Outten & Golden: Empowering Employees in the Workplace

Posts Tagged ‘workplace privacy’

Wild West: Firms interpret California’s privacy law as they see fit

Monday, January 13th, 2020

Katy Murphy For all the angst it’s already caused in corporate America, the strongest data privacy law in the nation landed on the West Coast last week with a relative whimper. But the flurry of legal notices that accompanied the California Consumer Privacy Act point to regulatory and political drama ahead this election year.

The landmark California law — which has put Sacramento at the center of the national tech regulatory storm — has now been in effect for one week, giving residents the right to know what information companies collect about them and some measure of control over that data.

But a sampling of major retail, financial services and media websites found that companies are reacting to the Privacy Act in different ways based upon their own interpretations of the complex law and its unresolved regulations.

The patchwork of industry responses to California’s new privacy regime, which won’t be enforced until at least July 1, ensure the law will remain in dispute for many months to come. Adding to the uncertainty, a wealthy privacy champion is preparing a ballot initiative to rewrite the Privacy Act, state Attorney General Xavier Becerra expects legal challenges, and Congress is under intense industry pressure to pass a federal standard that would supersede state laws like California’s.

Perhaps the most visible change California promised to deliver to those tired of being tracked online is easy to miss, even if you are looking.

The law requires companies that sell consumers’ personal information to post a prominent “Do Not Sell My Info” link. But large retailers like Walmart and Lowe’s put their “Do Not Sell” links in the same footnote-like font and location commonly used for privacy policies. And they were nowhere to be found on other websites, such as Whole Foods Market, Albertsons-owned grocery stores, Visa or Bank of America. Those companies assert elsewhere on their sites that they don’t sell consumer data, which would mean they don’t have to include the links.

Likewise, “Do Not Sell” buttons or links do not appear on Google, Facebook, or Amazon’s homepages. Those companies — including two of the biggest players in online advertising and data collection — also contend that’s because they don’t sell consumer information anyway.

“We never sell your personal information,” read a pop-up window last week on Google search.

A “Do Not Sell” link appears at the bottom of the New York Times and Washington Post homepages, at least in California. The Los Angeles Times’ link takes readers to a page with information about their new rights — and a warning. Blocking the sale of one’s information also stops personalized advertising, it says, “an essential source of revenue” that “allows us to consistently deliver the Pulitzer-Prize winning journalism you’ve come to expect from the Los Angeles Times and its affiliates.”

(POLITICO’s homepage did not include such a link as of Wednesday. Brad Dayspring, the company’s vice president for marketing and communications, said that “POLITICO’s privacy policy is being updated and operational procedures to ensure compliance with CCPA are being finalized and will be visible in the coming days.”)

Spotify concedes in its California privacy notice that “it is currently unclear whether the use of certain types of advertising partners would be considered a sale under CCPA.” The company doesn’t offer a “Do Not Sell” link but gives listeners a chance to opt out of tailored advertising.

None of this hedging is a surprise to Jennifer King, director of consumer privacy at Stanford’s Center for Internet and Society. That’s especially true, she said, given that the Privacy Act won’t be enforced until July 1 and regulations are still being finalized.

“There is a six-month window where we’re going to see a lot of wiggling around,” King said. “No one wants to have to admit they’re selling if they can work their way around the regulations.”

As companies, consumers and the attorney general wrestle with the new law this year, here are other things to watch for:

— Cracking down: Only California’s attorney general will have the power to sue companies for most CCPA violations, and not until July 1, after the final regulations are expected to be released. But Becerra might weigh in earlier on the type of data-sharing that constitutes the sale of personal information under the law, and other murky areas. He also has repeatedly warned that the first six months will not be a free period, and that he can retroactively ding companies for early violations. Becerra recently told reporters that he will prioritize mishandling of children’s data. Companies may not sell data about children under 16 without permission from teens or the parents of young children.

— Opt-out outsourcing: The CCPA and its proposed rules allow for services that would help consumers exercise their privacy rights even if they are not inclined to spend their free time hunting down links and filling out forms. Brent Blackaby, who hails from the digital strategy and marketing world, is already beta testing such services for the Bay Area startup he co-founded, Confidently.com. Common Sense Media, a consumer advocacy group, did some of the legwork through its public awareness campaign by posting partially filled-out CCPA request forms for the publishers of three apps popular with kids: Snapchat, Spotify and TikTok. And GitHub has posted a directory of crowd-sourced links to dozens of companies’ CCPA pages.

