COVID-19 was a catalyst for the widespread adoption of a remote-work business model and prompted many employers to implement tracking and monitoring measures to ensure worker productivity. These measures may include GPS tracking of employee work devices and vehicles, website and application activity and login monitoring (i.e. Slack, Microsoft Teams, Google Workspace, time trackers, etc.), and even tracking social media and internet activity to see if they are being used for non-work purposes. Consequently, these measures have also sparked discussion amongst California workers regarding invasion of privacy and are leading to serious lawsuits. 

While employers have a legal obligation to provide a safe and healthy work environment for both remote and in-office work, the use of productivity tracking and keystroke monitoring must be used judiciously. If you are a California employer that uses or plans to use tracking and monitoring technology for your business, you should be well-versed in privacy laws to avoid being sued for invasion of privacy. 

The Electronic Communications Privacy Act of 1986 (EPCA)

The Electronic Communications Privacy Act of 1986 (EPCA) provides federal guidelines for employers pertaining to electronic communication and monitoring in the workplace. Generally speaking, Title I of the Act prohibits the intentional, actual, or attempted interception, and use, disclosure, or “procure[ment] [of] any other person to intercept or endeavor to intercept any wire, oral, or electronic communication.” It also prohibits the usage of illegally gathered communications as evidence. 

There are some exceptions and circumstances that allow employers to legally monitor electronic communication. One example is the Business Purpose Exception, which allows employers to intercept communications if they can prove there is a legitimate business reason for doing so. A second circumstance where employers are allowed to intercept and track employees is if the employees have provided written consent for their employers to monitor and intercept their oral, wire, and electronic work communications. This often occurs during orientation or when completing onboarding documents with your employees. 

If you wish to monitor your employees’ oral and written communications to ensure that they are complying with their duties as stated in their contract, you must receive verifiable consent beforehand. Remote work allows employers the ability to hire employees from both in and out-of-state and, while federal law does not require employers to disclose every instance they are monitoring a worker, certain state laws dictate that consent must be given to proceed with employee tracking.

The California Consumer Privacy Act (CCPA) and The California Privacy Rights Act (CPRA)

In June 2018, California signed into law the Consumer Privacy Act (CCPA), granting consumers a plethora of rights to their personal data being collected and sold. These regulations went into full effect on January 1st, 2020, and have provided citizens with much-needed protection and peace of mind. However, in light of the recent events prompted by the pandemic, new regulations have been finalized and California will institute a new level of privacy protection in 2023. 

On January 1st, 2023, the California Privacy Rights Act (CPRA) will take effect and effectively substitute the CCPA. CPRA seeks to amend and expand upon many aspects of existing consumer privacy rights as established under the CCPA while also introducing additional enforcement mechanisms for businesses that fail to abide by these new regulations.

CPRA was inspired by the European Union’s 2018 General Data Protection Regulation (GDPR and is now the state’s definitive law when it comes to safeguarding digital privacy for its citizens. Businesses must inspect their data collection, storage, processing, and sharing systems to guarantee they remain in compliance with this act. The California Privacy Rights Act insists that all commercial entities conducting business in the state and managing personally identifiable data make a concerted effort to protect this information and maintain the privacy of those it affects. This applies if any of three qualifiers are met: 

1. The business has at least 100,000 consumers or household personal information (PI) accounts. This is a more advantageous rule for small-to-medium enterprises than the CCPA which stipulated a lower amount of 50,000 consumers.
2. The business has made $25 million in gross revenue by January 1 of the preceding year.
3. The business receives 50% or more of its gross revenues from sharing or selling personal information collected from users.

With the implementation of CPRA, employees now have a choice when it comes to managing their personal data and information. Not only are they entitled to access, delete, or opt out from any sale involving that info, but employers must also create systems for these requests upon request. Furthermore, staff will now know where, when, and why their employers are utilizing sensitive personally identifiable details about them.

Essentially you should consider preparing for CPRA regulations immediately, although full enforcement won’t begin until July. Employers will still be permitted to monitor employee computer activity but with this new law comes additional rights for employees about their data in comparison to what consumers are already entitled to under the CCPA. Here are a few easy things that employers can do to remain CPRA compliant when it comes to employee tracking and California employment law:

• Limit Storage of Sensitive Data: To avoid any possible consequences of a data breach to your employees, the information obtained through an employee computer monitoring software should not be kept for too long. Once it is no longer useful for business operations, delete the collected data immediately to minimize potential risks.
• Update and Increase Data Security: Companies must safeguard their employee data from unauthorized access and cyberattacks. Those employers who fail to properly protect this information can be subjected to exorbitant penalties, ranging anywhere between $2,500-$7,500 per violation. 
• Provide Transparency: It is essential for employers to be clear and honest with their employees regarding the collection of data, including that gathered through employee computer monitoring software. The notice must provide details about what type of data will be collected as well as its purpose.

How To Avoid Invasion of Privacy Lawsuits in California Concerning Employee Monitoring and Tracking 

Employers generally are allowed to monitor an employee’s activity on a workplace computer,  workstation, and network since they own and have provided the devices. And with the myriad of advanced technologies enabling businesses to monitor and track employee activity, such tools can observe aspects of computer or workstation utilization, with the three more prominent software being: 

1. Those which allow employers to see what is on the screen or stored in the employees’ computer terminals and hard disks.
2. Those which allow employers to keep track of the amount of time an employee spends away from the computer or idle time at the terminal.
3. Those which allow for keystroke logging that allows employers to monitor how many keystrokes per hour an employee is performing. 

Employees are safeguarded from computer and other forms of electronic surveillance in particular conditions. For instance, unions may impose limitations on employers’ authority to monitor their employees. Additionally, public sector workers might be provided minimal security under the United States Constitution’s Fourth Amendment which defends against unfair search and seizure activities. California state law also provides additional defense for employees using workplace computers. 

By having clear technology policies and providing transparency when it comes to tracking your employees, you can better prevent the possibility of an invasion of privacy lawsuit. Business owners and companies should particularly avoid monitoring or tracking their employees outside of the workplace to prevent any unneeded data collection. 

Ensuring a high level of security on data obtained from employee tracking and monitoring use is of the utmost importance. Failing to do so could result in invasive information getting into the wrong hands, jeopardizing both employees’ privacy and their company’s reputation. Worse still, it can leave them vulnerable to legal action initiated by an aggrieved employee. Protecting data should be seen as a priority rather than an afterthought if businesses hope to avoid such issues.

Key Takeaways 

The new year will bring a lot of changes when it comes to data privacy thanks to the inception of the California Privacy Rights Act. As an employer, it’s important to remain up to date on these privacy laws. As more of them go into place, invasion of privacy class action lawsuits will be on the rise. Be proactive and prepare your workplace to adhere to these new laws to ensure compliance and avoid potential lawsuits. 

As California employment law specialists, Hackler Flynn and Associates is here to serve as legal counsel and representation for employers that need help understanding or overcoming monitoring or tracking issues. Reach out to us today if you have any questions or concerns: https://hacklerflynnlaw.com/