The Online Privacy Act has been marketed by its authors as stronger than the California Consumer Privacy Act (CCPA). It would give users the right to:
- Access, correct, delete, and transfer data about them;
- Request a human review of automated decisions, including in hiring and potentially other HR-related contexts;
- Give opt-in consent before a company can use their data for machine learning/A.I. algorithms;
- Be informed if a covered entity has collected personal information; and
- Choose for how long their data can be kept.
However, the bill exempts “[r]ecords about employees or employment status collected and used by that employee’s employer for employer-employee purposes (so long as it’s the kind of personal information one would expect to be collected while working and didn’t come from a third party).” HR Policy and several member companies have advocated for the exemption of HR data in consumer data-focused privacy measures.
The employee data exemption falls short of the CCPA’s AB 25, which exempts several categories of worker in addition to employees. The exemption further fails to recognize that businesses often contract out the processing of worker data for purposes solely within the HR context.
Security requirements: The measure would create a “Data Privacy Agency,” which would be empowered to issue data privacy regulations and enforce the legislation. The Agency would promulgate regulations requiring companies to implement security policies, including adopting a security policy, identifying an information security officer, a process to mitigate vulnerabilities, a process to discard unneeded personal information, employee training, and a data breach response plan.
Enforcement: The Agency would have the authority to levy fines among other enforcement mechanisms. In addition, the measure includes a robust private right of action, with penalties of up to $42,530 per individual.
Outlook: The bill is significant in its recognition—albeit imperfect—of HR data as distinct from that of consumer data. However, House Republicans have already deemed this effort “dead on arrival” for various reasons, among which is the bill’s not providing preemption and including a private right of action. While the window for congressional action on data privacy is quickly closing this year, the Lofgren-Eshoo bill contains a wish-list of items that may reemerge in later efforts. The bill further underlines increased attention by policymakers on artificial intelligence-driven technologies, and particularly concerns regarding privacy and bias, as has been additionally highlighted by several recent developments.
