While the privacy landscape continues to shift, it’s clear that the U.S. is following the European Union in the push for greater individual privacy rights. So, what can U.S. employers expect to see regarding employee privacy rights in 2023? Here, we break down what employers need to know.
Employee privacy rights: Setting the scene
In the wake of the European Union’s General Data Protection Regulation (GDPR), California was the first to pass a state data privacy regulation in the U.S. Colorado, Connecticut, Utah, and Virginia have all followed suit with their own consumer data privacy laws. A number of national privacy laws have also been proposed, but as of today, none have been enacted. Let’s take a closer look at California’s law, the changes for 2023, and what this means on a national scale.
California privacy rights
The California Consumer Privacy Act (CCPA), along with the amendments passed under the California Privacy Rights Act (CPRA), gave California consumers certain rights relating to their personal data. Originally, the CCPA carved out an exception for personal information (PI) that was used solely for employment purposes. This exception expired at the beginning of 2023. Employers who have not yet aligned their data processes with CCPA and CPRA requirements should review their employee data management practices to ensure they are in compliance.
Effective January 1, 2023, California consumers, including California employees (if their employer meets certain thresholds under the law), have rights, including, but not limited to, the right to:
- Know all PI collected about them, including sensitive personal information (SPI), with whom it is shared or to whom it is sold, and the intended retention period or criteria used to determine that period
- Know about categories of SPI and limit the use and disclosure of SPI
- Opt out of the sale or sharing of their PI (or opt in for minors)
- Request deletion of all PI collected and maintained by the business
- Have inaccurate PI corrected
Additional CPRA regulations are under review by the California Privacy Protection Agency. These rules were modified twice in the last quarter of 2022. If the latest version of the CPRA Regulations is finalized, it would likely take effect in the first half of 2023, after the end of a required 30-day review period. While the CPRA regulations have been delayed multiple times, it is unclear whether the California Privacy Protection Agency will consider the delay when determining whether an organization complied with the regulations.
Federal and state privacy proposals
At the federal level, the proposed American Data Privacy Protection Act (ADPPA) provides national privacy rights to U.S. consumers and may move forward in 2023. The biggest challenge to the proposed act is whether ADPPA will preempt California’s CCPA/CPRA. It is unclear whether ADPPA can overcome this hurdle and gain the approval needed to create the first national comprehensive privacy framework in the country.
With the lack of clarity on whether a national comprehensive privacy framework will pass in 2023, states are expected to continue pursuing their own consumer privacy regulations. Colorado, Connecticut, Utah, and Virginia all have privacy laws going into effect in 2023. While these new privacy laws don’t specifically target employee data, it’s expected that more states will propose data privacy legislation that captures employee personal data.
In addition to comprehensive data privacy laws, governmental entities are tackling specific privacy topics, particularly with artificial intelligence. In October 2022, the White House Office of Science and Technology Policy published a “Blueprint for an AI [Artificial Intelligence] Bill of Rights.” The AI Bill of Rights, which is non-binding, is based on five principles in the age of artificial intelligence:
- Safe and effective systems
- Algorithmic discrimination protections
- Data privacy
- Notice and explanation
- Human alternatives, consideration, and fallback
At the local level, there is some movement toward regulating employee data use. For example, New York City will begin regulating the use of automated employment decision tools in April 2023 (Local Law 144).
Employee privacy rights: The takeaway
While it’s unclear whether additional employee-related data privacy regulations will pass in 2023, it is clear that the United States is following the European Union in the push for greater individual privacy rights. And, if there is no movement on a comprehensive national data protection regulation, employers can expect to continue to see a disjointed push by the states, each with their own specific requirements relating to an individual, consumer, or employee’s right to privacy.