In "Cyberspace and the Law of the Horse," Frank Easterbrook, a judge for the U.S. Court of Appeals for the Seventh Circuit and senior lecturer at the University of Chicago, tells the story of how the school's dean once boasted the school did not offer a course on "The Law of the Horse." As Easterbrook explained: "Lots of cases deal with sales of horses; others deal with people kicked by horses; still more deal with the licensing and racing of horses, or with the care veterinarians give to horses, or with prizes at horse shows … (But) any effort to collect these strands into a course on 'The Law of the Horse' is doomed to be shallow and to miss unifying principles."
The danger Easterbrook warned of several decades ago goes beyond semantics: it concerns how any emerging area of law should be defined, understood in principle and applied in practice. With this caution in mind, this article attempts to trace the contours of the diverse set of laws that regulate the information generated by, and collected about, workers at their places of employment.
The law of workplace privacy
At least in the U.S., there is truly no singular or hallmark law of workplace privacy. Instead, privacy protections for workers are mostly granted through the penumbras of an assortment of disparate laws. Indeed, much of the privacy protections that applicants, employees and independent contractors enjoy within their relationships with employers are benefits of the long shadows cast by laws such as the Health Insurance Portability and Accountability Act, Americans with Disabilities Act, and Genetic Information Nondiscrimination Act.
For example, HIPAA's Privacy Rule, which applies to group health plans rather than to employers as such, requires employers that sponsor a plan to protect the confidentiality of employee medical information they receive from it. Likewise, the federal ADA and its state counterparts require employers to keep medical records and other health-related information confidential. In an analogous way, GINA provides workplace privacy protections by prohibiting employers from making job-related decisions, such as hiring and firing, based on genetic information. In a similar vein, the data breach notification laws enacted in all 50 states require businesses to notify individuals when the personal information they collect and process is compromised, and some also impose data security obligations; these duties naturally extend to employers and the data they hold about job applicants, employees and independent contractors.
Several laws establish privacy protections for personal information held by federal agencies, i.e., the offices and departments of the executive branch, and these apply to data held about government workers. Namely, the Privacy Act of 1974 established a "code of fair information practice" governing the collection, processing and sharing of personally identifiable information maintained in systems of records by federal agencies. The Privacy Act's "No Disclosure without Consent" rule generally prohibits agencies from disclosing records about an individual without that individual's prior written consent, unless one of twelve statutory exceptions applies. It also gives individuals the right to access and amend, i.e., correct, append to or delete, their records. Federal agencies must also publish notices in the Federal Register describing their systems of records, meaning groups of records from which information is retrieved by an individual's name or other unique identifier. In addition, the E-Government Act of 2002 requires federal agencies to conduct privacy impact assessments for the personal information they collect.
Another vehicle for what might be understood as employee privacy rights are off-duty conduct statutes, enacted in California, Colorado, New York and North Dakota, which shield employees' lawful conduct during nonworking hours from employer interference. In general, these laws prevent employers from taking adverse employment actions against job seekers or employees as a result of any lawful activity that occurs off the employer's premises during nonworking hours.
Against this background, the body of law that concerns workplace privacy in the U.S. continues to grow in scale and complexity. At least two states, California and Colorado, have enshrined protections for employee data within their comprehensive privacy laws. Various states also continue to consider other bills that aim to further enhance employee privacy protections. For instance, in California, the Workplace Technology Accountability Act was a proposal to rein in invasive, technology-enabled workplace surveillance and monitoring practices. Indeed, an increasing number of workplace-privacy-focused legislative proposals and policies have been taking shape at both the state and federal levels.
Employee data protections in US state privacy laws
All comprehensive U.S. state privacy laws, except the California Consumer Privacy Act, provide a data-level exemption for employee data. In other words, U.S. state privacy laws generally exclude data collected in the employment context from their scope. Only the CCPA applies broadly to California employers' collection of the personal information of their applicants, employees and independent contractors. In essence, the CCPA requires employers to extend privacy rights to these groups, just as any business must to the consumers from whom it collects data. Also noteworthy, the CCPA's private right of action, which applies only to data breaches, can be exercised by an applicant, employee or independent contractor against a negligent employer in the event of a breach.
