Gone are the days when you could share droves of personal information with your employer without fear that the company could share or even sell that data outside the company.
After all, unlike other countries, the U.S. lacks universal comprehensive data protection laws except for narrow areas such as for medical information.
Luckily, new state laws strengthen your ability to control your information.
Last year, California passed the nation’s first comprehensive law designed to give consumers and employees more control over who has their personal information and what they can do with it. Other states, as well as Congress, are watching the California Consumer Privacy Act (CCPA) and some are moving to enact their own data privacy laws.
Although the CCPA only covers California consumers and employees, it may be the new benchmark for how employee data should be handled. Companies with multi-state operations may end up adopting a single policy, instead of different ones for different states, and use the CCPA guidelines as their corporate practice. So what does this mean for workers in California and other states?
The CCPA: First things first.
California’s law took effect on Jan. 1, but it won’t be subject to enforcement until July 1. Employers have six additional months, until Jan. 1 of 2021, to get their act together, and not all companies are covered. Only private companies with revenues greater than $25 million, and those who market information of at least 50,000 consumers or who get half their annual revenue from marketing consumer information, are covered by the law.
However, whether your employer is subject to the CCPA or not, California’s new law is a good guide for how employers may handle worker information in the future as other states, and perhaps the federal government, move in the same direction.
What information can employers collect?
When you apply for a job, the employer typically requests a lot of sensitive information, including your phone number and home address and prior employment history. Once you start working, the employer has full legal authority to collect even more information like your Social Security number, salary, work performance and possibly medical information such as whether you are injured on the job, request an accommodation or go on medical leave.
What can employers do with your information?
Until recently, employers had a lot of latitude to use, share and even market your private information. Due to heightened media attention, as well as laws such as the CCPA, employers in California and other states are becoming increasingly restricted in what they can do. Nevertheless, it’s important to understand what’s happening with your data.
The CCPA requires employers to tell workers what type of data they’re collecting and why they’re collecting it. The law defines “data” to include “professional or employment-related information,” “education information,” “identifiers,” “characteristics of a protected category,” “biometric information,” “internet activity,” “inferences drawn regarding a consumer’s preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes,” and “geolocation data.” That’s a lot of legalese, but it captures historical data, as well as information about race, religion, sexual orientation and disabilities.
How can you protect your information?
If the California law covers your company, you will now have the ability to control what happens with your information. The CCPA gives California job applicants, employees, and independent contractors a right to request the following:
(1) that the business tell them what personal information it has collected, sold, or disclosed, and to whom;
(2) that the business delete their personal information (but see below);
(3) a copy of the information that has been collected, sold, or disclosed; and
(4) to opt out of the sale of their personal information.
Employees who are covered by the law may not be retaliated against in any way - such as with a demotion or bad review -- for exercising these rights.
If you’re not subject to the law, and you believe your employer is seeking information that is beyond what is required by law, you should ask your employer why it is requesting such information. Additionally, some states and local laws require employers to provide employees with their personnel files upon request. If you’re not covered by the CCPA, you may still be able to receive your personnel file to see what information your employer maintains about you.
How long can employers keep your information?
Your information might stay in your company’s files for a long time. The CCPA says that employers aren’t required to delete data that is being maintained solely for internal uses reasonably related to the purpose for which the data was originally collected (such as human resources or other employment-related purposes). It also allows them to retain information that is required to comply with a legal obligation.
After your employment ends, the company will probably hold onto your data for a few more years. The Equal Employment Opportunity Commission (EEOC) advises employers to keep employment records for at least a year after the date of termination, and federal age-bias law requires that payroll records be kept for three years. California employment laws require companies to maintain employment records for at least three or four years.
The bottom line is that deletion will not be required for most applicant, employee, and independent contractor data that would otherwise be subject to the CCPA’s protections. But just because they keep your data doesn’t mean employers can use it, and, upon request, they must delete everything once the time has run.
You Have Rights
As an employee, you deserve to know what personal information your employer is collecting and selling. Even if you aren’t covered by the CCPA, you can ask to see your personnel file and you should be able to push back if you believe employer-requested information has no lawful reason.
Sonya Goodwin, Senior Counsel at Sauer & Wagner LLP of Los Angeles, represents employees and employers in a wide range of claims, including wage and hour violations, discrimination, harassment, retaliation, wrongful termination, defamation, intentional infliction of emotional distress and breach of contract. She can be reached at sgoodwin@swattys.com or (310) 712-8110.