What laws apply to the collection and use of individuals’ personal information?
Data privacy laws have become more prominent in recent years. As the amount of personal information available online has grown substantially, there has been an enhanced focus on the processing of personal data, as well as the enforcement of such laws.
There is no overarching law with respect to employee privacy in the United States. Rather, employers are subject to a patchwork of federal and state laws, depending on the type of information and particular context described:
Background Reports: In order to request background check reports on applicants or employees from consumer reporting agencies, companies need to comply with the requirements of the Fair Credit Reporting Act (FCRA) and state laws. Before obtaining such a report, an employer must get the individual's consent using a stand-alone form which discloses that the employer may use the information for decisions related to employment.
If an adverse action will be taken based on the results of the report, the employer must notify the individual before taking the adverse action. This includes giving the individual a copy of the consumer report and a copy of “A Summary of Your Rights Under the Fair Credit Reporting Act,” along with any state-required notice.
Finally, after an adverse action is taken (if applicable), the employer must give the applicant or employee a final adverse action notice, including the identity and contact information for the source of the report, a statement that that entity (i.e. the background check vendor) did not take the adverse action and cannot explain why it was taken, and a notice of the right to dispute the accuracy or completeness of the report and to get an additional free copy of the report within 60 days.
Criminal History: Many states, cities and counties have enacted laws which prohibit employers from asking applicants about criminal history on job applications (aka ban-the-box). These laws require that employers wait until later in the recruiting process before asking applicants about their criminal history or conducting background checks. In certain cases, these laws require that employers wait until after the conditional offer of employment before obtaining information from any source about a job applicant’s criminal history.
Credit Checks: Some states and cities have a general prohibition on giving employers access to a job applicant’s credit history. These laws contain varying exceptions for different categories of employees, such as employees who have significant supervisory authority, access to confidential business information, or the authority to execute contracts or engage in significant financial transactions.
Drug Tests: Several states require employers to provide notice and/or obtain the individual’s consent before conducting drug tests on applicants and employees. In addition, the Federal Motor Carrier Safety Administration has established requirements for conducting drug tests in the trucking industry.
Employee Monitoring: Because electronic monitoring of employees raises the potential for liability under the Wiretap Act (18 USC § 2510-22) and state corollaries, including state laws specifically governing electronic monitoring in the workplace (e.g., Connecticut Employee Monitoring Law, Ct. Gen. Stat. 31-46d), employers should:
- inform employees through an employee electronic resources policy, telephone monitoring policy or handbook regarding the monitoring of employees’ workspaces and devices, including work email, phone calls, or more unexpected technologies (such as keystroke logging) and obtain the employee’s consent;
- limit electronic monitoring to what is reasonably necessary and narrowly tailored to the legitimate workplace interests in monitoring productivity, preventing violations of company policy and legal violations, and maintaining a non-hostile workplace environment.
Note that under decisions from the National Labor Relations Board (NLRB), use of video surveillance in the workplace can be a subject of mandatory collective bargaining, and must be addressed with a labor union, if applicable (e.g., Colgate-Palmolive Co., 323 NLRB 515, 515 (1997) (holding that use of hidden cameras in the workplace is sufficiently “germane to the work environment and outside the scope of managerial decisions lying at the core of entrepreneurial control” as to require an employer to bargain over them)).
In addition, many states regulate the use of tracking devices. These laws are generally limited to vehicle tracking, and they provide an exception for location tracking by the vehicle’s owner. That said, a few statutes require an individual’s consent in order to conduct location tracking.
Social Security Numbers (SSNs): Laws in certain states require companies to take extra care regarding the collection and use of SSNs (e.g., Cal. Civ. Code § 1789.85; NY Gen. Bus. Law § 388-ddd; N.Y.S. Lab. Law § 203-d). Generally, without express consent of the individual, a company needs to:
- never publicly post SSNs;
- limit access to SSNs to employees who need to know due to their job responsibilities;
- avoid transmission of SSNs over the internet, unless through a secure connection or with encryption;
- prohibit using SSNs as an account number or other regular identifier; and,
- limit printing SSNs on hard copy documents where possible and ensure that any hard copy documents with SSNs are properly disposed of through cross-cut shredding or similar methods.
Biometric Information: Laws in certain states limit collection and use of biometric information. Examples include the Illinois Biometric Information Privacy Act and Tex. Bus. & Comm. Code Ann. These laws:
- require a written policy which sets out the retention schedule for the information (no longer than three years after the individual's last interaction with the business) and guidelines for destruction;
- require disclosure and express written consent;
- prohibit the sale of information; and,
- require the employer to protect biometric information as it would protect other confidential and sensitive information.
Health Information: Under the federal Health Insurance Portability and Accountability Act (HIPAA), Family and Medical Leave Act (FMLA), Americans with Disabilities Act (ADA) and Genetic Information Nondiscrimination Act (GINA), employers must maintain the confidentiality of certain health-related information and limit access to a need-to-know basis.