Data Privacy

Subscribe to Data Privacy via RSS

With special thanks to our data privacy colleagues Jonathan Tam and Helena Engfeldt for their contributions.

It’s increasingly common for employers to use social media during the hiring process. The temptation is obvious — there’s a wealth of potentially useful information about applicants available online. It’s not unreasonable to wish to use social media to understand a prospective employee’s professional qualifications and skills to determine whether they fit with the criteria for the position. It’s no wonder that a recent survey from The Harris Poll finds that seventy-one percent of US hiring decision-makers agree that looking at candidates’ social media profiles is an effective way to screen applicants. Furthermore, 70% believe employers should screen all applicants’ social media profiles, while the majority (67%) say they use social networking sites to research potential job candidates.

Despite the potential benefits, this sleuthing causes significant heart burn for employment and privacy lawyers and HR professionals. While social media can be a fruitful way to find and recruit candidates, a minefield of legal risks appear when companies use social media during the screening process.

Potential Risks

  • Discrimination! Federal, state and local anti-discrimination laws prohibit discrimination in hiring based on a prospective employee’s protected class. The danger of researching applicants using social media is that you may become aware that the applicant belongs to a protected category – something that through the general application process you otherwise would be unaware of. And, you can’t put the genie back in the bottle. If a recruiter or hiring manager has accessed this data, it is difficult to prove that they were not influenced by it in their hiring decision.

Continue Reading Guardrails For Using Social Media During The Hiring Process

Illinois employers have been waiting for answers on two important questions regarding the Illinois Biometric Information Privacy Act (BIPA):

  1. Whether the Illinois Workers’ Compensation Act (the Compensation Act) preempts BIPA statutory damages, and
  2. Whether BIPA claims accrue each time a person’s biometric information is scanned or transmitted without informed consent–or just the first time.

The

Special thanks to Lothar Determann, Helena Engfeldt, Jonathan Tam, Andrea Tovar, and Vivian Tse.

2022 is looking to be an unprecedented year for California companies’ privacy law obligations. The California Privacy Rights Act (CPRA) takes effect on January 1, 2023 with a twelve-month look-back that also applies to the personal

Special thanks to Guest Contributor Harry Valetk.

In early May, private sector employers in New York will face new disclosure requirements for electronic monitoring of employees.  Beginning May 7, 2022, New York will join Connecticut and Delaware among the states that now require employers to provide written notice to new hires who are subject to electronic monitoring.  These new disclosure requirements come after Governor Kathy Hochul signed into law amendments to Civil Rights Chapter 6, Article 5, Section 52-C*2.

Here’s what New York employers need to know now about the new law:

Who is covered under the law? All private employers with a place of business in New York regardless of size. “Employer” is defined as any individual, corporation, partnership, firm, or association with a place of business in the state (not including the state or any political subdivision of the state).

What does the law require?  In practice, the law requires employers to (1) provide employees with a notice of electronic monitoring, (2) obtain proof of acknowledgement, and (3) prominently post the notice for all to see.Continue Reading New York’s New Electronic Monitoring Disclosure Law Requires Action Before May

Many thanks to Lothar Determann and Jonathan Tam for this post.

Some of your job applicants and employees in California may be alarmed if you tell them you sell their personal information. But you will have to say you sell their personal information if you disclose their personal information to third parties after January 1, 2022 without including certain data processing clauses in your contracts, as required by the California Consumer Privacy Act (CCPA). So we recommend reviewing these contracts to ensure they include the prescribed clauses if you wish to avoid being a “seller” of personal information.

You should also get ready to field data access, deletion, correction, portability and other requests from your employees and other personnel in California starting January 1, 2023. This will require implementing new protocols and training up your human resources and compliance teams. We also recommend tightening up your data retention and deletion protocols to limit the amount of information you have to review when handling data subject requests.

Do you use employee monitoring software or algorithms to help you evaluate job applicants? You should ensure that your use of these and similar tools address upcoming requirements regarding automated decision-making, risk assessments and the use of sensitive personal information. Note that the CCPA also currently requires employers to issue privacy notices to their California employees pursuant to a California Privacy Rights Act (CPRA) amendment that took effect on December 16, 2020.

There is an HR exception under the CCPA but it is not comprehensive and expires January 1, 2023. When the CCPA originally passed in 2018, it included a limited, temporary carve-out for personal information of job applicants, employees, independent contractors and other personnel, who only needed to receive a brief “notice at collection.” The CPRA extended the limited carve-out until January 1, 2023 and immediately expanded the list of disclosures that employers have to provide to employees and candidates at or before the time of collecting their personal information.[1] Such “notices at collection” must include details about the types of personal information collected, the purposes for which the information is collected, and how long the personal information is retained or the criteria for determining the same. The California Attorney General’s CCPA Regulations also require notices at collection to indicate whether the business sells California residents’ personal information and a notice of the their right to opt-out of sales if so, and a link to the business’s privacy policy.[2] You should begin to address these requirements immediately if you have not done so already.Continue Reading Employers Must Prepare Now For New California Employee Privacy Rights

Special thanks to Melissa Allchin and Lothar Determann.

Our California Employer Update webinar is designed to ensure that California in-house counsel are up to speed on the top employment law developments of 2021 and are prepared for what’s on the horizon in 2022.

With our “quick hits” format, we provide a content-rich presentation complete

We identified and mapped out our most relevant blog posts, articles and video chats to serve as a quick and handy roadmap to recovery and renewal for your company.

Our 2022 Employment & Compensation Resource Navigator provides US multinational companies organized links to Baker McKenzie’s most helpful, relevant thought leadership in one brief document. Arranged

Special thanks to guest contributors Melissa Allchin and Harry Valetk

Our Labor and Employment, Global Immigration and Mobility, and Data Privacy lawyers discuss vaccine passports — what they are, how countries are already using them domestically and for international travelers, data privacy concerns related to the use of digital health documentation, and what employers should