Business Law
Workplace Surveillance: What Employers in California Need to Know
Ruth Yohannes[i]
Employee monitoring is not a new phenomenon in the United States. Badge swipes, website traffic monitoring and security cameras were commonplace, even before the pandemic.[ii] However, with the rise of remote work and the availability of new technologies, businesses have increased their monitoring efforts, citing a growing concern over their ability to manage their employees without the traditional access and oversight that an in-person workplace offers.[iii]
Over the last two years, emerging monitoring technologies have allowed businesses to track employee performance and productivity. A New York Times article reported businesses are using detailed productivity monitoring – producing metrics such as idle time, clicks and keystrokes – and using the data to determine pay, bonuses and promotions.[iv] This phenomenon is not limited to a few businesses, either. As of September 2021, 60% of large businesses with a remote workforce were using employee monitoring technology, and another 17% were considering doing so.[v] Employees have expressed concern that such monitoring could also be used to create a sense of “constant surveillance” that deter workers from exercising rights, such as unionizing.[vi]
The concern over underregulated employee monitoring has reached regulators as well. In March 2023, the National Labor and Relations Board (“NLRB”) and Consumer Financial Protection Bureau (“CFPB”) announced a new partnership to address growing practices of employer surveillance, monitoring, and data collection.[vii] Further, several states have taken steps to implement safeguards on the use of employee monitoring technologies in the workplace.
In California, the discussion over employees’ privacy rights has led to significant developments over the last few years. Below is an overview of privacy protections for employees in California, and key considerations for employers moving forward.
Introduced in January 2022, California’s AB 1651 was designed to place limitations on businesses’ use of surveillance technologies in the workplace. Similar to the California Privacy Rights Act’s (“CPRA”) current provisions, AB 1651 would have required advance notice to employees about any monitoring technology that is being used, and would have granted workers a right to access and to correct data about themselves. [viii] Further, AB 1651 would have prohibited remote worker monitoring unless it was strictly necessary to fulfill compelling purposes such as worker safety and security of employer data. [ix] The bill, however, was met with significant pushback from business advocacy groups, who have labeled it as “unworkable” and “overly prescriptive,” claiming the new law would impede on employers’ ability to manage their workforce.[x] Ultimately, AB 1651 died in committee in August 2022.
Currently, the California Privacy Rights Act (“CPRA”) is the main source of privacy protection for employees regarding data collected by their employers. Unlike AB 1651, which directly addressed employee privacy concerns, the CPRA is broadly aimed at consumers and includes employees within that definition. While the CPRA and AB 1651 share similar provisions – such as the notice requirement, right to access and right to correct, AB 1651 was specifically targeting remote work monitoring, an issue that the CPRA does not directly address.
Nonetheless, the CPRA does provide important protections for employees. Most notably, the CPRA includes employees in the definition of “consumers,” thereby effectively extending all requirements regarding businesses’ handling of consumer personal information to employee data.[xi] Before it was amended by the CPRA, the California Consumer Privacy Act (“CCPA”) provided limited exemptions for employee data that was collected in relation to their role as employee, applicant, or independent contractor.[xii] Businesses were required to adequately safeguard employee personal information, and notify them of the categories of data that would be collected and the purposes for which the data would be used. However, the CCPA did not give employees other consumer rights, such as the right to access and deletion.[xiii]
This exemption expressly expired on January 1, 2023, which means that all of the CCPA requirements with respect to consumer data – including the right to know, the right to delete, the right to non-discrimination for exercising rights, and the right to opt-out of the sale of personal information – now apply to employee data as well. Also effective in January 2023, the CPRA grants consumers new rights, such as the right to correct inaccurate personal information, the right to know about automated decision making and to opt out of it, and the right to limit the use of sensitive personal information.
