2023 Mid-Year Report: Data Privacy

Copy

Alithea Facon;

Regardless of the month or year, employers can count on one thing, changes in workplace law. As we reach the halfway point of the year, 2023 looks no different. The Getting Jobs Podcast is one of a series of short programs that will accompany the Jackson Lewis 2023 Mid-Year Report. Bringing you the legislative, regulatory and litigation insights that have shaped the year so far and will continue to do so. We invite you and others in your organization to experience the report in its entirety on JacksonLewis.com, or turn to any streaming platform for compelling content and listen to the podcast series. Thanks for joining us.

Damon Silver:

Thank you for joining our mid-year podcast on key data privacy and security issues. My name is Damon Silver and I am the principal and member of the firm’s New York City office and the firm’s data privacy and cybersecurity team. Today I’m joined by my colleague Mary Costigan from our Berkeley Heights office, who is another member of our core team.

Data privacy and security is a vast and fast-moving area, and Mary and I spend a lot of time working with our clients to enable them to continue pursuing their business objectives without having to worry about unacceptable data privacy and security risks. In order to give our listeners insight into the most pressing issues for our clients, both in the near and long term, Mary and I will address four frequently asked questions. The first of the questions, Mary, is that we are seeing many states enacting new privacy laws. I think as many as 10 governments now have comprehensive privacy laws on their books. How do we know as an organization whether we are in compliance with some or most of these laws, and what are our best options for coming into compliance efficiently and effectively?

Mary Costigan:

Hey Damon, so you’re right. This is a frequent question we hear from customers. Since the passage of the CCPA, California’s consumer privacy law, for those of you unfamiliar with the CCPA, 10 other states have enacted comprehensive consumer data protection laws, and the number is growing. So the good news for employers is that unlike the CCPA, these rules don’t apply to applicant or employee data, but for companies that still want to know whether these rules apply to their customer data, the good test is slightly different from the CCPA test. The test for companies operating in these states is not revenue, but the number of residents they collect personal data from. Therefore, in order to comply with these state laws, you must collect more than a certain amount of personal information of state residents.

Depending on the state, this can be the data of 50,000, 75,000 or one hundred thousand residents, but if you sell PI or personal information of residents, a different test can be applied. So outside of this test, these rules are very similar to the CCPA. All require data protection language and your supplier agreements, including performing a data protection impact assessment and providing notice to users of your data collection activities, including the right to access or control data usage. There are many new consumer data protection laws, but the good news is that there is significant overlap when it comes to compliance. Therefore, customers should be able to use specific targeted adjustments to their data maps, notices, policies, and even practices to comply with these state laws. So Damon, I have a question. What is the deal with all these class action lawsuits related to website tracking technologies and how does this relate to data protection?

Damon Silver:

Yes, great question, Mary. So for advertising, marketing, site maintenance, and various other purposes, many organizations are using technologies on their websites that tell users what pages they visit, what they click on, what they search for, what videos they watch, and what they talk about through chat and other communication tools. In many cases, with many customers we’ve talked to, they don’t even realize some of these technologies are in use. For example, they may have been installed years ago by a salesperson or marketing director and are still on the customer’s site even though no one is actively using the data collected or aware that they will use the data collected by these devices in any event, and we are seeing many cases where our customers have certain tracking technologies used in their sites, but these are not full capabilities.

In particular, you may not be aware that some of these tools are not only collecting information from users, but also disclosing that information to third parties, such as organizations that provide targeted advertising services. To some extent, the plaintiff’s bar is that use of these technologies may violate federal and state wiretapping laws, which, for the uninitiated, prohibit unauthorized interception of communications, and these technologies may violate protections against invasion of privacy and disclosure of sensitive information. Because of all this, in the last year or so we have seen an explosion in the pursuit of class actions on the web, and there are all signs that this trend is increasing.

So one of the things we do with many of our clients to try and get out of this litigation risk is to partner with a data analytics firm to examine the client’s website to identify what tracking technologies are being used and what those technologies are doing, and then we can work with the client to analyze the associated legal risks and begin developing strategies to better manage that risk. So Mary, sticking with the topic of tracking technologies, a question we get from many clients is whether they are interested in using various tracking technologies to track their employees’ physical location, websites they visit, searches, what they say in emails. And what are the legal risks involved with how these technologies are used and with our clients?