In addition, the Colorado Privacy Act, via the recent passage of the Privacy of Biometric Identifiers & Data amendment, now applies to employers' collection of biometric data from their employees and independent contractors. Namely, employers may require consent to the collection of biometric identifiers as a condition of employment only for a limited set of purposes, e.g., permitting access to secure locations and improving or monitoring workplace safety. Outside of this set of purposes, the amended Colorado Privacy Act prohibits employers from requiring consent to collect biometric data from employees and contractors. Most importantly, perhaps, employers cannot use biometric data to track their employees' and independent contractors' locations or to learn how much time they spend using a particular hardware or software application.
Similarly, the Illinois Biometric Information Privacy Act requires employers who collect biometric information and identifiers of their Illinois employees to provide written notice, obtain a written release and maintain a retention and destruction policy. The BIPA is noteworthy, of course, for providing individuals with a private right of action that could be used by employees against an employer.
Electronic workplace monitoring
Particularly since the COVID-19 pandemic, when a significant portion of the workforce shifted to remote or hybrid work arrangements, privacy concerns about the monitoring of electronic communications in the workplace have become more prominent. Into 2024, federal agencies continue to craft policies, and members of Congress to propose legislation, that would enhance workplace privacy protections, particularly in the realm of electronic workplace monitoring.
A prime example of this is the boldly named Stop Spying Bosses Act, bicameral versions of which were introduced in the Senate in 2023 and in the House of Representatives in 2024. The bill would require employers to disclose information to workers about their workplace surveillance practices, including the types of data collected, the manner of collection, the place and timing of collection, where the data is stored, the business purposes for which the data is used, the identity of any third party or service provider involved in the surveillance, and how such surveillance affects any employment-related decisions. It would also prohibit certain workplace surveillance practices, such as any use of surveillance to identify or monitor the activities of any individual with respect to labor organizing; the collection of information on political opinions, religious views, health, disability or immigration status; the prediction of worker behavior unrelated to the work performed for the employer; and the sale or licensing of the data collected.
In addition to receiving greater attention from Congress, workplace surveillance practices that could have an adverse effect on labor organizations have become a policy priority for federal agencies. In October 2022, National Labor Relations Board General Counsel Jennifer Abruzzo issued a memo hinting at future enforcement — independently and jointly with the Federal Trade Commission, Department of Justice and Department of Labor — against the use of technologies that electronically monitor and algorithmically manage employees.
In particular, the memo noted these advances in technology and employer practices may run afoul of workers' exercise of their Section 7 rights, or their rights to unionize, join together to advance their interests and keep that activity confidential from their employer. The NLRB's stated policy goal of "vigorously enforcing extant labor law and (applying) settled labor-law principles in new ways" seeks to curb the trend of "anti-union use of AI monitoring," which has become an "open secret" in some workplaces. Another workplace-related piece of proposed bicameral legislation is the No Robot Bosses Act, which would prohibit employers from relying exclusively on automated decision-making systems to make employment decisions and establish whistleblower protections for individuals seeking assistance from the government with respect to worker-privacy-related concerns. Within the Department of Labor, the bill would also establish a Technology and Worker Protection Division, which would have a key role in promulgating regulations and enforcing the law.
In a similar vein, in 2023, the Equal Employment Opportunity Commission released a technical assistance document on the use of algorithmic decision-making tools in employment decisions, from recruitment and hiring to retention, promotion, transfer, performance monitoring, demotion, dismissal and referral. While it centrally concerns how new algorithmic decision-making tools can cause disproportionately large negative effects on protected categories under Title VII of the Civil Rights Act of 1964, its focus on the use of artificial intelligence in employee monitoring intersects with workplace privacy.
Is there a law of workplace privacy?
A high-level view of privacy protections for workers in the U.S. reveals a complex web of state and federal laws and policies, spanning decades, that can be said to constitute such a body of law. Yet workplace privacy protections in the U.S. remain primarily an amalgamation of rights created by other, non-privacy-specific laws.
Recent policy changes, announced mostly by federal regulators, are also bringing greater scrutiny to workplace surveillance practices, particularly those driven by AI, that could lead to discrimination or the suppression of organized labor. While not driven by privacy concerns per se, these measures could enhance worker privacy as a positive externality. Undoubtedly, these developments are further expanding the already complex scope of workplace privacy law in the U.S.
Müge Fazlioglu, CIPP/E, CIPP/US, is the principal researcher, privacy law and policy, at the International Association of Privacy Professionals.