Listen to this post

Many thanks to our data privacy colleagues for co-authoring this post: Lothar Determann, Helena Engfeldt and Jonathan Tam.

2022 is looking to be an unprecedented year for California companies’ privacy law obligations. The California Privacy Rights Act (CPRA) takes effect on January 1, 2023, with a twelve-month look-back that also applies to the personal data of employees and business contacts. The new California Privacy Protection Agency is preparing regulations that will sit on top of existing rules from the California Attorney General. Meanwhile, the California Legislature is enacting privacy laws even though it has not repealed or streamlined any of the myriad California privacy laws that continue to apply in addition to the California Consumer Privacy Act (CCPA).

On March 1, we held a webinar focused on the employment law implications stemming from these significant changes and covering a handful of critical hot topics (e.g., how to process vaccination information, the treatment of employees of PEOs, and EORs). If you missed it, here are the major highlights you should know!

Employment Takeaways

Preparing for CCPA / CPRA Compliance
  • CPRA amendments to CCPA take effect January 1, 2023; this ends the transitional exemptions for “HR” and “B2B contact information” and includes a 12-month look-back to January 1, 2022.
  • “At collection notices” have been required since January 1, 2020, with increased disclosure requirements since December 16, 2020. For more detail, click here.
  • Businesses must declare on January 1, 2023, in privacy policies whether they have been selling or sharing personal information of employees and B2B contacts in the preceding 12 months and, if yes, offer opt-out mechanisms and alternatives without discrimination.
  • Businesses must update service provider agreements, including with recruiters and IT, cloud, payroll, benefits, and other providers.
  • Businesses must offer broad access, deletion, rectification, portability and other rights to California employees and B2B contacts, and prepare for what may be the end of confidentiality in the employment area; employers should conduct training, and implement robust data governance policies (incl. deletion and discovery).
Data Access / Deletion Requests from Employees
  • Under existing employment law, California employees (not contractors) have the right to inspect and receive a copy of the personnel files and records that relate to their performance or any grievance concerning them within 30 days of their written request. The existing right to inspect does not extend to records relating to the investigation of a possible crime, letters of reference, or various ratings or reports.
  • By contrast, the new “right to know” under the CPRA/CCPA goes further. It encompasses two distinct rights: (i) the right to a disclosure explaining how the employer collects and handles the individual’s personal information; and (ii) the right to copies of “specific pieces of personal information.” The “right to know” applies to California consumers, which goes beyond employees (i.e., including contractors). In theory, it could extend the scope of the “right to know” from simply the personnel file to include, for example, informal communications about the employee, investigations, etc. Employers must generally comply with such requests within 45 days.
  • The “right to know,” however, is not absolute, and employers can refuse if the request is manifestly unfounded or excessive (e.g., if the purpose is to harass) and does not cover privileged information (e.g., communications with in-house and external counsel).
  • The CPRA/CCPA also introduce a new right to “data deletion.” This right is not absolute either. An exception should apply for most categories of personal information reasonably necessary to managing or administering current or past employment or contract work relationship.
  • Finally, the CPRA/CCPA gives California residents other rights including the right to limit the processing of sensitive information. There are exceptions to the right to limit the processing of sensitive information, but none of the statutory exceptions apply squarely to HR data.

Continue Reading A Quick Primer On New Privacy Law Obligations For California Employers

Listen to this post

Employee Resource Groups (ERGs), or workplace affinity groups, are not new, and in fact they have been around in workplaces since the 1970s when they evolved in response to racial tensions in the US. For years, ERGs mainly hosted networking events and weren’t typically remarkably impactful on the business, but served as a safe space and support network for members. ERGs have come a long way since then, expanding and deepening their influence and impact.

Now, ERGs are typically employee-led, voluntary forums that provide employees with support, and career development, mentorship and networking opportunities. They are often created around shared characteristics or personal traits like ERGs for women employees, members of historically underrepresented racial/ethnic groups, LGBTQ+ employees, veteran employees and more. In recent years, ERGs have expanded to include interest-based groups like working parents and caregivers, the environmentally conscious and mental health advocates. Further, business leaders increasingly recognizing the value ERGs can bring as key strategic partners. In fact, about 35% of companies have added or expanded their support for ERGs since the start of 2020, according to a 2021 study by McKinsey & Co. and LeanIn.org of 423 organizations employing 12 million people.

