The California Privacy Rights Act is coming. Soon. For real.
To help employers get ready, I recently joined the “Your Bytes = Your Rights” podcast to discuss the changes coming in January 2023 to employee privacy laws, the rise in Data Subject Access Requests (DSARs) from employees and the complexities of data access rights.
Some of what employers need to know:
- The US does not have a comprehensive privacy law, but there are a number of state labor laws that address privacy, data privacy, employee surveillance, biometric data (e.g. employee time clocks), discrimination, and artificial intelligence/machine learning recruitment.
- The Federal Trade Commission, under Chair Lina Khan, is active and vigilant. It will enforce even in the absence of a comprehensive privacy law. (Also, there is a new FTC Notice of Proposed Rulemaking.)
- If your employee does not know what data about them you are processing, then you need to fix that ASAP because employees already have the right to receive disclosure about data processing. Given the new standards for disclosure coming from the EU and already evidenced in the CPRA regs and the FTC enforcement action, it is vital employers take a close look at their disclosures and make sure they are specific and clear enough.
- CPRA adds the right to deletion. Read the exceptions in the law closely and work with counsel because, for a lot of the straightforward HR data processing, there will be exceptions to the deletion requirements.
- Know what your HR data is, what it is doing and where. Only God’s omniscient powers are unknowable. Your data processing should not be. Make sure you know where your data is and that your HR service providers know what you are expecting from them if you get a DSAR from an employee.
- The best way to minimize employee DSARs is to have happier employees. Disgruntled employees are far more likely to make requests.
- Make sure your HR team is on board. They need to know that this is coming, which HR data is in play (almost everything which identifies the employee or from which personal information can be inferred), how to recognize a DSAR and what to do when one arrives.