Many thanks to our data privacy colleagues for co-authoring this post: Lothar Determann, Helena Engfeldt and Jonathan Tam.

2022 is looking to be an unprecedented year for California companies’ privacy law obligations. The California Privacy Rights Act (CPRA) takes effect on January 1, 2023, with a twelve-month look-back that also applies to the personal data of employees and business contacts. The new California Privacy Protection Agency is preparing regulations that will sit on top of existing rules from the California Attorney General. Meanwhile, the California Legislature is enacting privacy laws even though it has not repealed or streamlined any of the myriad California privacy laws that continue to apply in addition to the California Consumer Privacy Act (CCPA).

On March 1, we held a webinar focused on the employment law implications stemming from these significant changes and covering a handful of critical hot topics (e.g., how to process vaccination information, the treatment of employees of PEOs, and EORs). If you missed it, here are the major highlights you should know!

Employment Takeaways

Preparing for CCPA / CPRA Compliance
  • CPRA amendments to CCPA take effect January 1, 2023; this ends the transitional exemptions for “HR” and “B2B contact information” and includes a 12-month look-back to January 1, 2022.
  • “At collection notices” have been required since January 1, 2020, with increased disclosure requirements since December 16, 2020. For more detail, click here.
  • Businesses must declare on January 1, 2023, in privacy policies whether they have been selling or sharing personal information of employees and B2B contacts in the preceding 12 months and, if yes, offer opt-out mechanisms and alternatives without discrimination.
  • Businesses must update service provider agreements, including with recruiters and IT, cloud, payroll, benefits, and other providers.
  • Businesses must offer broad access, deletion, rectification, portability and other rights to California employees and B2B contacts, and prepare for what may be the end of confidentiality in the employment area; employers should conduct training, and implement robust data governance policies (incl. deletion and discovery).
Data Access / Deletion Requests from Employees
  • Under existing employment law, California employees (not contractors) have the right to inspect and receive a copy of the personnel files and records that relate to their performance or any grievance concerning them within 30 days of their written request. The existing right to inspect does not extend to records relating to the investigation of a possible crime, letters of reference, or various ratings or reports.
  • By contrast, the new “right to know” under the CPRA/CCPA goes further. It encompasses two distinct rights: (i) the right to a disclosure explaining how the employer collects and handles the individual’s personal information; and (ii) the right to copies of “specific pieces of personal information.” The “right to know” applies to California consumers, which goes beyond employees (i.e., including contractors). In theory, it could extend the scope of the “right to know” from simply the personnel file to include, for example, informal communications about the employee, investigations, etc. Employers must generally comply with such requests within 45 days.
  • The “right to know,” however, is not absolute, and employers can refuse if the request is manifestly unfounded or excessive (e.g., if the purpose is to harass) and does not cover privileged information (e.g., communications with in-house and external counsel).
  • The CPRA/CCPA also introduces a new right to “data deletion.” This right is not absolute either. An exception should apply for most categories of personal information reasonably necessary to managing or administering a current or past employment or contract work relationship.
  • Finally, the CPRA/CCPA gives California residents other rights including the right to limit the processing of sensitive information. There are exceptions to the right to limit the processing of sensitive information, but none of the statutory exceptions apply squarely to HR data.


Continue Reading A Quick Primer On New Privacy Law Obligations For California Employers

Employee Resource Groups (ERGs), or workplace affinity groups, are not new, and in fact they have been around in workplaces since the 1970s when they evolved in response to racial tensions in the US. For years, ERGs mainly hosted networking events and typically did not have a remarkable impact on the business, but served as a safe space and support network for members. ERGs have come a long way since then, expanding and deepening their influence and impact.

Now, ERGs are typically employee-led, voluntary forums that provide employees with support, and career development, mentorship and networking opportunities. They are often created around shared characteristics or personal traits like ERGs for women employees, members of historically underrepresented racial/ethnic groups, LGBTQ+ employees, veteran employees and more. In recent years, ERGs have expanded to include interest-based groups like working parents and caregivers, the environmentally conscious and mental health advocates. Further, business leaders are increasingly recognizing the value ERGs can bring as key strategic partners. In fact, about 35% of companies have added or expanded their support for ERGs since the start of 2020, according to a 2021 study by McKinsey & Co. and LeanIn.org of 423 organizations employing 12 million people.

Why the shift?

This uptick in popularity of ERGs in the workplace is due in large part to the impact of COVID-19, which has amplified the prominence and importance of ERGs. After two years of pandemic-related isolation and a lot of social and political unrest, ERGs are playing an essential role in companies by fostering community, improving employee engagement and building company culture and brand. While it can be difficult to connect with employees feeling distanced by remote work, ERGs are an effective way to give employees a sense of belonging, shared purpose and support. For instance, during the pandemic, ERGs focused on women have shared tools for easing burdens for members suddenly facing new challenges of child-care demands while working from home. Likewise, they’ve given important feedback to help shape company policies and benefits.