Why the shift?

This uptick in popularity of ERGs in the workplace is due in large part to the impact of COVID-19, which has amplified the prominence and importance of ERGs. After two years of pandemic-related isolation and a lot of social and political unrest, ERGs are playing an essential role in companies by fostering community, improving employee engagement and building company culture and brand. While it can be difficult to connect with employees feeling distanced by remote work, ERGs are an effective way to give employees a sense of belonging, shared purpose and support. For instance, during the pandemic, ERGs focused on women have shared tools for easing burdens for members suddenly facing new challenges of child-care demands while working from home. Likewise, they’ve given important feedback to help shape company policies and benefits.

Continue Reading DEI Matters: How Employee Resource Groups Can be Your Company’s Strategic Ally

Listen to this post

On March 3, President Biden signed the “Ending Forced Arbitration of Sexual Assault and Sexual Harassment Act,” H.R. 4445, into law. The landmark legislation allows a plaintiff to elect not to arbitrate covered disputes of sexual assault or sexual harassment. To understand the implications of the new law, click here.

Listen to this post

With special thanks to our data privacy colleague Helena Engfeldt for her contributions.

 On February 17, 2022, California Senator Bob Wieckowski introduced a bill (SB 1189) that would add protections for biometric information and establish a private right of action permitting individuals to allege a violation of the law and bring a civil action. The legislation is similar to the Biometric Information Privacy Act in Illinois (BIPA) which is creating expensive headaches for Illinois employers. (Read about the latest BIPA developments here.) If enacted, the law will cover all employers that use biometric time-keeping systems in California. Many employers would have to navigate the law alongside other California privacy laws such as the California Consumer Privacy Act (CCPA).

Here’s what employers need to know about SB 1189:

Covered employers?

The bill would apply to any private entity regardless of size. “Private entity” is defined as an individual, partnership, corporation, limited liability company, association, or similar group, however organized.

How does the bill define biometric information?
  • A person’s physiological, biological, or behavioral characteristics, including information pertaining to an individual’s deoxyribonucleic acid (DNA), that can be used or is intended to be used, singly or in combination with each other or with other identifying data, to establish individual identity;
  • It includes, but is not limited to, imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.

Continue Reading Biometric Protections May Be Coming to California Soon | Employers Should Get Ahead Now

Listen to this post

As the COVID-19 Omicron wave recedes and the desire to get back to a pre-pandemic “normal” is stronger than ever, scores of states have either lifted mask mandates or have set a date for lifting them. But what should employers take into account before allowing employees to toss masks aside?

In this Quick Chat video, Baker McKenzie’s Labor and Employment lawyers discuss key considerations for employers before dropping mask mandates in the workplace.

Click here to watch the video.

Listen to this post

Baker McKenzie’s Mind the Gap report outlines the main barriers to I&D success and key actions that companies can take to further develop their I&D programs. In this episode of TMT Talk, Kate AlexanderJulia Wilson, and Paul Evans focus on the insights from a survey of 900 employment and I&D leaders, looking at the most relevant issues to the TMT sector. Our lawyers highlight the key I&D challenges that the tech industry is facing and give their perspectives on the priorities that these companies need to keep in mind as they build strategies and strengthen their I&D initiatives.

Please click here for the podcast.

Listen to this post

President Biden is expected to sign into law landmark #MeToo legislation, which allows a plaintiff to elect not to arbitrate covered disputes of sexual assault or sexual harassment. The “Ending Forced Arbitration of Sexual Assault and Sexual Harassment Act of 2021,” amends the Federal Arbitration Act (FAA), by narrowing its scope and applicability. The bill’s passage had bipartisan support in both the House and the Senate.

Historically, some employers have implemented arbitration programs that require both the employer and its employees to arbitrate most or all types of employment claims, including claims alleging sexual harassment or sexual assault. Largely in response to the #MeToo movement, which began in late 2017, some states passed laws designed to prohibit or restrict employers from requiring employees to arbitrate sexual harassment or sexual assault claims. For example, in New York, employers are prohibited from requiring the arbitration of sexual harassment claims except where inconsistent with federal law. New York’s prohibition on mandatory arbitration in relation to sexual harassment claims went into effect on July 11, 2018, and it has applied to contracts entered into on or after that date. New Jersey and California have enacted similar laws. New Jersey’s law prohibits any provision of an arbitration agreement that waives a substantive or procedural right or remedy relating to employment discrimination, harassment, and retaliation claims. This law applies to all contracts and agreements entered into, renewed, modified, or amended on or after March 18, 2019. Further, on October 10, 2019, California enacted a law, which prohibits employers from requiring employees to sign new mandatory arbitration agreements concerning disputes arising under the California Fair Employment and Housing Act (FEHA) or California Labor Code.  California’s law applies only to agreements dated January 1, 2020 or after. However, courts have found these statutes to be pre-empted by the FAA.

