If California’s Privacy Law Expands, Bosses Face Chaos

Businesses in California may have to start enforcing portions of the state’s groundbreaking privacy law on their employees shortly. Because gig economy firms with independent contractor models aren’t protected from the new laws, it might have a significant impact on compliance in that sector.

It is the first law of its sort in the United States that offers customers the right to know what data is being gathered about them and to request that it not be sold. However, the exemptions for some data relating to employees and B2B transactions won’t be extended, removing a crucial shield for corporations and forcing them to provide those rights to workers beginning on Jan. 1, 2023, which is a significant disadvantage for the organizations that have them.

Attorneys say it’s still unclear how firms apply such rights to employees and contractors, who generate a wealth of data and information, given employee privacy is a relatively new idea in US law compared to Europe.

Jeewon Serrato of Baker & Hostetler LLP in San Francisco says that “employee privacy is one of those sleeper issues that has truly become fundamental.” That goes for small businesses as well as large ones, according to the gig economy.

Employee Rights

As of Jan. 1, 2020, Californians will be able to see their personal information and prevent it from being sold under the California Consumer Privacy Act. After being approved in November 2020 and going into effect on January 1, 2023, the California Privacy Rights Act broadens consumer rights by allowing them to seek the removal of their data.

As soon as the CPRA goes into effect, firms that fall under its jurisdiction will be required to offer the same consumer safeguards to their workers. Personal information gathered during employment applications, on the other hand, is exempt from this rule.

According to Lisa Sotto, a partner at Hunton Andrews Kurth in New York, it’s a logistical nightmare to track down and gain access to the mountains of data about each employee.

You leave a trail wherever you go—in online systems, in hard copy documents, in many different departments—if you’re employed by a corporation. Access requests for a single individual are “impossible for a firm to fulfill.”

Read More:

Right to Delete

Businesses in California will have to adapt to new conditions as a result of the reforms. Workers in Virginia, Colorado, Utah, and Connecticut, where consumer privacy rules are taking effect, will not have the same rights, including the right to delete data.

Many businesses, particularly those that collect large amounts of data from employees daily, such as gig firms, are concerned about how the state privacy regulator will interpret these requirements because of the lack of clarity, according to Travis Brennan, an attorney at Stradling Yocca Carlson & Rauth in Newport Beach, Calif.

For example, Uber and Lyft may use driver’s license numbers, GPS data, and other information to help them better manage resources, establish pricing, and minimize costs, Brennan said. Is the state expecting that data to be deleted if the corporation believes it to be confidential information?

“Manifestly unjustified or excessive” requests can be rejected, although the corporation must show that they are legitimate. In addition, there are exclusions for data that is required to complete transactions, detect security incidents, and comply with other applicable regulations.

Customers’ names, phone numbers, and credit card numbers might be used to support a business argument that they must be kept on file to fulfill a request from the customer, according to Baker & Hostetler associate Jerel Pacis Agatep in San Francisco.

An employer could oppose a worker’s request to delete their personal information because they require it to deliver services related to employment, such as payroll or health insurance.

There may be an inflow of access and delete requests if the exemptions expire, according to Agatep. If an employer denies an employee’s request for information or deletion, they must explain why.

Requests for comment from Uber Inc. and Lyft Inc. went unanswered.

Path Forward

A lack of clarity on how the state would enforce the new employee privacy standards in 2023 could lead to a chaotic scramble by corporations as they scramble to comply.

At this point, Serrato remarked, “we are at a significant level of ambiguity. Many companies are asking themselves, ‘How can we negotiate this issue of employee privacy?’ ” ‘How do we conceptualize the collecting of employee data?’ Is there a way to keep track of privacy rules, and if so, what adjustments do we need to make?”

The CPRA’s definition of personal information is substantially broader than under the PIPEDA, making it a significant challenge for most businesses, Serrato added.

According to Gretchen Ramos, an attorney with Greenberg Traurig LLP in San Francisco, US corporations who comply with Europe’s General Data Protection Regulation may already have an advantage when it comes to handling business-to-business and employee data.

By law, European corporations and US multinationals that fall under the GDPR’s jurisdiction are already expected to post far more thorough employee notices, such as describing the types of personal data they gather as well as how that data is shared.

Companies that have systems in place for dealing with petitions for individual rights will have an advantage.

On the employee data and B2B front, “Knowing where your data is can be a major challenge,” Ramos noted. The GDPR may be a fresh experience for companies that haven’t previously been subject to it.

Ramos said that the California Privacy Protection Agency can help companies by providing greater clarity on the obligations of companies to employees and independent contractors, as well as possible exemptions.

Employee data and B2B data exemptions aren’t mentioned at all in the agency’s first set of proposed regulations, which was released on May 27. By the end of 2022, the CPPA has stated that it wants to complete rule-making.

Read More: