Many small or solo franchisees, subsidiaries, and affiliates of larger businesses may think the California Consumer Privacy Act (CCPA), does not apply to your separate business entity because it does not meet one of the three threshold criteria for CCPA coverage: (1) your annual revenue is under $25 million; (2) you do not annually collect the personal information of 50,000 or more California residents, households or devices; and (3) you are not in the business of selling information. But upon closer inspection, you may be disappointed to learn that California’s groundbreaking new privacy law, which became effective January 1, 2020, may yet still apply to you based on a potentially broad "control" test.
Illinois has introduced new workplace privacy legislation governing the use of artificial intelligence during the job interview process. The state legislature unanimously passed the Artificial Intelligence Video Interview Act (“the AIVI Act”), HB2557, which imposes consent, transparency and data destruction requirements on employers using AI technology during the job interview process. This comes at a time as many employers are beginning to take advantage of AI for hiring as recently reported by the Washington Post in its profile of the video interviewing software HireVue.
Governor Gavin Newsom just signed into law two amendments to the California Consumer Privacy Act (CCPA) that will have a direct impact on employers doing business in the state. The new amendments, signed on October 11, 2019 and taking effect on January 1, 2020, require covered businesses meeting a certain revenue threshold or other criteria to implement policies and procedures that provide consumers – which includes employees – certain privacy rights not previously available under existing law.
On July 25, 2019, New York Governor Anthony Cuomo signed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) into law. The Act creates additional protections for the residents of New York and their private information. It also endeavors to improve cybersecurity measures for those who possess private information about New York residents.
Alright. So, you’ve battened down the hatches of your company’s premises, to protect your employees and your information. Employees are required to create secret computer passwords they’re not to share with anyone, even colleagues. Your policy requires changing passwords every 45 days. You’ve installed security guards at the front desk, distributed security badges to limit access to your premises, conducted background checks on your new hires. You require signed Confidentiality, Non-solicitation, and Non-competition Agreements with employees to whom you’ve provided access to your secrets. You’ve erected firewalls to protect your servers.
Thanks to recent negotiations among state lawmakers, it appears that California employers may get a temporary reprieve on some of the more sweeping data privacy requirements that were set to take effect in just a few short months.
Early last year, I posted about tougher, bi-partisan privacy and data security legislation in the works in North Carolina. North Carolina State Representative Jason Saine (R), Senior Appropriations Chair, teamed-up with North Carolina Attorney General Josh Stein (D) and issued a fact sheet outlining what the new legislation would include.
An amendment to New Jersey’s data breach notification requirements of the Consumer Fraud Act is currently awaiting signature by State Governor Phil Murphy. The bill, Assembly No. 3245, was recently passed by both the New Jersey Senate and Assembly. If signed into law as expected, the amendment will expand the definition of personal information to include “user name, email address, or any other account holder identifying information, in combination with any password or security question and answer that would permit access to an online account.” In turn, it would require businesses to notify consumers of online account security breaches – thereby eliminating a business’s ability, under the current law, to avoid notifying consumers when there is a breach of online information. The bill’s statement indicates that its purpose is to provide consumers with the opportunity to quickly change online account information to prevent outside access to online accounts, and to put consumers on notice to monitor for potential identity theft.
By now, we are all too familiar with the issues and pitfalls associated with cybersecurity breaches in a multitude of industries. Consider Equifax, Home Depot, Yahoo or Target, to name a few. Those well-publicized incidents overwhelmingly concerned customer and/or consumer privacy invasions, but touched barely, if at all, on whether those breaches compromised employees’ private information, or whether those companies should have done more to protect not only their customers’ information, but their employees’ as well. Should this be of concern and if so, what should employers be doing about it?
On January 25, 2019, the Illinois State Supreme Court ruled that the state’s Biometric Information Privacy Act (BIPA) only requires individuals to show violation of the law to bring suit. Businesses with a presence in Illinois that gather “biometric identifiers”, which include a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry, are now at a greater risk of liability if they do not follow legally required procedures for such data collected or stored in the state. BIPA’s applicability at the federal level remains to be seen, but similar laws are being considered throughout the states, raising potential liability for employers elsewhere.