Mary Costigan:

for sure. So this is an area where we advise customers to proceed with caution. As you point out, the need to track employees is growing, especially with a remote workforce. We are seeing customers use different technologies to do this monitoring. It could be keystroke loggers, screen recording and browser tracking, GPS, CCTV and even smart cards. And this is just a small representation of the types of technology you can track right now. Usually the companies have legitimate interests or needs to make this money, but as I said before, it has high risks. So proceed carefully, some of the dangers. For example, we see more and more states enacting laws regulating employee supervision. What makes this compliance challenging is if you have employees in different states. These state laws vary. They differ in the type of monitoring they cover.

They vary according to the type of advertisement and how it is given, as well as whether or not consent is required. In addition to state laws, you may have surveillance activities that could pose a risk if surveillance cannot access sensitive information such as an employee’s personal email, their sensitive personal information such as financial or health information, contact information with their attorney, or personal photos.

Therefore, this type of access can lead to invasion of privacy claims and even discrimination claims against the company. So you have state laws that you need to navigate. You have certain surveillance activities that may result in violations of the Electronic Communications Privacy Act. Also, if you are pursuing employee relations, this may be a violation of the National Labor Relations Act, and the NLRA protects an employee’s ability to exercise certain rights, including having union-protected discussions. Therefore, there are several factors to consider carefully before starting a monitoring program.

Damon, another topic that’s generating a lot of questions that we’re getting right now is AI. What are the key AI-related risks we should be aware of?

Damon Silver:

Yes, so Mary, this is a broad topic and it’s definitely changing fast. Our AI team, of which Mary and I are both members, have been closely monitoring legal developments in this area. And in terms of recruitment, there are two areas that are coming into focus. First is the use of automated decision-making tools to help decide which employees to hire and promote. The second is how to manage employee-generated AI tools like Chat GPT. Under the first title of the new New York City law, employers who use AEDT or automated employment decision tools must verify that those tools have conducted a bias audit in the past year. They must publish the results of those audits, and provide advanced notice to applicants’ employees about the use of those tools, as well as employers, on issues related to data privacy and security practices.

We’ve seen several other states consider similar legislation, and the EEEE has made role and workplace discrimination a focus point. Regarding the use of labor generator AI. One of the key issues we’ve been discussing with clients is preventing employees from unwittingly disclosing sensitive information by entering it into tools like Chat GPT. Another thing is to rely on the information of employees in one of these tools, which is very refined and very reliable, but it is probably completely false, and there are different ideas of intellectual property. And of course, like the first issue I touched on, there’s a concern about hidden biases in these tools and what that might mean for businesses whose employees use these tools for different jobs.

For listeners interested in diving deeper into these topics, our AI team co-leaders Joe Lazzarotti and Eric Felsberg recorded a mid-year podcast on this topic, which we encourage you to check out.

Mary Costigan:

Thanks, Damon. So a few thoughts to wrap up. Damon, as we have already mentioned, has become such an active area in the law and litigation of data protection. We are constantly hearing from our clients how difficult it is to keep up with new developments in their day-to-day responsibilities. So we wanted to take this time to help answer some common questions we think you might have. But in our Jackson Lewis Privacy and Cybersecurity practice group, we frequently blog about new data protection laws, compliance, best practices, and even trending litigation issues. So please feel free to check out our Workplace Privacy Blog. Available on the Jackson Lewis website or contact us. We are always happy to help. Damon, it’s always a pleasure meeting you.

Damon Silver:

Same goes for you, Mary.

Alithea Facon;

Thanks for joining us on We Get Work™. Please stay tuned for our next episode where we will tell you what is not only legal but also effective. We Get Work™ is available for streaming and subscription on Apple Podcasts, Google Podcasts, Libcine, Pandora, SoundCloud, Spotify, Stitcher and YouTube. For more information on today’s topic, our vendors and other Jackson Lewis resources, visit JacksonLewis.com. As a reminder, this material is provided for informational purposes only. It is not intended to constitute legal advice, nor does it create an attorney-client relationship between Jackson Lewis and any recipient.