Continue Reading DEI Matters: How Employee Resource Groups Can be Your Company’s Strategic Ally

On March 3, President Biden signed the “Ending Forced Arbitration of Sexual Assault and Sexual Harassment Act,” H.R. 4445, into law. The landmark legislation allows a plaintiff to elect not to arbitrate covered disputes of sexual assault or sexual harassment. To understand the implications of the new law, click here.

With special thanks to our data privacy colleague Helena Engfeldt for her contributions.


On February 17, 2022, California Senator Bob Wieckowski introduced a bill (SB 1189) that would add protections for biometric information and establish a private right of action permitting individuals to allege a violation of the law and bring a civil action. The legislation is similar to the Biometric Information Privacy Act in Illinois (BIPA) which is creating expensive headaches for Illinois employers. (Read about the latest BIPA developments here.) If enacted, the law will cover all employers that use biometric time-keeping systems in California. Many employers would have to navigate the law alongside other California privacy laws such as the California Consumer Privacy Act (CCPA).

Here’s what employers need to know about SB 1189:

Covered employers?

The bill would apply to any private entity regardless of size. “Private entity” is defined as an individual, partnership, corporation, limited liability company, association, or similar group, however organized.

How does the bill define biometric information?
  • A person’s physiological, biological, or behavioral characteristics, including information pertaining to an individual’s deoxyribonucleic acid (DNA), that can be used or is intended to be used, singly or in combination with each other or with other identifying data, to establish individual identity;
  • It includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.


Continue Reading Biometric Protections May Be Coming to California Soon | Employers Should Get Ahead Now

Actions under California’s Private Attorneys General Act (PAGA) have long plagued employers, both large and small, but that all may change this year.

What is PAGA?

PAGA, enacted in 2004, permits a single employee to stand in the shoes of the state’s Attorney General and file suit on behalf of other “aggrieved” employees to recover penalties for California Labor Code violations. The potential recovery against employers can be substantial, with default penalties calculated as $100 “for each aggrieved employee per pay period for the initial violation,” and $200 per aggrieved employee per pay period for “each subsequent violation.” As such, potential PAGA awards commonly reach millions of dollars against small employers, and tens of millions against large employers, just for simple administrative oversights.

In addition to the potential for steep penalties, several California court decisions have expanded the reach of PAGA over the years. In 2009, the California Supreme Court held that employees bringing actions under PAGA need not comply with the strict procedural rules governing class actions. See Arias v. Superior Court, 46 Cal. 4th 969 (2009). Then, in 2014, the California Supreme Court held that employees could not waive their right to bring PAGA claims in court, paving the way for an increase in PAGA litigation. See Iskanian v. CLS Transportation Los Angeles, LLC, 59 Cal. 4th 348 (2014).

Recently, California courts have provided some limits to the expansion of PAGA. In 2021, the California Court of Appeals provided a potential “manageability” defense for employers. Specifically, in Wesson v. Staples The Office Superstore, LLC, the Court of Appeals held that trial courts have the discretion to strike claims for penalties under PAGA if the claims will be unmanageable due to individualized issues at trial. See 68 Cal. App. 5th 746 (2021).

Is there an end in sight?

However, the fate of PAGA may rest in the hands of California voters this year. In December 2021, California’s Secretary of State approved the distribution of a petition to put an initiative on the 2022 ballot called “the California Fair Pay and Accountability Act.” The California Fair Pay and Accountability Act aims to essentially repeal PAGA, and replace it with an alternative framework for the enforcement of labor laws.

Continue Reading California Employers: An End To California’s Private Attorneys General Act (PAGA)?

Beyond chocolate and conversation hearts, many employers are looking to seriously woo employees this Valentine’s Day, and throughout the year. In fact, for most companies, retaining and attracting the best talent in today’s fierce labor market is a top priority in 2022.

The Great Resignation (aka the “Big Quit”) is in full effect. According to a Bureau of Labor Statistics (BLS) report released January 4, 2022, a record 4.5 million Americans left their jobs in November, with the number of private sector quits (not government or farm employees) hitting 4.3 million, and approximately 20 million people quit their jobs in the second half of 2021. And, there are just 0.62 unemployed job seekers for each available job, according to another BLS report. The forecast: employees are likely to continue to have substantial bargaining power in 2022. So employers who want to hold onto the great employees they have, and perhaps take their shot at hiring more, may need to look for creative ways to up the ante this year.

Here are five things employers are doing to retain and hire the best of the best talent in 2022.

  1. Embracing remote work because it allows for the flexibility some employees are demanding

Remote work was indispensable for many in the early pandemic. Now, having the option to work remotely, at least some of the time, is becoming an expectation. According to a survey of 209,000 people in 190 countries by BCG, 89% of people expect their jobs to be partly remote after the pandemic ends. Hybrid work is now a norm for many employers as they pivot to navigate the ebb and flow of COVID variants, allowing for the flexibility required by the pandemic and meeting employee desires. According to Forbes, in a recent survey of US workers who can work remotely, 74% would prefer to spend at least one day in an office environment post-COVID-19, with 30% looking to work from a space outside the home two or three days per week. Digital nomad visas, which allow employees to work in a different country after an application and a fee, are another lure for some employees who can successfully work away from the office.

