also includes exemptions for data necessary to complete transactions, detect security incidents, and comply with other laws.
Businesses, for example, may be able to argue that they need to keep a customer’s name, phone number, or payment information to deliver a product or service that was requested by the consumer, said Jerel Pacis Agatep, an associate at Baker & Hostetler in San Francisco.
A business could deny a worker’s deletion request on the basis that it needs the information to provide services associated with employment, such as for payroll or health benefits.
“If the exemptions expire, this may result in an influx of access and deletion requests from employees,” Agatep said. “Employers will be required to explain when employees’ requests to know or delete are denied.”
After the employee exemption sunsets, 2023 could bring chaos on the privacy front as companies scramble to comply with little idea of how the state will actually enforce privacy rules in regards to employees.
“We are at this point of a huge amount of uncertainty,” Serrato said. “Companies are asking, ‘How do we navigate this issue of employee privacy?’ ‘How do we think about employee data collection?’ How do we monitor privacy laws and what changes do we have to make?’”
It’s a huge lift for most employers, Serrato said, because the definition of personal information is much broader under the CPRA.
Europe’s General Data Protection Regulation applies to business-to-business and employee data, so US companies that are compliant with that law may already have a leg up, said Gretchen Ramos, an attorney at Greenberg Traurig LLP in San Francisco.
European companies and US multinationals subject to the GDPR are already required to provide much more detailed employee notices under the law, such as explaining the type of data they collect, how it’s shared, and advising employees, job candidates and B2B contacts of their rights in relation to their personal data, Ramos said.
Companies with established procedures for handling individual rights requests will have an edge.
“Knowing where your data is can be a huge hurdle on the employee data and B2B front,” Ramos said. “Unless a company is already subject to the GDPR, this could be new territory for them.”
The California Privacy Protection Agency can help companies by providing more guidance on companies’ obligations on rights requests from employees and independent contractors, and possible exemptions, Ramos added.
The agency released its first set of proposed draft regulations May 27, but they do not explicitly touch on B2B or employee data exemptions. The CPPA has previously said it intends to wrap up rulemaking by the end of 2022.
The CPPA declined to comment.
“I think of the CCPA as still being on training wheels,” Brennan said. “But the training wheels are coming off next year.”