 Data broker registry: How can you tell a company you’ve never heard of to stop selling your data? By the end of the month, those in the business of buying and selling details about people with whom they have no direct relationship will have to register annually on a new public database managed by the California attorney general. The registry, inspired by a similar one in Vermont, is live — but had no businesses listed — as of early Tuesday. Data brokers that don’t register by Jan. 31 will face fines of $100 per day.

 Already rewriting the rules: Just as the new law finds its footing, Californians might rewrite it. Bay Area developer Alastair Mactaggart, whose previous initiative pursuit led to the CCPA, is leading a new effort to qualify a November ballot proposal that would change the law. The initiative would create a separate agency to enforce the state’s privacy regime; add restrictions on the use of sensitive personal information; and prevent the Legislature from watering down the law, among other revisions. Tech and telecom companies have not taken public positions on the initiative, nor has a coalition of consumer privacy groups. Of course, businesses could just be waiting to see if proponents manage to qualify the initiative, as expected, before spending big to defeat it. Mactaggart said he is getting early reports that “folks are eager to sign” and “no one is saying no.”

This article was originally published at Politico on January 19, 2019. Reprinted with permission. 

About the Author: Katy Murphy covers consumer regulations with a focus on data privacy for POLITICO California. Before joining the team, she was a one-woman Capitol bureau for the The Mercury News and East Bay Times and previously covered K-12 and higher education for more than a decade, based in the Bay Area.

A Chicago-area native, she graduated from the University of Notre Dame and had stints in Puerto Rico and Indiana before moving west. She lives with her husband and young daughter and has memorized every episode of Peppa Pig. In her copious spare time, she enjoys reading fiction, taking scenic hikes that aren’t overly strenuous and glamping in the mountains with people who really know how to cook.

From Whole Foods to Amazon, Invasive Technology Controlling Workers Is More Dystopian Than You Think

Thursday, June 6th, 2019

thor bensonYou’ve been fired. According to your employer’s data, your facial expressions showed you were insubordinate and not trustworthy. You also move your hands at a rate that is considered substandard. Other companies you may want to work for could receive this data, making it difficult for you to find other work in this field.

That may sound like a scenario straight out of a George Orwell novel, but it’s the future many American workers could soon be facing.

In early February, media outlets reported that Amazon had received a patent for ultrasonic wristbands that could track the movement of warehouse workers’ hands during their shifts. If workers’ hands began moving in the wrong direction, the wristband would buzz, issuing an electronic corrective. If employed, this technology could easily be used to further surveil employees who already work under intense supervision.

Whole Foods, which is now owned by Amazon, recently instituted a complex and punitive inventory system where employees are graded based on everything from how quickly and effectively they stock shelves to how they report theft. The system is so harsh it reportedly causes employees enough stress to bring them to tears on a regular basis.

UPS drivers, who often operate individually on the road, are now becoming increasingly surveilled. Sensors in every UPS truck track when drivers’ seatbelts are put on, when doors open and close and when the engines start in order to monitor employee productivity at all times.

The technology company Steelcase has experimented with monitoring employees’ faces to judge their expressions. The company claims that this innovation, which monitors and analyzes workers’ facial movements throughout the work day, is being used for research and to inform best practices on the job. Other companies are also taking interest in this kind of mood-observing technology, from Bank of America to Cubist Pharmaceuticals Inc.

These developments are part of a larger trend of workers being watched and judged—often at jobs that offer low pay and demand long hours. Beyond simply tracking worker performance, it is becoming more common for companies to monitor the emails and phone calls their employees make, analyzing personal traits along with output.

Some companies are now using monitoring techniques—referred to as “people analytics”—to learn as much as they can about you, from your communication patterns to what types of websites you visit to how often you use the bathroom. This type of privacy invasion can cause employees immense stress, as they work with the constant knowledge that their boss is aware of their every behavior—and able to use that against them as they see fit.