What does this mean for employers? In industries and for positions where working remotely is a viable option, employers who don’t offer employees the ability to work remotely, at least part of the week, may see employees jump ship to employers who do. In one report published by Owl Labs, companies that provide the option for remote work have 25% lower turnover than companies that don’t.

But remote work isn’t as easy as just telling employees they can work from home, or wherever they want.

Employers must consider a myriad of employment law issues before crafting any type of remote work policy, including:

  • How employers will define “remote” for their workforce, i.e., temporary “short stints,” permanent remote work, hybrid work (working some days from home and others in the office), or some combination of these. And, employers must decide whether employees will be permitted to work remotely only from home, or remotely from anywhere.
  • “Guardrails” or boundaries for the workforce. Often, this is based on factors such as whether the company already has a legal presence in the subject jurisdiction and ensuring employees can remain subject to company rules and expectations in the jurisdiction from which the employee is requesting to remotely work. Other factors, such as head count triggers for application of paid sick leave laws, must also be taken into consideration.
  • Designing an application process with established criteria. Where used, an application process should cover details such as which job positions can be performed remotely, eligible locations, whether a justification is required, and the objective criteria for accepting / rejecting applications. Decision-makers must be trained on applying the criteria objectively.
  • Developing policies to support the remote model, including salary/cost of living adjustments, how necessary equipment will be provided and whether certain costs will be reimbursed, how the company will track hours/overtime/mandatory rest breaks, necessary steps to mitigate increased risks of misappropriation of confidential information and trade secrets, and revising the business travel policy as necessary to apply to remote workers.
  • Providing employees with individualized remote work agreements, setting forth important information such as the effective date of the arrangement, expected hours of work, use of equipment, reimbursement/stipends, insurance requirements, and compensation. Agreements should also confirm the work location (to document the employee’s representation of the jurisdiction in which they are working and paying taxes) and protect the company’s right to recall employees to an onsite location.
  • Training managers and supervisors on the importance of treating all employees equally, whether they are in the office daily with substantial “face time,” or almost never in the office with only remote meeting “face time,” to avoid discrimination claims.

However employers decide, any type of remote work program raises a plethora of compliance issues (including employment law as mentioned above, as well as benefits and compensation, tax, privacy, and corporate law issues), all of which change from jurisdiction to jurisdiction. As employers design and implement remote work programs, they should work with counsel to stay compliant.

Continue Reading This Valentine’s Day Embrace 5 Strategies to Show Employees Some Love in a Competitive Talent Market

On February 9, California Governor Gavin Newsom signed legislation (Senate Bill 114) providing up to two additional weeks of paid time off if an employee is sick with COVID-19, or if they have to take care of a family member who contracts the disease. The law takes effect immediately and is retroactive to January 1, 2022, but an employer’s obligation to provide 2022 COVID-19 supplemental California paid sick leave (CPSL) does not begin until 10 days after the governor signs: February 19, 2022. Leave is available through September 30, 2022.

The law is similar to legislation that expired in September last year.

What kinds of employers are covered?

Small businesses are exempt. The new law only applies to businesses with 26 employees or more.

Who are covered employees?

Covered employees are those unable to work or telework due to certain reasons related to COVID-19, including:

Continue Reading California Revives Supplemental Paid Sick Leave Creating Immediate Obligations for Employers | Everything You Need to Know

With special thanks to our data privacy colleagues Jonathan Tam and Helena Engfeldt for their contributions.

It’s increasingly common for employers to use social media during the hiring process. The temptation is obvious — there’s a wealth of potentially useful information about applicants available online. It’s not unreasonable to wish to use social media to understand a prospective employee’s professional qualifications and skills to determine whether they fit with the criteria for the position. It’s no wonder that a recent survey from The Harris Poll finds that seventy-one percent of US hiring decision-makers agree that looking at candidates’ social media profiles is an effective way to screen applicants. Furthermore, 70% believe employers should screen all applicants’ social media profiles, while the majority (67%) say they use social networking sites to research potential job candidates.

Despite the potential benefits, this sleuthing causes significant heartburn for employment and privacy lawyers and HR professionals. While social media can be a fruitful way to find and recruit candidates, a minefield of legal risks appears when companies use social media during the screening process.

Potential Risks

  • Discrimination! Federal, state and local anti-discrimination laws prohibit discrimination in hiring based on a prospective employee’s protected class. The danger of researching applicants using social media is that you may become aware that the applicant belongs to a protected category – something that through the general application process you otherwise would be unaware of. And, you can’t put the genie back in the bottle. If a recruiter or hiring manager has accessed this data, it is difficult to prove that they were not influenced by it in their hiring decision.


Continue Reading Guardrails For Using Social Media During The Hiring Process

As we previously reported, at the end of last year, the New York City Council passed a bill to require NYC employers with four or more employees to disclose in job postings – including those for promotion or transfer opportunities – the minimum and maximum salary offered for any position located within New York