Labor/Employment
Jul. 10, 2019
Data privacy concerns for human resources executives
California has undertaken an ambitious initiative designed to enhance privacy protections for consumers, which includes employees. The Consumer Protection Act, effective Jan. 1, 2020 (with potential retroactive provisions), opens a new privacy frontier.
Katherine S. Catlos
Partner
Kaufman, Dolowich & Voluck LLP
University of San Francisco
Katherine is the chief diversity & inclusion officer and a partner in the firm's San Francisco office, where she represents employers in all phases of litigation and arbitration, including claims implicating privacy laws. She provides counsel such as independent contractor assessments, exemption audits, and harassment investigations.
Jean Liu
Associate
Kaufman Dolowich & Voluck LLP
Jean is an associate in the firm's Chicago office. She has extensive experience handling litigation matters including those arising from privacy laws, commercial disputes, professional liability claims, and complex insurance coverage. She regularly defends employers against claims rooted in the Illinois Biometric Information Privacy Act.
Unforgettable
That's what you are,
Unforgettable
Though near or far.
-- "Unforgettable," by Nat King Cole
Nat King Cole's words never applied with more force than in today's digital world. Though they were not crooning about romance, in 1890 Samuel Warren and Louis Brandeis published "The Right to Privacy" in the Harvard Law Review, defining privacy as the "right to be left alone." The parallel notion of "the right to be forgotten," or in French, "le droit à l'oubli," derives from European ideals. In 2014, the European Court of Justice solidified the "right to be forgotten" as a human right. See Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González. This right includes the right to demand deletion of personal data, and it has been defined as "the right to silence on past events in life that are no longer occurring." (Pino, G. (2000). "The right to personal identity in Italian private law: Constitutional interpretation and judge-made rights." In: M. Van Hoecke; F. Ost (eds.). The harmonization of private law in Europe (pp. 225-237). Oxford: Hart Publishing. p. 237.)
In the employment context under U.S. law, however, the right to be forgotten poses difficulties for employers. California has undertaken an ambitious initiative designed to enhance privacy protections for consumers. The new California Consumer Protection Act, effective Jan. 1, 2020 (with potential retroactive provisions), opens a new privacy frontier.
Human resource professionals already address employment privacy rules in the context of consumer credit and criminal background checks, HIPAA protections and drug testing, among others. But under the CCPA, "consumers" can now request information about collected personal data as well as its deletion and the right to opt out of its sale. Cal. Civ. Code Sections 1798.100, 1798.105. As written, "consumers" includes employees who might seek to have data deleted that is necessary for an employer's operations, such as maintaining personnel files, and as defined by other laws. It is a conundrum for employers.
To resolve these issues, as of this writing, proposed Assembly Bill 25 carves out employees and independent contractors from the CCPA's definition of "consumer." Many organizations have also submitted letters urging Attorney General Xavier Becerra to adopt regulations clarifying that the CCPA excludes HR data, should AB 25 fail. These organizations argue that the Legislature intended to exclude employee data from the scope of "personal information," as defined by the CCPA. For example, the CCPA measures a "business" by its annual gross revenue; the number of consumers, households or devices about which the business processes personal information; or the percentage of its annual revenue derived from selling consumers' personal information. See Civ. Code Section 1798.140(c). In contrast, most employment laws define an "employer" by the number of employees. See, e.g., 42 U.S.C. Section 2000e(b); Cal. Gov't Code Section 12926(d). In addition, many existing laws already provide employees with access to their personal information, e.g., Labor Code 226(b) (payroll records), 432 (documents signed by employees), 1198.5 (personnel files). The CCPA's right to deletion also contradicts various statutes that require preservation of employee data and undermines an employer's ability to document harassment investigations, among other complications.
