Data privacy

Subscribe to Data privacy via RSS

We are pleased to announce that the 2026 Global Data & Cyber Handbook is now available. This essential resource for businesses navigating the complex landscape of data and cyber regulation covers key data and cyber laws in over 50 jurisdictions.
 
The latest edition provides expanded overviews and comparative insights, offering a clear view of

This article was originally published by IAPP linked here.

When monitoring employees in the workplace in the U.S. and Canada, employers must be cognizant of their obligations under employment and data privacy laws. 

In the US, employers can mostly negate privacy expectations from developing in the workplace by providing clear notice of monitoring practices and which notice is required in certain states, such as New York. But under the California Consumer Privacy Act, data minimization requirements apply and monitoring practices must be justifiable as necessary and proportionate.

In Canada, employers are required to balance operational needs such as safety, security and productivity, with the privacy rights of their employees. Monitoring should be reasonable, proportionate and tied to a legitimate business purpose. Organizations must comply with applicable federal or provincial privacy legislation, which can include safeguarding any employee personal information collected, obtaining employee consent in certain circumstances, and providing notice to employees of monitoring practices. 

For federally regulated private-sector employers — such as banks, airlines and telecommunications companies — employee monitoring is generally governed by the Personal Information Protection and Electronic Documents Act. Provinces that have enacted privacy laws deemed “substantially similar” to PIPEDA are exempt from its collection, use and disclosure provisions under section 26(2)(b). Presently, only Alberta, British Columbia and Québec have privacy legislation that is substantially similar to PIPEDA.

US: A patchwork of requirements apply to employers

At the federal level in the U.S., employee monitoring is primarily governed by the Electronic Communications Privacy Act and the Stored Communications Act, which permit monitoring for legitimate business purposes but impose strict limits on unauthorized interception and access to private communications. Further, employers must conduct all workplace monitoring and surveillance in compliance with federal, state and local anti-discrimination laws. And, all employers, even those with a nonunionized workforce, must comply with the National Labor Relations Act when conducting workplace monitoring and surveillance. Continue Reading Employee Monitoring in the US and Canada: What Employers Need to Know

As California continues to set the pace for employment law regulation, 2026 looks to be another high-speed race filled with sharp turns and new obstacles. From restrictions on repayment agreements and expanded Cal WARN notice requirements to stricter pay equity rules, and much more, California employers are entering a compliance race where every second counts.

Fast Track to 2026: A 75-Minute Must-Attend Webinar for In-House Counsel

The legal landscape impacting California employers is evolving at breakneck speed. As we race toward 2026, employers need to stay agile, informed, and ready to shift gears. This high-impact session will cover the most pressing workplace trends, risks, and regulatory changes ahead for California

Shortly after taking office, President Trump rescinded Biden’s Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence. Biden’s Executive Order sought to regulate the development, deployment, and governance of artificial intelligence within the US, identifying security, privacy and discrimination as particular areas of concern. Trump signed his own executive order titled “Removing Barriers to American Leadership in Artificial Intelligence,” directing his advisers to coordinate with the heads of federal agencies and departments, among others, to develop an “action plan” to “sustain and enhance America’s global AI dominance” within 180 days.

While we wait to see if and how the federal government intends to combat potential algorithmic discrimination and bias in artificial intelligence platforms and systems, a patchwork of state and local laws is emerging. Colorado’s AI Act will soon require developers and deployers of high-risk AI systems to protect against algorithmic discrimination. Similarly, New York City’s Local Law 144 imposes strict requirements on employers that use automated employment decision tools, and Illinois’ H.B. 3773 prohibits employers from using AI to engage in unlawful discrimination in recruitment and other employment decisions and requires employers to notify applicants and employees of the use of AI in employment decisions. While well-intentioned, these regulations come with substantial new, and sometimes vague, obligations for covered employers.

California is likely to add to the patchwork of AI regulation in 2025 in two significant ways. First, California Assemblymember Rebecca Bauer-Kahan, Chair of the Assembly Privacy and Consumer Protection Committee, plans to reintroduce a bill to protect against algorithmic discrimination by imposing extensive risk mitigation measures on covered entities. Second, the California Privacy Protection Agency’s ongoing rulemaking under the California Consumer Privacy Act will likely result in regulations restricting the use of automated decision-making technology by imposing requirements to mitigate algorithmic discrimination.Continue Reading Passage of Reintroduced California AI Bill Would Result In Onerous New Compliance Obligations For Covered Employers

  • Key laws and regulations, including recent changes and expected developments over the next year
  • Foundational data privacy obligations including information and notification requirements, data subject rights, accountability and governance measures, and responsibilities of data controllers and

On January 1, 2024, businesses must post updated Privacy Policies under the California Consumer Privacy Act (CCPA), which requires annual updates of disclosures and fully applies in the job applicant and employment context since January 1, 2023.

With respect to job applicants and employees, businesses subject to the CCPA are required to:

  1. Issue detailed privacy notices with prescribed disclosures, terminology, and organization;
  2. Respond to data subject requests from employees and job candidates for copies of information about them, correction, and deletion;
  3. Offer opt-out rights regarding disclosures of information to service providers, vendors, or others, except to the extent they implement qualified agreements that contain particularly prescribed clauses; and
  4. Offer opt-out rights regarding the use of sensitive information except to the extent they have determined they use sensitive personal information only within the scope of statutory exceptions.

If employers sell, share for cross-context behavioral advertising, or use or disclose sensitive personal information outside of limited purposes, numerous additional compliance obligations apply. For more: see also our related previous post: Employers Must Prepare Now for New California Employee Privacy Rights.

Key recommendations to heed now

Continue Reading Looking ahead to 2024: California privacy law action items for employers

On October 30, 2023, President Biden issued a 63-page Executive Order to define the trajectory of artificial intelligence adoption, governance and usage within the United States government. The Executive Order outlines eight guiding principles and priorities for US federal agencies to adhere to as they adopt, govern and use AI. While safety and security are predictably high on the list, so too is a desire to make America a leader in the AI industry including AI development by the federal government. While executive orders are not a statute or regulation and do not require confirmation by Congress, they are binding and can have the force of law, usually based on existing statutory powers.

Instruction to Federal Agencies and Impact on Non-Governmental Entities

The Order directs a majority of federal agencies to address AI’s specific implications for their sectors, setting varied timelines ranging from 30 to 365 days for each applicable agency to implement specific requirements set forth in the Order.

The actions required of the federal agencies will impact non-government entities in a number of ways, because agencies will seek to impose contractual obligations to implement provisions of the Order or invoke statutory powers under the Defense Production Act for the national defense and the protection of critical infrastructure, including: (i) introducing reporting and other obligations for technology providers (both foundational model providers and IaaS providers); (ii) adding requirements for entities that work with the federal government in a contracting capacity; and (iii) influencing overall AI policy development.Continue Reading Biden’s Wide-Ranging Executive Order on Artificial Intelligence Sets Stage For Regulation, Investment, Oversight and Accountability

Many thanks to our data privacy colleague, Helena Engfeldt, for co-authoring this article.

Many organizations are proactively advancing diversity and inclusion goals globally to include a focus on recruitment and employee-directed initiatives. These efforts are consistent with organizational values and business goals, even in cases where diversity data collection may have the