Employee Privacy


Employers collect, store and manage more data about their employees than ever before, creating unprecedented privacy complexities as well as significant compliance issues. Evolving technologies designed to support employer efficiencies, such as digital monitoring and biometric authentication, as well as the collection and use of sensitive personal information for diversity initiatives and other employee programs, create novel risks. Moreover, companies that previously had no need to collect sensitive health information from employees have grappled with issues relating to the collection of temperature data, vaccine information and COVID-19 test data, as well as the appropriate retention of this information, as a result of the global pandemic.

In January 2023, through the enactment of the California Privacy Rights Act (CPRA), California is positioned to become the first U.S. state to enact a comprehensive data privacy law covering employee data, bringing this data into the scope of one of the most rigid data protection regulations in the world. Employers face many challenges in preparing their businesses for CPRA readiness, including the unstructured nature of employee data and the complicated intersection of data protection and employment laws.

Ransomware and other cybercrimes can expose data and disrupt business operations, and even unwitting employee error can result in a data breach. Many companies have undergone an abrupt shift to hybrid workplaces and work-from-home arrangements, presenting various additional risks that sensitive information will be exposed or threatened.

Our team combines the strengths of two powerhouse practice groups – Labor and Employment and Digital Assets and Data Management (DADM) – to deliver best-in-class counsel on myriad federal, state and local laws relating to data privacy protection in order to avoid contentious matters such as litigation, government enforcement actions and negative publicity. We are well equipped to lead and defend your company in this high-stakes arena and help you best prepare for and navigate government investigations or enforcement actions should these arise.

We excel at helping employers discover where they are vulnerable, and we help strengthen their defenses and employ best practices across the enormous range of employee privacy-related areas, including bring-your-own-device (BYOD) practices, social media, background checks, contact tracing, biometric authentication, artificial intelligence programs, payroll and third-party vendors.

Our labor and employment and privacy attorneys are deeply experienced and nationally recognized as leaders in their fields, and support businesses of all sizes with smart, timely and effective counsel. Our multidisciplinary team of labor and employment and DADM attorneys provides strategic counseling on compliance with data privacy laws, conducts data privacy audits, provides proactive training and risk assessments, responds to security and compliance incidents, negotiates and responds to consumer or regulator inquiries on behalf of employers, and handles all the complexities of privacy-related matters, including litigation and class actions.

We are experienced in advising and counseling our clients on:

  • Federal, state and international laws and regulations, including the CPRA, the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR), the Illinois Biometric Information Privacy Act (BIPA), the Health Insurance Portability and Accountability Act, the Computer Fraud and Abuse Act (CFAA), the Electronic Communications Privacy Act, the Wiretap Act, the Stored Communications Act, the Fair Credit Reporting Act (FCRA), the Fair and Accurate Credit Transactions Act, and others.
  • Management of workplace data and records, including the implementation and management of companywide compliance and information governance programs, policies and procedures; the management and protection of personal data, trade secrets and competitive confidential information; and the implementation and enforcement of social media policies and BYOD policies.
  • Drafting global applicant and employee privacy notices and strategic counseling regarding new employee privacy notice requirements under the CPRA.
  • Drafting policies on monitoring, remote work, social media, productivity management software, email, text messaging and Internet usage as well as the use of evolving technologies for tracking employees and other workers, especially in a remote work environment.
  • Employee privacy rights under the CPRA and the GDPR, including strategic counseling relating to applicable exceptions to deletion and correction of, as well as access to, employee data.
  • Healthcare and medical privacy-related issues and biometrics.
  • Timekeeping compliance and tracking and monitoring of company-provided devices.
  • Privacy-related issues, including background investigations, associated with hiring employees and contractors.
  • Compliance with the National Labor Relations Act workplace rights and collective bargaining issues associated with workplace privacy and monitoring.
  • Meeting government contract regulations and managing vendor relationships, including the drafting of data security agreements.
  • Responding to data protection authorities and privacy regulators regarding privacy complaints received from employees or former employees.
  • Responding to, investigating, and mitigating data breach incidents as well as defending if litigation ensues.
  • Conducting workplace privacy audits and making recommendations in coordination with privacy decision-makers, including human resources personnel, privacy officers, information technology staff and boards.




Select Experience

  • Successfully defending purported class action employee privacy claims resulting from an alleged data breach.
  • Obtaining dismissal of FCRA claims resulting from an alleged data breach.
  • Successfully litigating online defamation claims for businesses and obtaining an injunction prohibiting a former employee’s cyberattacks.
  • Winning a published appellate opinion breaking new ground on privacy and confidentiality.
  • Successfully litigating Illinois BIPA claims.
  • Advising companies concerning managing workplace data in the work-from-home and hybrid work environments, including internationally.
  • Advising on compliant design of employers’ COVID-19 health and safety programs, including the appropriate collection and retention of temperature, test and symptom data.
  • Counseling about, advising on compliance with and litigating matters involving interception and surveillance issues, including the CFAA, the Electronic Communications Privacy Act, the Stored Communications Act and the Wiretap Act.
  • Litigating defamation, invasion of privacy, intrusion upon seclusion, public disclosure of private facts, false light and misappropriation claims.
  • Assisting clients with data retention and governance policies and practices.



In The Blogs

Data Counsel
CCPA Employee and B2B Exemptions Set to Expire on Jan. 1, 2023
By Jerel Pacis Agatep, Shruti Bhutani Arora, Jeewon K. Serrato
September 7, 2022
The California Consumer Privacy Act (CCPA) exemptions for employee and business-to-business Personal Information (PI) likely will not be extended. Aug. 31, 2022 was the last day for each house to pass bills, per the California Constitution...
Data Counsel
Part 2 of BakerHostetler's Countdown to CPRA – Top 5 FAQs to Evaluate Compliance Strategy for Employees
By Jennifer L. Mitchell
April 1, 2022
In Part 1 of BakerHostetler’s Countdown to CPRA blog series, we provided initial guidance to businesses on key California Privacy Rights Act (CPRA) compliance readiness considerations. On January 1, 2023, California could become the first...
Data Counsel
A Road Map for CPRA Compliance
March 8, 2022
For companies preparing to comply with the California Privacy Rights Act (CPRA), operative on Jan. 1, 2023, this Road Map summarizes the provisions of the California Consumer Privacy Act (CCPA), which the CPRA amends, and the new...
Data Counsel
CPRA Rulemaking Explained and CPRA Amendments Push Forward, Including Employee and Business-to-Business Exemptions
By Jeewon K. Serrato
February 24, 2022
On Feb. 18, Chairperson Jennifer Urban of the California Privacy Protection Agency (CPPA) addressed the California state bar and clarified the announcements that were made during the CPPA board meeting on Feb. 17. Read on for an...
Data Counsel
Countdown to the CPRA
By Taylor A. Bloom, Jennifer L. Mitchell, Justin T. Yedor
February 15, 2022
On Oct. 15, 2021, BakerHostetler reported on the status of the California Privacy Protection Agency’s rulemaking process and the challenges the agency faces issuing regulations under the California Privacy Rights Act (CPRA) before the July...