Lewis Maltby, president of the National Workrights Institute at Cornell University, tells In These Times that the level of surveillance workers are facing is increasing exponentially.

“If you look at what some people call ‘people analytics,’ it’s positively frightening,” Maltby says. “People analytics devices get how often you talk, the tone of your voice, where you are every single second you’re at work, your body language, your facial expressions and something called ‘patterns of interaction.’” He explains that some of these devices even record what employees say at work.

According to some experts, this high level of employee surveillance may actually harm the companies that use these techniques.

“In general, people experience more stress when they feel that someone is looking over their shoulder, real or virtual,” Michael Childers, director at the School for Workers, tells In These Times. “There is a large body of research documenting that stressful workplaces can potentially lead to many problems that reduce company profits, including increased turnover, more sick days used, higher workplace compensation costs, and ironically, even lower productivity.”

Richard Wolff, a professor of economics emeritus at the University of Massachusetts, tells In These Times that this type of surveillance “deepens the antagonism, mutual suspicion, and hostility of employer relative to employee. It degrades worker morale and will probably fail—leading employers to conclude not that such surveillance is a bad idea, but rather than they need to automate to get rid of workers altogether.”

While this level of worker surveillance may be alarming, it has so far gone largely unchecked. Congress has never passed a law to regulate employee surveillance, Maltby says, and he doesn’t think it will any time soon. However, he says that either Congress or the Supreme Court could finally decide that employers have gone too far when they start tracking employee movement during a worker’s time off.

“The fight we’re gearing up for is [tracking] behavior off duty,” Maltby says. “Every cell phone in America has GPS capabilities baked into it,” along with cameras and microphones. Maltby worries that employers could soon begin using this technology to track the behavior of their employees outside of work. If this were to happen, Maltby believes U.S. lawmakers could be compelled to step in.

One the of the fears that labor and privacy advocates hold is that, over time, workers could get used to these types of invasions, and begin accepting them as a normal part of the job.

“The first time people hear about the newest privacy invasion, they get extremely angry, but eventually they just get used to it,” Maltby says. For example, at many jobs drug tests are now seen as standard, despite the fact that they invade employees’ private lives by monitoring their behaviors outside of work.

At a time of soaring inequality, low-wage workers are bearing the brunt of efforts to increase productivity and profits. The rise of these new tracking techniques show that companies are moving toward increasing their control over the lives of their employees.

While workers at the bottom of the wage scale may be the first to face such dystopian working conditions, other industries could soon embrace them. If we don’t want to live and work under the constant supervision of a far-away boss, now is the time to speak up and push back.

This article was originally published in In These Times on June 4, 2019. Reprinted with permission. 

About the Author: Thor Benson is a traveling writer, currently located in Los Angeles, Calif. Benson was born in Vancouver, B.C., Canada. His journalism has been featured in: The Atlantic, Wired, Rolling Stone, The Daily Beast, MTV News, Slate, Salon, Vice, ATTN:, Mic, In These Times, Paste, The New Republic, The Verge, Fast Company, Truthdig and elsewhere. He has been interviewed on The Big Picture with Thom Hartmann, Ring of Fire, HuffPost Live, The Lip, The Young Turks, in upcoming documentaries and elsewhere. 

It's Unanimous: Supreme Court Permits Search of Employees' Electronic Communications

Thursday, June 24th, 2010

Molly DiBiancaIn Quon v. City of Ontario, the 9th Circuit held that a California police department’s review of an officer’s text messages was an invasion of the officer’s right to privacy. In a unanimous ruling issued yesterday, the U.S. Supreme Court overturned the Quon decision and ruled that the police department’s review of the provocative text messages sent by the officer to his wife and to his mistress from his employer-issued pager, did not constitute an invasion of the officer’s privacy. (Link to the full opinion in City of Ontario v. Quon).

For employers, the key component of the decision is the Court’s focus on the fact that the police department-employer’s review of the messages comported with its policy and was conducted for a legitimate business reason. The department’s policy provided that messages would not be reviewed unless the employee went over the allotted monthly usage. In Quon, the officer had exceeded the monthly limit and the department reviewed the messages to determine whether the overages were work-related. Officers were responsible for costs incurred for non-work-related messages if they went over the monthly limit.