On February 7, 2022, the U.S. House of Representatives overwhelmingly passed H.R. 4445, 335 to 97. Shortly thereafter, on February 10, 2022, the bill passed the Senate in an unrecorded voice vote.

Continue Reading Landmark #MeToo Legislation Allows Employees To Pursue Sexual Harassment & Assault Claims In Court, Rather Than Arbitration

Listen to this post

Actions under California’s Private Attorneys General Act (PAGA) have long plagued employers, both large and small, but that all may change this year.

What is PAGA?

PAGA, enacted in 2004, permits a single employee to stand in the shoes of the state’s Attorney General and file suit on behalf of other “aggrieved” employees to recover penalties for California Labor Code violations. The potential recovery against employers can be substantial, with default penalties calculated as $100 “for each aggrieved employee per pay period for the initial violation,” and $200 per aggrieved employer per pay period for “each subsequent violation.” As such, potential PAGA awards commonly reach millions of dollars against small employers, and tens of millions against large employers, just for simple administrative oversights.

In addition to the potential for steep penalties, several California court decisions have expanded the reach of PAGA over the years. In 2009, the California Supreme Court held that employees bringing actions under PAGA need not comply with the strict procedural rules governing class actions. See Arias v. Superior Court, 46 Cal. 4th 969 (2009). Then, in 2014, the California Supreme Court held that employees could not waive their right to bring PAGA claims in court, paving the way for an increase in PAGA litigation. See Iskanian v. CLS Transportation Los Angeles, LLC, 59 Cal. 4th 348 (2014).

Recently, California courts have provided some limits to the expansion of PAGA. In 2021, the California Court of Appeals provided a potential “manageability” defense for employers.  Specifically, in Wesson v. Staples The Office Superstore, LLC, the Court of Appeals held that trial courts have the discretion to strike claims for penalties under PAGA if the claims will be unmanageable due to individualized issues at trial. See 68 Cal. App. 5th 746 (2021).

Is there an end in sight?

However, the fate of PAGA may rest in the hands of California voters this year. In December 2021, California’s Secretary of State approved the distribution of a petition to put an initiative on the 2022 ballot called “the California Fair Pay and Accountability Act.” The California Fair Pay and Accountability Act aims to essentially repeal PAGA, and replace it with an alternative framework for the enforcement of labor laws.

Continue Reading California Employers: An End To California’s Private Attorneys General Act (PAGA)?

Listen to this post

As the Omicron wave recedes, a raft of states have announced plans to lift their mask mandates.

In the past few days alone, California, Connecticut, Delaware, Illinois, Massachusetts, Nevada, New Jersey, New York, Oregon, and Rhode Island have announced changes to their face covering rules. And if the number of Omicron cases continues to dwindle as expected–and remain low–more states are sure to follow.

We highlight key changes in California, Illinois, and New York below, and touch on some points employers should consider before tossing masks aside in the workplace.

California

California’s Department of Public Health announced it will let its Omicron-modified indoor mask mandate expire on Tuesday, February 15.  Beginning Wednesday, February 16, vaccinated individuals will be allowed to go maskless in most indoor public settings, unless a more restrictive local order remains in place.  Either way, the state’s pre-Omicron guidance will remain in effect, which means unvaccinated individuals must still wear masks in indoor public settings and workplaces.  Workplaces also must continue to follow the COVID-19 prevention standards set by Cal/OSHA.

Illinois

Illinois Governor Pritzker announced the state will lift its indoor mask requirement starting Monday, February 28.  With the fastest rate of decline in hospital metrics since the pandemic began, Illinoisans will soon be able to go maskless indoors in most instances.  However, masks will still be required in schools, health care facilities, prisons, and other designated settings.