In light of these changes, businesses who wish to use monitoring technologies should be aware of their new obligations vis a vis employee personal data. First, businesses must provide employees with a privacy notice identifying the categories of sensitive personal information to be collected, whether that personal information is to be sold or shared, and the length of time for which the employer intends to retain that information. If businesses use a third-party service to collect personal information on their behalf, the business must inform employees in its privacy notice.[xiv] This means businesses will have to provide greater transparency in their monitoring methods. Employees will have to be made aware of when, how and why their personal information is being collected, and notice requirements will likely prevent businesses from recording employees’ screens without their knowledge.
Second, the right to restrict the use of sensitive personal information applies where businesses use sensitive personal information to “infer characteristics” about an individual.[xv] The CPRA includes in its definition of personal sensitive information any “mail, email and text messages unless the business is the intended recipient of the communication.”[xvi] This means that communications between employees could be considered sensitive personal information. Businesses should consider whether scanning the content of employees’ communications for purposes of evaluating their productivity would amount to inferring characteristics about individuals, in which case their processing activities would fall within the scope of this right.
Finally, when an employee requests to exercise their rights under the CPRA, businesses must implement the necessary processes to respond adequately to those requests. Even if some businesses’ processing activities do not require them to give employees the right to limit the use of sensitive personal data, employees may still exercise their right to know or delete information collected about them. The CPRA’s inclusion of employee personal information in its scope may mean that businesses need to fundamentally rethink their workforce monitoring methods. Moving forward, businesses should review the purposes of collecting employees’ personal data and update their internal compliance mechanisms in order to accommodate the CPRA’s new requirements.
[i] Ruth Yohannes is a J.D. and Privacy Law Certificate Candidate for the Class of 2023 at Santa Clara University School of Law.
[ii] Bart Ziegler, Should Companies Track Workers with Monitoring Technology? Wall Street Journal (Aug. 20, 2022) https://www.wsj.com/articles/companies-track-workers-technology-11660935634.
[iii] Id.
[iv] Jodi Kantor and Arya Sundaram, The Rise of the Worker Productivity Score NY Times (Aug. 14, 2022) https://www.nytimes.com/interactive/2022/08/14/business/worker-productivity-tracking.html.
[v] Caroline Castrillon, The Top Workforce Trends for 2023, Forbes (Dec. 11, 2022) https://www.forbes.com/sites/carolinecastrillon/2022/12/11/the-top-workplace-trends-for-2023/?sh=7ed86cf24e36.
[vi] Sarah Roach, Worker Surveillance is Making Employees Miserable, Protocol (Sept. 20, 2021) https://www.protocol.com/workplace/worker-surveillance-is-making-employees-miserable.
[vii] Press Release, National Relations Board, National Labor Relations Board and Consumer Financial Protection Bureau Announce New Partnership to Address Employer Surveillance, Monitoring, Data Collection, and Financial Practices in the Workplace (Mar. 7, 2023), https://www.nlrb.gov/news-outreach/news-story/national-labor-relations-board-and-consumer-financial-protection-bureau.
[viii] Jeewon Kim Serrato, Jerel Pacis Agatep, and Jenny Ha, AB-1651: As ‘Workplace’ Extends to Our Homes, Can Employers Still Conduct Worker Monitoring?, California Lawyers Association, (July 2022) https://calawyers.org/privacy-law/ab-1651-as-workplace-extends-to-our-homes-can-employers-still-conduct-worker-monitoring/.
[ix] Id.
[x] Ronak Daylami, CalChamber Tags AB 1651 as a Job Killer, CalChamber Advocacy, (Apr. 26, 2022) https://advocacy.calchamber.com/2022/04/26/calchamber-tags-ab-1651-as-a-job-killer/
[xi] Id.
[xii] Employee Data Under the CCPA: Expiration of Employer Exemptions Requires Compliance as of January 1, 2023, JD Supra (Oct. 5, 2022) https://www.jdsupra.com/legalnews/employee-data-under-the-ccpa-expiration-6993807/.
[xiii] Id.
[xiv] Id.
[xv] Cal. Civ. Code § 1798.21 (19) (d).
[xvi] Cal. Civ. Code § 1798.140 (ae) (1) (E).