The 9th Circuit ruled that this review constituted an unreasonable search and seizure in violation of the Fourth Amendment. That decision was based largely on the fact that the officer’s supervisor had told the officer that messages were never reviewed by the department. The federal appellate court found that, because he’d been permitted to use the pager for both personal and work-related use, the officer had a reasonable expectation of privacy in those communications.

This important decision is the Supreme Court’s first in the area of an employer’s right to monitor the electronic communications of its employees sent and received during working time or with work-issued devices.

The decision was not a free-for-all pass for employers who want to review employees’ electronic messages. The Supreme Court warned employers of the possibility that an expectation of privacy may exist in certain circumstances. Interestingly, the Court noted that the expectation of privacy may exist due to to the pervasiveness of electronic communications. Justice Kennedy, writing for the Court, explained that “cellphone and text message communications are so pervasive that some persons may consider them to be essential means or necessary instruments for self-expression, even self-identification.”

But the Court also recognized that the pervasiveness of cellphones and other electronic-communication devices, has also driven down the cost of such devices, making them “generally affordable.” The low cost of electronic-communication devices, the Court found, supports the argument that there is a very low or no expectation of privacy because an employee who needs a cellphone for personal use can buy one and avoid having to use the work-issued device for anything other than work-related communications.

The decision is a critical one for employers who want to ensure employee compliance with company rules and policies without violating the employee’s privacy rights and, in turn, exposing the organization to legal liability. The Quon opinion has two key components for employers:

1. Any workplace monitoring must comply with the employer’s policy—if you don’t have a clear policy, now is the time to get one; and

2. A search of electronic communications should not go beyond what is necessary to accomplish the legitimate business purpose behind the policy—use the least intrusive means possible to make the determination at issue.

About The Author:

Margaret (Molly) M. DiBianca maintains a legal practice consisting of equal parts litigation and client counseling. She represents employers in a variety of industries in employment rights claims, discrimination matters and equal employment disputes at the state and federal court level.

Employee Has Privacy Interest In E-Mail Communications To Attorney On Company Computer

Thursday, April 15th, 2010

Employee’s E-Mails To Lawyer On Company Laptop Are Off Limits

The decision by the Supreme Court of New Jersey in Stengart v. Loving Care Agency has a lot  of lawyers talking. The case has to do with the privacy interests of an employee’s personal e-mail on a company computer and the attorney-client privilege.

The reason the case made ripples through the employment law community is because there simply aren’t many decisions on the issue and it hits a topic of real practical concern for both employers and employees.

What Happened In The Case

Marina Stengart worked for Loving Care Agency, Inc. (“Loving Care”), a home health care agency, as an Executive Director of Nursing.  Like many employers, Loving Care provided Stengart a laptop computer for company business. Stengart could send e-mails using her company e-mail account from the laptop and she could also access the Internet through Loving Care’s server.

In December of 2007, Stengart used her computer to access a personal, password-protected e-mail account on Yahoo’s website to communicate with an attorney about her situation at work. She never saved her Yahoo ID or password on the company laptop.

When she sent the personal e-mails Stengart didn’t know  that Loving Care’s browser software automatically saved a copy of each web page she viewed on the computer’s hard drive in a “cache” folder of temporary Internet files.

Stengart left Loving Care and returned the laptop computer.  A couple of months later, she filed a lawsuit with claims of discrimination, harassment and retaliation.

After the lawsuit was filed, Loving Care hired experts to create a forensic image of the laptop’s hard drive. Among the items retrieved were the e-mails Stengart exchanged with her lawyer via the personal Yahoo account.

Loving Care’s lawyers used the e-mails in the lawsuit. Stengart’s lawyers demanded that the e-mails be identified and returned. Loving Care’s Lawyers argued that Stengart had no expectation of privacy in light of the company’s electronic communications policy which stated in part:

  • Loving Care may review, access, and disclose all matters on the company’s media systems and services at any time
  • e-mails, Internet communications and computer files are the company’s business records and are not to be considered private or personal to any individual employee
  • occasional personal use of the computer is permitted

Stengart’s lawyers asked the trial court to order a return of the e-mails and disqualification of  Loving Care’s lawyers. The judge denied the request, concluding that Stengart waived the attorney client privilege by sending e-mails on the company computer.