New York

New York Governor Hochul announced an end to the state’s indoor mask-or-vaccine requirement starting Thursday, February 10.  Pointing to plummeting case counts and hospitalizations, Governor Hochul said it is time to let counties, cities, and businesses make their own decisions.  But not all mask requirements have been lifted. At the state level, masks are still required in schools, health care facilities, nursing homes, correctional facilities, public transit hubs, and some other specific settings.

What does this mean for employers?

Before employers allow their employees to show their faces at the office, employers should take these considerations into account.

  • While some states may be dropping mask mandates, both the Centers for Disease Control and Prevention (CDC) and the Occupational Safety and Health Administration (OSHA) still recommend face coverings  for unvaccinated individuals. Employers are still required to provide workers with a safe and healthful workplace under OSHA’s General Duty clause (Section 5(a)(1)), and with the CDC not yet endorsing the lifting of mask mandates, the jury’s still out on whether a “safe and healthful” workplace continues to include masks. Some states, including Mississippi and Nevada, have conditioned their liability shield law protections on employers following both guidance and requirements for COVID-19, so complying with CDC / OSHA guidance may be required for a company to take advantage of COVID-19 liability shield laws.  And potential exposure for third party or employee injury claims can increase if a company does not follow CDC / OSHA guidance, even when that guidance is not mandatory. Therefore, even in jurisdictions which no longer require indoor masks, employers may wish to consider CDC and OSHA guidance as part of their return-to-office plans (subject to local restrictions).
  • Federal contractors should remain mindful of Executive Order 14042 (EO) and the Safer Federal Workforce Task Force Guidance (Guidance) (which we blogged about here) requiring all federal contractors to ensure that all covered contractor employees are fully vaccinated for COVID-19 (unless the employee is legally entitled to a disability, medical, or religious accommodation). The Guidance also includes masking, distancing, travel and quarantine rules. While the EO’s vaccine mandate has been blocked nationwide by a Georgia federal district court, that court stated on January 21 that it did not block the Guidance’s other components–including its masking rules. On the other hand, injunctions against the EO issued in other courts, such as in Missouri and Kentucky, have not been clarified, making it difficult to determine if those injunctions bar enforcement of all of the EO’s requirements, or just the vaccine mandate. And an injunction issued by a Florida court covering all contracts within Florida bars all aspects of the Guidance. The EO remains subject to appeal in various appellate districts, and any one of those courts could determine that the federal government does not have congressional authority under the applicable federal procurement statute to require masks (or testing or distancing) in workplaces. Bottom line: the current landscape of the federal contractor EO is patchwork, but employees in some covered contractor workplaces are now required to wear a mask – even if state/local law doesn’t require it.
  • As always, employers should keep in mind that local county or city mandates may still apply. Case in point: California’s Santa Clara County has announced it will not join the state in lifting its indoor mask mandate. Los Angeles County also will keep its indoor mask mandate in place until the county’s level of transmission stays at or below the “moderate” level as defined by the CDC for two straight weeks and there are no new variants of concern circulating in the community. The CDC defines moderate transmission to be a cumulative, seven-day new case rate of less than 50 per 100,000 residents. As of today, the CDC’s website shows LA County as having a weekly average of 459 cases per 100,000 residents, a 53% reduction from the week before. If case rates continue to drop, LA County could lift its mask mandate as early as March. Elsewhere, though the state of Pennsylvania has no current mask mandate, Philadelphia city officials have reportedly said that Philadelphia’s mask mandate could remain for months. And even where counties have announced that they will lift mask mandates, those easing of restrictions may come with other requirements such as proof of vaccination and boosters.
  • Employers should also watch out for other, non-mask-related COVID-19 requirements that may still apply. Word on the street is that Chicago will likely lift its mask mandate at the end of February along with Illinois, and it has been reported that Chicago’s proof of vaccination mandate (requiring employers to determine the vaccination status of each employee and require COVID-19 testing for those who are not fully vaccinated) could also be lifted by the end of the month–but only if a decline in COVID metrics allows.
  • One good way to stay on top of all of the quickly-changing developments: make it a habit to check in with our regularly-updated 50-State Tracker, which provides key recent developments in the 50 states plus Washington, D.C., identifies and links to state-wide orders and guidance important for reopening, and includes a “What’s Open table for each jurisdiction highlighting the reopening status in the office, manufacturing, retail and bars/restaurants sectors.

For assistance with mask mandates, reopening plans, and other employment matters, contact your Baker McKenzie employment attorney.