Workforce Bulletin

California businesses, including employers, that have not already complied with their statutory data privacy obligations under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), including as to employee and job applicant personal information, should be taking all necessary steps to do so. See No More Exceptions: What to Do When the California Privacy Exemptions for Employee, Applicant and B2B Data Expire on January 1, 2023. As background, a covered business is one that “does business” in California, and either has annual gross revenues of $25 million, annually buys sells or shares personal information of 100,00 consumers or households, or derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information. It also applies, in certain circumstances, to entities that control or are controlled by a covered business or joint ventures. Covered businesses may be exempt from obligations under certain enumerated entity-level or information-level carve-outs.

On Tuesday October 4, 2022, the White House Office of Science and Technology Policy (“OSTP”) released a document entitled “Blueprint for an AI Bill of Rights: Making Automated Systems Work for the American People” (the “Blueprint”) together with a companion document “From Principles to Practice: A Technical Companion to the Blueprint for an AI Bill of Rights” (the “Technical Companion”).

On November 11, 2020, the European Data Protection Board (EDPB) issued eagerly awaited guidance for complying with the requirements of the General Data Protection Regulation (GDPR) for protecting the privacy rights of individuals in their personal data subject to potential transfer from the European Union (EU) to the United States and other countries. The guidance comes in the wake of the uncertainly following the Court of Justice’s July 16, 2020 decision in Schrems II invalidating the EU-US Privacy Shield and upholding the use of standard contractual clauses as a permissible ...

As the COVID-19 pandemic continues to affect workplaces throughout the world, employers are considering new ways to ensure a safe workplace when employees return to the office. Outside the US, employers must balance their duty of care to protect the health and safety of all their employees with safeguarding employees’ privacy and complying with data protection regulations. Many employers already have analyzed whether they may require or request employees to (i) submit to COVID-19 testing at the workplace, (ii) certify certain health information regarding exposure to ...

Part 5 of a series featuring our video Rules of the Road: Return to Work in the Time of COVID-19.

By now, those who have been following this series know the basics. You’ve formulated (or are in the process of formulating) a “return to work” plan, which includes, among other things, implementing policies and guidelines consistent with CDC recommendations (wear masks), as well as other best practices that most of us learned, or should have learned, by the time we were potty-trained (wash your hands), if not by the time we were in elementary school (no touching).

But once businesses ...

Tracking diversity and inclusion efforts on a global basis is often a challenging task for in-house legal, human resources, and diversity and inclusion teams.  While employers may be interested in collecting applicants’ and/or employees’ diversity information for worthy reasons, such an effort is a fertile ground for potential litigation involving data privacy violations and discrimination claims.

Risks of Violating Data Privacy Requirements

Globally, diversity information typically constitutes personal data (and, in many jurisdictions, sensitive personal ...

The recently proposed amendment to the California Consumer Privacy Act (CCPA) should be a wake up call to those employers who are not already actively planning for the January 1, 2020 compliance deadline.

The amendment reaffirms that employers must (i) provide employees with notice of the categories of personal information collected and the purposes for which the information shall be used at or before collection; and (ii) implement reasonable cybersecurity safeguards to protect certain employee personal information or risk employee lawsuits, including class actions seeking ...

Today, Law360 published our article “Considering Best Data Practices for ERISA Fiduciaries.” (Download the full article in PDF format.)

In this article, we outline steps that ERISA plan fiduciaries can take to develop a policy concerning protection of plan data and prudent selection and monitoring of plan service providers who handle PII.  Benefit plan service providers, including technology-based outsourcing companies, should also consider these important guidelines and implement the appropriate safeguards to protect against infringement of plan and participant ...

In light of the many high profile cyber-attacks on businesses this past year, employers should assess their vulnerability relative to data breaches and take steps to protect themselves from hackers as well as more innocuous business practices that could result in data breaches. Businesses that handle protected health information are regulated under HIPAA to adopt administrative, technical, and physical safeguards to protect the confidentiality of this information. However, various state and federal laws place duties upon employers to protect non-HIPAA-covered sensitive ...

By Ian Carleton Schaefer

The newest issue of Take 5 is online, featuring contributions from Michelle Capezza, Nancy Gunzenhauser, Marshall Jackson Jr., Brandon Ge, Gregg Settembrino, and myself, colleagues in our firm’s Technology, Media, and Telecommunications (TMT) Strategic Industry Group.

In this issue, we cover employment issues in “The Cloud”:

1. Solving Rainy Day Problems While It's Only Partly Cloudy: Wage and Hour Concerns
2. PHI in the Cloud: HIPAA, Data Privacy, and Data Security
3. The Cloud, the Evolving Role of the CIO, and the Increasing Importance of Attracting ...