Workforce Bulletin

The California Privacy Protection Agency Board (the “Board”) held a public meeting on February 3, 2023, adopting and approving the current set of draft rules (the “Draft Rules”), which implement and clarify the California Consumer Privacy Act of 2018 (“CCPA”) as amended by the California Privacy Rights Act of 2020 (“CPRA”). The Draft Rules cover many CCPA requirements, including restrictions on the collection and use of personal information, transparency obligations, consumer rights and responding to consumer requests, and service provider contract requirements. At the meeting, the Board also addressed additional proposed rulemaking processes concerning cybersecurity audits, risk assessments, and automated decision-making. 

In our previous blog, we featured the California Privacy Rights Act’s Enhanced Cybersecurity Safeguards.[1] We now highlight significant privacy safeguards under the California Privacy Rights Act (“CPRA”) that will require advance planning in preparation for its January 1, 2023 effective date.[2] These new requirements will impact the collection and use of personal information across each organization. In particular, businesses, at a minimum, will need to assess and plan for:

• the effective implementation of data minimization policies, practices, and ...

The California Privacy Rights Act (“CPRA”) leaps forward on cybersecurity by amending the California Consumer Privacy Act (“CCPA”) to impose enhanced protections. The CPRA enhancements apply to “for profit” companies and other organizations: (a) with more than $25 million in gross revenues in the preceding calendar year, or (b) that annually buy, sell or share the personal information of 100,000 or more consumers or households, or (c) that derive at least 50 percent of their annual revenue from selling or sharing consumer personal information ...

On November 11, 2020, the European Data Protection Board (EDPB) issued eagerly awaited guidance for complying with the requirements of the General Data Protection Regulation (GDPR) for protecting the privacy rights of individuals in their personal data subject to potential transfer from the European Union (EU) to the United States and other countries. The guidance comes in the wake of the uncertainly following the Court of Justice’s July 16, 2020 decision in Schrems II invalidating the EU-US Privacy Shield and upholding the use of standard contractual clauses as a permissible ...

As the COVID-19 pandemic continues to affect workplaces throughout the world, employers are considering new ways to ensure a safe workplace when employees return to the office. Outside the US, employers must balance their duty of care to protect the health and safety of all their employees with safeguarding employees’ privacy and complying with data protection regulations. Many employers already have analyzed whether they may require or request employees to (i) submit to COVID-19 testing at the workplace, (ii) certify certain health information regarding exposure to ...

Our colleague Brian Cesaratto at Epstein Becker Green has a post on the Health Law Advisor Blog that will be of interest to our readers in the technology industry: "Harden Your Organization’s Domain Name System (DNS) Security to Protect Against Damaging Data Loss and Insider Threat."

Following is an excerpt:

Although there is no specific mention of DNS in HIPAA, the Gramm Leach Bliley Act, the GDPR or State cybersecurity laws or regulations, including California, Massachusetts or New York, an organization cannot comply with those regulatory frameworks requiring ...

Washington State is considering sweeping legislation (SB 5376) to govern the security and privacy of personal data similar to the requirements of the European Union’s General Data Protection Regulation (“GDPR”). Under the proposed legislation, Washington residents will gain comprehensive rights in their personal data. Residents will have the right, subject to certain exceptions, to request that data errors be corrected, to withdraw consent to continued processing and to deletion of their data. Residents may require an organization to confirm whether it is processing ...

There is a visceral and palpable dynamic emerging in global workplaces: tension.

Tension between what is potentially knowable—and what is actually known.   Tension between the present and the future state of work.  Tension between what was, is, and what might become (and when).  Tension between the nature, function, and limits of data and technology.

The present-future of work is being shaped daily, dynamically, and profoundly by a host of factors—led by the exponential proliferation of data, new technologies, and artificial intelligence (“AI”)—whose impact cannot be understated.  Modern employers have access to an unprecedented amount of data impacting their workforce, from data concerning the trends and patterns in employee behaviors and data concerning the people analytics used in hiring, compensation, and employee benefits, to data that analyzes the composition of the employee workforce itself.  To be sure, AI will continue to disrupt how virtually every employer views its human capital model on an enterprise basis. On a micro level, employers are already analyzing which functions or groups of roles might be automated, augmented, or better aligned to meet their future business models.

And, yet, there is an equal, counterbalancing force at play—the increased demand for accountability, transparency, civility, and equity.  We have already seen this force playing out in real time, most notably in the #MeToo, pay equity, and data privacy and security movements.  We expect that these movements and trends will continue to gain traction and momentum in litigation, regulation, and international conversation into 2019 and beyond.

We have invited Epstein Becker Green attorneys from our Technology, Media & Telecommunications (“TMT”) service team to reflect and opine on the most significant developments of the year.  In each, we endeavor to provide practical insights to enable employers to think strategically through these emergent tensions and business realities—to continue to deliver value to their organizations and safeguard their goodwill and reputation.

The European Union’s (“EU’s”) General Data Protection Regulations (“GDPR”) go into effect on May 25, 2018, and they clearly apply to U.S. companies doing business in Europe or offering goods and services online that EU residents can purchase. Given that many U.S. companies, particularly in the health care space, increasingly are establishing operations and commercial relationships outside the United States generally, and in Europe particularly, many may be asking questions akin to the following recent inquiries that I have fielded concerning the reach of the ...