In the early 20th Century, Henry Ford employed 50 investigators who would make unannounced visits to employees’ homes. The investigators evaluated cleanliness and inquired about the employees’ spending habits, alcohol consumption, and marital accord. Ford believed that by collecting this information, he could determine whether his employees met his personal standards and could contribute to building a better company.
Employee monitoring and information collection is a longstanding practice. It can advance critical business interests such as improving productivity, protecting confidential information, and minimizing employee misconduct. Technological advancements make it increasingly easier for employers to monitor, and to obtain personal information about, their employees. While Ford’s investigators may seem intrusive based on today’s standards, employers today are able to obtain even more personal data from their employees with the click of a button. Unlike the visibility of an investigator in the living room of a Ford employee, this information is often obtained without employees even realizing it.
Employers can use fingerprinting devices to track attendance; tonal analysis software to record meetings and dissect group dynamics; and software to record keystrokes and assess efficiency. Some employers offer health-tracking apps to employees, as part of wellness programs, and then have access to the personal health information that is recorded. While this information may be readily available, is its collection by employers serving a legitimate business purpose? Is technology being used simply because it is available? Are employers subjecting themselves to unnecessary legal and security risks?
Historically, the United States has permitted employee monitoring and the collection of employee information with minimal oversight or restriction. However, in light of recent and spreading developments, employers may want to consider reassessing the information that they are collecting, taking into account the trends in privacy law that may impact their collection and retention of this information.
Effective May 2018, the European Union’s General Data Protection Regulation (“GDPR”) strengthened EU residents’ rights to control and protect how their personal data was used and collected. While federal laws such as the Health Insurance Portability and Accountability Act (“HIPAA”) and the Fair Credit Reporting Act govern the collection of some employee information, unlike the EU, United States employee privacy rights are mostly governed by state law.
Last year, in California, the legislature passed the California Consumer Privacy Act (“CCPA”). This groundbreaking legislation, which takes effect on January 1, 2020, was inspired by aspects of the GDPR and provides extensive rights to consumers, including employees and job applicants, with respect to the protection of their personal information. The CCPA broadly categorizes the information at issue and it can include biometric data, such as fingerprints, iris scans, and facial recognition; information from company devices, such as internet browsing history and geolocation data; information captured from surveillance systems; and other employment-related information. While recently passed amendments, likely to be approved by the governor shortly, would temporarily suspend some of the more arduous obligations imposed on covered employers under the CCPA, these companies will still be required to provide notice of the employee personal information they are collecting, as well as the purpose for which it is being collected, beginning on January 1, 2020. The CCPA also permits individuals to file lawsuits against companies that fail to implement reasonable security procedures, if such procedures result in a data breach.
Other state legislation, while less expansive, also imposes obligations on employers with respect to the collection and use of certain employee data. In 2008, Illinois passed the Biometric Information Privacy Act (“BIPA”), requiring businesses to obtain employee consent in conjunction with the collection and use of employee biometric data. Under the BIPA, an employee can bring a lawsuit against an employer for a violation and, based on a 2019 Illinois Supreme Court decision, the employee does not need to incur actual harm to be entitled to damages. This decision has led to a further increase in class action litigation pursuant to the BIPA, including employee lawsuits, which commonly allege that biometric information, such as fingerprints, was being collected and stored without proper notice or consent in violation of the BIPA.
More state legislation is pending, as a dozen states have introduced new privacy legislation since the passage of the CCPA. Other states are likely to follow suit. These statutes vary in terms of scope and breadth, with some closely paralleling the CCPA, some borrowing more expansively from the GDPR, and others providing a narrower set of restrictions. Given the growing trend toward more restrictive privacy legislation, the growing patchwork of state laws, and their conflicting governance, multi-state businesses are likely to find themselves increasingly subjected to greater costs and compliance issues as they try to navigate this developing body of law in states where they operate and in states where their employees and consumers reside. The CEOs of companies such as Amazon, Visa, and Walmart recently petitioned the United States Congress to stall the growing number of state privacy laws by establishing a federal law that would harmonize regulations. To date, federal legislation has not gained sufficient momentum to suggest that changes at the federal level are imminent, and it seems likely that for the time being, states will continue to take the lead on developing their own, potentially conflicting, privacy regulations.
While the landscape continues to develop, for employers who are collecting personal information, they should reassess whether the information serves a legitimate business purpose. If not, employers should consider discontinuing this collection, as it could lead to unnecessary compliance obligations under state law and/or legal issues. If the data being collected serves a legitimate business purpose, employers should establish necessary safeguards for the protection of this data; determine how long the data will be stored and how it will be purged; revisit their policies to ensure that adequate notice is being provided when data is collected; and track the developing law to ensure ongoing compliance with both existing and new obligations.
The privacy landscape is changing, domestically and globally, with a greater emphasis being placed on individuals’ rights to limit the collection and use of their personal information. Employers who may have been able to gather and mine employee data with little oversight or regulation in the past can no longer be confident that their prior practices will be complaint with new privacy laws as they continue to develop. Employers should remain abreast of developments in privacy legislation, and consider revisiting their practices and policies to ensure that they adhere to existing laws, with an eye to compliance in what may well be a more restrictive climate going forward.