In December 2021, the Ontario government passed Bill 27 – Working for Workers Act, 2021 requiring employers with 25 or more employees to create a “Disconnecting from Work Policy” by June 2, 2022. The Ontario government is following the lead of
Many thanks to our colleague in London, Julia Wilson, for co-presenting.
An influx of high profile whistleblowing cases have made headlines in recent years, and claims (and awards) are on the rise. At the same time, more defined and greater protections for whistleblowers are coming into play in the US, UK and…
2022 is looking to be an unprecedented year for California companies’ privacy law obligations. The California Privacy Rights Act (CPRA) takes effect on January 1, 2023, with a twelve-month look-back that also applies to the personal data of employees and business contacts. The new California Privacy Protection Agency is preparing regulations that will sit on top of existing rules from the California Attorney General. Meanwhile, the California Legislature is enacting privacy laws even though it has not repealed or streamlined any of the myriad California privacy laws that continue to apply in addition to the California Consumer Privacy Act (CCPA).
On March 1, we held a webinar focused on the employment law implications stemming from these significant changes and covering a handful of critical hot topics (e.g., how to process vaccination information, the treatment of employees of PEOs, and EORs). If you missed it, here are the major highlights you should know!
Preparing for CCPA / CPRA Compliance
- CPRA amendments to CCPA take effect January 1, 2023; this ends the transitional exemptions for “HR” and “B2B contact information” and includes a 12-month look-back to January 1, 2022.
- “At collection notices” have been required since January 1, 2020, with increased disclosure requirements since December 16, 2020. For more detail, click here.
- Businesses must declare on January 1, 2023, in privacy policies whether they have been selling or sharing personal information of employees and B2B contacts in the preceding 12 months and, if yes, offer opt-out mechanisms and alternatives without discrimination.
- Businesses must update service provider agreements, including with recruiters and IT, cloud, payroll, benefits, and other providers.
- Businesses must offer broad access, deletion, rectification, portability and other rights to California employees and B2B contacts, and prepare for what may be the end of confidentiality in the employment area; employers should conduct training, and implement robust data governance policies (incl. deletion and discovery).
Data Access / Deletion Requests from Employees
- Under existing employment law, California employees (not contractors) have the right to inspect and receive a copy of the personnel files and records that relate to their performance or any grievance concerning them within 30 days of their written request. The existing right to inspect does not extend to records relating to the investigation of a possible crime, letters of reference, or various ratings or reports.
- By contrast, the new “right to know” under the CPRA/CCPA goes further. It encompasses two distinct rights: (i) the right to a disclosure explaining how the employer collects and handles the individual’s personal information; and (ii) the right to copies of “specific pieces of personal information.” The “right to know” applies to California consumers, which goes beyond employees (i.e., including contractors). In theory, it could extend the scope of the “right to know” from simply the personnel file to include, for example, informal communications about the employee, investigations, etc. Employers must generally comply with such requests within 45 days.
- The “right to know,” however, is not absolute, and employers can refuse if the request is manifestly unfounded or excessive (e.g., if the purpose is to harass) and does not cover privileged information (e.g., communications with in-house and external counsel).
- The CPRA/CCPA also introduce a new right to “data deletion.” This right is not absolute either. An exception should apply for most categories of personal information reasonably necessary to managing or administering current or past employment or contract work relationship.
- Finally, the CPRA/CCPA gives California residents other rights including the right to limit the processing of sensitive information. There are exceptions to the right to limit the processing of sensitive information, but none of the statutory exceptions apply squarely to HR data.
With special thanks to our data privacy colleague Helena Engfeldt for her contributions.
On February 17, 2022, California Senator Bob Wieckowski introduced a bill (SB 1189) that would add protections for biometric information and establish a private right of action permitting individuals to allege a violation of the law and bring a civil action. The legislation is similar to the Biometric Information Privacy Act in Illinois (BIPA) which is creating expensive headaches for Illinois employers. (Read about the latest BIPA developments here.) If enacted, the law will cover all employers that use biometric time-keeping systems in California. Many employers would have to navigate the law alongside other California privacy laws such as the California Consumer Privacy Act (CCPA).
Here’s what employers need to know about SB 1189:
The bill would apply to any private entity regardless of size. “Private entity” is defined as an individual, partnership, corporation, limited liability company, association, or similar group, however organized.
How does the bill define biometric information?
- A person’s physiological, biological, or behavioral characteristics, including information pertaining to an individual’s deoxyribonucleic acid (DNA), that can be used or is intended to be used, singly or in combination with each other or with other identifying data, to establish individual identity;
- It includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.
As I&D rises to the top of the corporate agenda, how can organizations bridge the disconnects between workplace functions in order to accelerate progress? This episode explores the findings and shares practical takeaways from our Mind the Gap series, which examines the role that compliance…
California has always kept employers on their toes when it comes to changing employment laws. This year is no exception. Here is our roundup of the top 10 developments California employers need to know. (And scroll down to see what’s on the horizon!)
- Minimum Wage Increases
Effective January 1, 2022, the California state minimum wage increased to $15.00 per hour ($14.00 per hour for employers with 25 or fewer employees). As a result, the minimum monthly salary for California exempt employees increased to $5,200, or $62,400 on an annual basis (which is two times the state minimum wage for full-time employment).
For computer software employees, their minimum hourly rate of pay increased to $50.00 and the minimum monthly salary increased to $8,679.16 ($104,149.81 annually). And for licensed physicians and surgeons, the minimum hourly rate of pay increased to $91.07 .
Some counties and cities have imposed their own higher minimum wage rates, including Los Angeles, where a $15 minimum wage for all employers took effect in July 2021. The following local minimum wages took effect on January 1, 2022, regardless of employer size:…
Some of your job applicants and employees in California may be alarmed if you tell them you sell their personal information. But you will have to say you sell their personal information if you disclose their personal information to third parties after January 1, 2022 without including certain data processing clauses in your contracts, as required by the California Consumer Privacy Act (CCPA). So we recommend reviewing these contracts to ensure they include the prescribed clauses if you wish to avoid being a “seller” of personal information.
You should also get ready to field data access, deletion, correction, portability and other requests from your employees and other personnel in California starting January 1, 2023. This will require implementing new protocols and training up your human resources and compliance teams. We also recommend tightening up your data retention and deletion protocols to limit the amount of information you have to review when handling data subject requests.
Do you use employee monitoring software or algorithms to help you evaluate job applicants? You should ensure that your use of these and similar tools address upcoming requirements regarding automated decision-making, risk assessments and the use of sensitive personal information. Note that the CCPA also currently requires employers to issue privacy notices to their California employees pursuant to a California Privacy Rights Act (CPRA) amendment that took effect on December 16, 2020.
The United States Department of Labor, Occupational Safety and Health Administration (OSHA) has decided to sing the same song as its sister agency. Last Friday, August 13, OSHA updated its guidance for American workplaces, auto-tuning its recommendations for fully vaccinated employees to match recent guidance issued by the Centers for Disease Control and Prevention (CDC).…
As more US companies prepare to return to the office, whether on a hybrid schedule or otherwise, in addition to grappling with COVID testing protocols and vaccine mandates (read more here), is the reality of re-engaging with compliance matters that may have been on “hiatus” for the last year.
One time-sensitive topic that may…