Even if AB 25 passes, HR professionals will nonetheless engage with engineering, marketing, sales and finance in privacy impact assessments to identify where personal information flows; to enable the fulfillment of consumer right requests (to be forgotten); and to effectively meet the CCPA "look-back" requirement. In other words, HR professionals are key to maintaining an organization's compliance with the CCPA. Civ. Code Section 1798.135(a)(1), (2) (e.g., training consumer-facing employees to be informed and educated on data subject rights under the CCPA).
Of further significance, the CCPA currently allows private plaintiffs to seek statutory damages of up to $750 per violation for certain violations. Civ. Code Section 1798.150. (A bill to amend the CCPA, AB 561, would have further expanded the private right of action to privacy violations, including statutory damage class actions, and eliminated the 30-day right to cure, but it failed in the Senate.) The CCPA could substantially increase liability for companies akin to the penalties many employers attempt to ward off in Private Attorney General Act matters. Akin to defenses in PAGA matters, a business can reduce penalty exposure by showing it took steps to ensure substantial compliance with CCPA data security and privacy protections.
California-based employers who conduct business in other states are already being sued for privacy violations in such jurisdictions as Illinois. As employers adopted technology to track employees, the plaintiffs' bar filed numerous lawsuits under a relatively unknown privacy law that allows for statutory penalties: Illinois' 2008 Biometric Information Privacy Act, 740 ILCS 14/1 et seq. BIPA regulates a private entity's retention, collection, disclosure and destruction of both "biometric identifiers" and "biometric information." BIPA emphasizes the uniqueness and inability to change an individual's biometric identifiers ("a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry"), comparing them to Social Security numbers, which, if compromised, can be changed. BIPA's legislative findings note the growing prevalence of biometrics in financial transactions and security screenings.
BIPA allows recovery of statutory damages for any person "aggrieved" by a violation of BIPA, plus attorney fees and costs. In Rosenbach v. Six Flags Entertainment Corp. et al., 2019 IL 123186, the Illinois Supreme Court ruled that technical violations of BIPA -- even absent an actual injury or adverse effect -- give rise to a plaintiff's qualification as an "aggrieved" person under the act. Employers who use timekeeping technology reliant on employees' fingerprint data and/or security management devices reliant on iris scans, facial recognition and/or fingerprints should take heed.
As expected, both BIPA's plain language and the Rosenbach decision have given rise to an influx of class actions. And while many employers have implemented changes in their internal protocols to comply with BIPA, employers' past use of "biometric identifiers" and/or "biometric information" is now in litigation. These lawsuits have prompted employers to focus on potential defenses based on theories of implied consent, substantial compliance, waiver, ratification, estoppel, failure to mitigate damages and an assumption of risk, among others.
Employers have also raised defenses based on the circumstances surrounding each purported violation of BIPA. For example, some employers have relied on prompts set forth by their timekeeping devices which request an individual to affirmatively select "I Agree" prior to the timekeeping device's scan of an individual's fingerprints. See, e.g., Motion to Dismiss, Lenoir v. Little Caesar Enterprises, Inc., 1:19-cv-01575 (N.D. Ill. Apr. 12, 2019), ECF No. 15. Other employers have raised defenses against dissemination allegations based on the fact that their timekeeping systems do not sync to a cloud, or that they do not use outside payroll vendors.
Concerns regarding BIPA and Rosenbach's opening of the class action floodgates have not been completely ignored. Last year, the Illinois Senate introduced Senate Bill 3053, which would deem BIPA inapplicable where biometric information is used exclusively for employment, security, or human resources purposes. SB 3053 did not report out of committee. Following SB 3053's lack of success, the Illinois Senate introduced SB 2134, which would omit a private right of action. But this bill again failed to advance.
There is much to track as privacy laws attempt to catch up with big data. As evidenced by both California's pending AB 25 and the unsuccessful Illinois Senate Bills 3053 and 2134, there is a widespread desire to exclude employers from the scope of consumer-friendly privacy regulations such as the CCPA and BIPA. Still, human resource executives will remain crucial as part of the core team to ensure data security and should keep tabs on emerging privacy laws to know how to vet, for example, an employee's demand for deletion of personal data.