Employers collect, store and manage more data about their employees than ever before, creating unprecedented privacy complexities as well as significant compliance issues. Evolving technologies designed to support employer efficiencies, such as digital monitoring and biometric authentication, as well as the collection and use of sensitive personal information for diversity initiatives and other employee programs, create new and novel risks. Moreover, companies that previously had no need to collect sensitive health information from employees have grappled with issues relating to the collection of temperature data, vaccine information and COVID-19 test data, as well as the appropriate retention of this information, as a result of the global pandemic.
In January 2023, through the enactment of the California Privacy Rights Act (CPRA), California is positioned to become the first U.S. state to enact a comprehensive data privacy law covering employee data, bringing this data into the scope of one of the most rigid data protection regulations in the world. Employers face many challenges in preparing their businesses for CPRA readiness, including the unstructured nature of employee data and the complicated intersection of data protection and employment laws.
Ransomware and other cybercrimes can expose data and disrupt business operations, and even unwitting employee error can result in a data breach. Many companies have undergone an abrupt shift to hybrid workplaces and work-from-home arrangements, presenting various additional risks that sensitive information will be exposed or threatened.
Our team combines the strengths of two powerhouse practice groups – Labor and Employment and Digital Assets and Data Management (DADM) – to deliver best-in-class counsel on myriad federal, state and local laws relating to data privacy protection in order to avoid contentious matters such as litigation, government enforcement actions and negative publicity. We are well equipped to lead and defend your company in this high-stakes arena and help you best prepare for and navigate government investigations or enforcement actions should these arise.
We excel at helping employers discover where they are vulnerable, and we help strengthen their defenses and employ best practices across the enormous range of employee privacy-related areas, including bring-your-own-device (BYOD) practices, social media, background checks, contact tracing, biometric authentication, artificial intelligence programs, payroll and third-party vendors.
Our labor and employment and privacy attorneys are deeply experienced and nationally recognized as leaders in their fields, and support businesses of all sizes with smart, timely and effective counsel. Our multidisciplinary team of labor and employment and DADM attorneys provides strategic counseling on compliance with data privacy laws, conducts data privacy audits, provides proactive training and risk assessments, responds to security and compliance incidents, negotiates and responds to consumer or regulator inquiries on behalf of employers, and handles all the complexities of privacy-related matters, including litigation and class actions.
We are experienced in advising and counseling our clients on:
- Federal, state and international laws and regulations, including the CPRA, the California Consumer Privacy Act (CCPA), the General Data Protection Regulation (GDPR), the Illinois Biometric Information Privacy Act (BIPA), the Health Insurance Portability and Accountability Act, the Computer Fraud and Abuse Act (CFAA), the Electronic Communications Privacy Act, the Wiretap Act, the Stored Communications Act, the Fair Credit Reporting Act (FCRA), the Fair and Accurate Credit Transactions Act, and others.
- Management of workplace data and records, including the implementation and management of companywide compliance and information governance programs, policies and procedures; the management and protection of personal data, trade secrets and competitive confidential information; and the implementation and enforcement of social media policies and BYOD policies.
- Drafting global applicant and employee privacy notices and strategic counseling regarding new employee privacy notice requirements under the CPRA.
- Drafting policies on monitoring, remote work, social media, productivity management software, email, text messaging and Internet usage as well as the use of evolving technologies for tracking employees and other workers, especially in a remote work environment.
- Employee privacy rights under the CPRA and the GDPR, including strategic counseling relating to applicable exceptions to deletion and correction of, as well as access to, employee data.
- Healthcare and medical privacy-related issues and biometrics.
- Timekeeping compliance and tracking and monitoring of company-provided devices.
- Privacy-related issues, including background investigations, associated with hiring employees and contractors.
- Compliance with the National Labor Relations Act workplace rights and collective bargaining issues associated with workplace privacy and monitoring.
- Meeting government contract regulations and managing vendor relationships, including the drafting of data security agreements.
- Responding to data protection authorities and privacy regulators in response to privacy complaints received from employees or former employees.
- Responding to, investigating, and mitigating data breach incidents as well as defending if litigation ensues.
- Conducting workplace privacy audits and making recommendations in coordination with privacy decision-makers, including human resources personnel, privacy officers, information technology staff and boards.