Stenagart appealed.The Court of Appeals reversed.

It  found that Stengart had an expectation of privacy in the e-mails and that Loving Care’s lawyers violated the disciplinary rules by failing to alert Stengart’s lawyers that they had the e-mails before they read them.

It sent the case back to the trial court to determine whether disqualification of the firm, or some other sanction was appropriate. Loving Care appealed

The New Jersey Supreme Court Opinion

The Supreme Court of New Jersey agreed with Stengart and affirmed the Court of Appeals decision. In a long and thoughtful opinion, it framed the issue this way:

This case presents novel questions about the extent to which an employee can expect privacy and confidentiality  in personal e-mails with her attorney, which she accessed on a computer belonging to her employer.

Loving Care argued that its employees have no expectation of privacy in their use of company computers based on the company’s policy. It also contended that attorney client privilege either never attached or was waived.

Stengart argued that:

  1. she intended the e-mails with her lawyer to be confidential
  2. the company policy, even if it applied to her, failed to provide adequate warning that Loving Care would monitor the contents of e-mail sent from a personal account or save them on a hard drive
  3. when the lawyers encountered the e-mails, they should have been immediately returned

The Court found favor of Stengart.  In sum, this is what it held:

  • Under the circumstances, Stengart could reasonably expect that the e-mail communications with her lawyer through her personal, password protected, web-based e-mail account would remain private
  • Sending and receiving e-mails through the company laptop did not eliminate the attorney-client privilege that protected them
  • By using a personal e-mail account and not saving the password, Stengart had a subjective expectation of privacy
  • Her expectation of privacy was also objectively reasonable in light of the ambiguous language of the policy and the attorney-client nature of the communication
  • Stengart took reasonable steps to keep the messages confidential and did not know that Loving Care cold read communications sent on her Yahoo account

Regarding the company policy the Court wrote:

The Policy did not give Stengart, or a reasonable person in her position, cause to anticipate that Loving Care would be peering over her shoulder as she opened e-mails from her lawyer on her personal, password-protected Yahoo account.

None of this means that companies are prohibited from monitoring the use of workplace computers. As the Court stated:

Our conclusion that Stengart had an expectation of privacy in e-mails with her lawyer does not mean that employers cannot monitor or regulate the use of workplace computers.

Companies can adopt and enforce lawful policies relating to computer use to protect the assets, reputation, and productivity of a business and to ensure compliance with legitimate corporate policies…..

But employers have no need or basis to read the specific contents of personal, privileged, attorney-client communications in order to enforce corporate policy.

The Court also found that the defense lawyers should have promptly notified Stengart’s lawyers when they discovered the nature of the e-mails. It sent the case back to the trial court judge to determine whether the firm should be disqualified, costs should be imposed, or whether some other remedy was appropriate.

Take Away

I represent employees, and many communicate with me by e-mail. I am always concerned that somehow these e-mails are going to be read by their employers – so this case is very good news because it clearly states that these communications are privileged and protected.

Management lawyers who get these e-mails are prohibited from reading them, must return them, and can be disqualified or sanctioned if they don’t.

Having said that, employees should still be extremely careful if they don’t want their personal e-mails read by their employers —  which means that the best practice is not to use the company computer for personal e-mails or surfing the net.

As far as employers go,  you can bet (and others agree) that many are reviewing their policies and trying to figure out  and address the implications of this decision.

The bottom line is that employers do not have carte blanche to read employees’ private, confidential personal e-mails and even a very good corporate policy is not going to change that fact –at least  for now.

image: www.afcea.org

This post originally appeared in Employee Rights Post on April 13, 2010. Reprinted with permission from the author.

About the Author: Ellen Simon: is recognized as one of the leading  employment and civil rights lawyers in the United States.She offers legal advice to individuals on employment rights, age/gender/race and disability discrimination, retaliation and sexual harassment. With a unique grasp of the issues, Ellen’s a sought-after legal analyst who discusses high-profile civil cases, employment discrimination and woman’s issues. Her blog, Employee Rights Post has dedicated readers who turn to Ellen for her advice and opinion. For more information go to www.ellensimon.net.

Your Rights Job Survival The Issues Features Resources About This Blog