Data privacy concerns have undoubtedly spiked during the pandemic due to new categories of identifiable personal data being collected from employees. Given this rise in accumulated personal information, data privacy law has the potential to be implicated, owing to the collection and disclosure of employees’ confidential personal information.
Due to COVID-19, many employers gathered and collected personal employee data as it relates to managing the risks from the pandemic. Accordingly, employers essentially became the primary custodians of employee personal information and adjusted their work policies and practices to protect various forms of identifiable data. Personal information includes data that directly identifies an individual’s name, address, social security number, gender, race, birth date, and geographic location. Even though the collection of personal information was undeniably critical for workplace health and safety at the onset of the pandemic, the reality is that if it is not collected and stored appropriately, employers could assume the risk of violating data privacy laws. In a post-pandemic world, the concern could shift to whether the workplace practices for personal information collection should be modified from their current procedures.
To date, there are federal laws that restrict employers from disclosing confidential information of employees such as the Americans with Disabilities Act (ADA), the Equal Employment Opportunity Commission (EEOC), and the Health Insurance Portability and Accountability Act (HIPPA). Some states have taken an additional step to create laws that further address the violation of data privacy while other states have adopted a wait and see approach. No matter the action (or inaction) of states, it is increasingly clear that as we continue to address the pandemic, more complex laws will become necessary to protect and address employee data privacy concerns. The pandemic has shown us that state lawmakers need to go a step further.
State legislatures should pay careful attention to the actions of California and New York. In January 2020, California implemented the California Consumer Privacy Act (CCPA) which provided California residents with the right to request and control the personal information that businesses collect from them. The CCPA includes an employee information exemption until January 1, 2023. This exemption temporarily excludes employees from most of the CCPAs protection which could become worrisome in a post-pandemic world. However, under the CCPA, employers are still mandated to provide employees with notice of the personal information they collect.
Another state that followed suit was New York. Made effective in March 2020, the New York SHIELD Act added new data security provisions which mandate the implementation of policies and safeguards that protects data. Due to the broad nature of the Act, it applies to all companies holding New York resident data. A business that is not compliant with the Act faces great legal liability, which essentially forces the entity to adequately protect the personal data of New York residents and employees.
As we anticipate a post-pandemic world, it will be crucial that more states follow the example of California and New York, implementing new state data privacy laws. Doing so would broadly provide necessary protection to individuals and employees.
Lashania White is a third-year law student at Wake Forest University School of Law. She holds a Bachelor of Laws from the University of the West Indies and a Master of Laws from Wake Forest University School of Law.