Privacy Lawyer Jennifer Mitchell on Employee Data Privacy Under the California Consumer Privacy Act

Intro  0:01  

Welcome to the She Said Privacy/He Said Security Podcast. Like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st century.

Jodi Daniels  0:22  

Hi, Jodi Daniels here. I’m the Founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional providing practical privacy advice to overwhelmed companies.

Justin Daniels  0:36  

Hello, Justin Daniels here. I am a corporate M&A and Tech Transaction Equity Partner at the law firm Baker Donelson. I am passionate about helping companies solve complex cyber and privacy challenges during the lifecycle of their business. I am the cyber quarterback helping clients design and implement cyber plans as well as help them manage and recover from data breaches.

Jodi Daniels  0:58  

And this episode is brought to you by Red Clover Advisors. We help companies to comply with data privacy laws and established customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology, e-commerce, professional services, and digital media. In short, we use data privacy to transform the way companies do business. Together, we’re creating a future where there’s greater trust between companies and consumers. To learn more, and check out our best-selling book, Data Reimagined: Building Trust One Byte at a Time, visit redcloveradvisors.com. Well, hello. Happy Thursday. I was like a very underwhelming Happy Thursday, but

Justin Daniels  1:45  

That’s okay. Well, you started work at 6:45 this morning.

Jodi Daniels  1:50  

I see him for those of you who are listening, you’re like, Well, maybe it’s already 6:45. But that means that Justin has been working for quite a while. But we have a wonderful podcast guest today. This is very exciting. We have Jennifer Mitchell, who is at Baker Hostetler and she is in the firm’s Los Angeles in Costa Mesa practice working on digital assets and is the data management leader. Jennifer leverages more than 15 years of legal compliance and operational experience much of it in house as she helps clients navigate the growing complex landscape of global and strategic privacy matters. Having most recently served in an executive privacy leadership role for two Global Fortune 100 companies, Jennifer provides practical business solutions to maintaining compliance with truly the evolving US state privacy laws and global privacy framework. So Jennifer, it is so lovely to have you here today. Thank you, Jodi.

Jennifer Mitchell  2:47  

Thank you, Jodi. Thanks, Justin. It’s great to be here. I appreciate it.

Jodi Daniels  2:50  

I know we’ve been planning this for a long time. So I’m really excited to have this recording today.

Jennifer Mitchell  2:55  

We made it happen.

Justin Daniels  2:59  

Where did you start out? And how did you evolve to your current role today?

Jennifer Mitchell  3:05  

Yeah, that’s a great question. And I love hearing the answer to this question from other privacy professionals because I still view it as sort of an emerging practice. And it’s just great that we all have different backgrounds, including IP and litigation. For me, getting into privacy is definitely a journey that I didn’t anticipate or plan for. I did not take any privacy courses, nor were they available when I went to law school. And so it wasn’t my first area of specialty. I started my practice in white collar criminal defense and investigations at an international law firm where I practice for over seven years. And our practice, my practice in white collar was really supporting the healthcare industry. And so I took my first full time privacy role in 2014, working for an academic medical center, which was a little bit of a leap of faith, leaving private practice and taking a full time privacy role, but it was very focused on HIPAA, which aligned with my background supporting the healthcare industry. And from there, I expanded my horizons with the GDPR really following all of the, you know, the expansion of privacy laws, and I moved into a consulting role, where I provided companies with more business advice and implementation advice on compliance with GDPR and other privacy laws. And from there, I moved into two fantastic corporate privacy roles, one in the medical device industry, and one in entertainment, so very different industries, but tackled, you know, the challenging privacy issues of building out compliance programs, and I was responsible in those roles for overseeing global privacy programs, including the consumer side and the employee side. And, as mentioned in my intro, I returned to private practice at Baker Hostetler about two years ago So it’s been really exciting to be back in at a firm. And I’m really grateful for having, you know, all that experience in house because I think it’s made me a better lawyer to my clients.

Jodi Daniels  5:09  

You joined right at the time where it’s exploding. Various US privacy laws really good timing on your part. Congratulations.

Thanks so much.

I know you have that crystal ball. But one of the big topic areas that is, you know, causing a lot of companies heartache and confusion is employee privacy. Let’s start with our friends in California. Can you share what are the CCPA’s obligations as it relates to employee privacy?

Jennifer Mitchell  5:45  

Yes, such a big topic still. So just as a reminder, as, as our listeners, I’m sure know, California is the only state among the new comprehensive state privacy laws, the five new laws taking effect this year, and many more to come. That includes employees and the definition of consumers. So that means that the amended CCPA doesn’t just apply to the traditional consumer. And this, you know, really represents a significant change in the privacy rights that are available to California workers. And before this year, before the amended CCPA, the CPRA took effect, the CCPA’s application to employees was really limited, and employees were exempt from most of the CCPA requirements. But now, the exemption is fully lifted. And that means that CCPA requirements and rights basically applied to all persons who are California residents. And in the employment context, that means all workers, including traditional employees, job applicants, independent contractors and former employees. And so when we think about the new obligations, they are vast, but I would say that the top three requirements to think about are really preparing updates to California privacy notices, and which is essentially the disclosures of a company’s privacy practices to the worker, to updating vendor contracts with new data processing agreements that cover any processing activities in the HR world. And those requirements include specific provisions required under the CCPA. And three developing a program around intaking and responding to privacy rights requests for California workers.

Jodi Daniels  7:26  

Well, thank you for sharing. I’m kind of curious, we’re guarding those privacy notices. Sometimes people are including applicants in the employee notice. And sometimes people are thinking, well, the applicant should go in the regular notice. And some people are thinking no applicants get their own special notice. I’m just curious what you’re seeing which direction companies are leaning?

Jennifer Mitchell  7:50  

I think there’s this a great question. I think there’s a few different ways to design it. And it really depends on the company’s goals and preferences. But I think it’s important to remember that the applicant privacy notice has to be provided at the time of collection, and many employers have careers pages posted on publicly facing websites, in which case, the applicant notice has to be posted on that website and available to applicants at the time they provide their information when they’re seeking a job opportunity. Whereas of course, the employee notice is provided at the time that the employment commences, which is later in the you know, the employment timeline, and different types of information and more expensive information is collected for employees versus applicants. So most of the time, we do develop separate notices — the applicant facing notice that’s often published on a careers page or made otherwise available at the outset of the application. And then a separate employee, notice that some companies usually prefer to keep that internal. So that can be posted on the Internet that could be provided, again at the time of onboarding, but just different types of information. And therefore different disclosures are usually required for those populations.

Jodi Daniels  9:09  

I appreciate you sharing. I hear companies always trying to figure that out. So it’s nice to have another perspective for them to listen to.

Justin Daniels  9:17  

I just went through that process with one of my clients, and we had to do it by employee applicants internal and then of course, how we deal with privacy and security and our customer contracts. So those were four different areas where it came up that required an approach that we had to talk about with the client about the overall design and then how we were going to tactically implement.

Jennifer Mitchell  9:41  

Yeah, and I agree, I think every every client has different nuances and preferences and sometimes we combine the applicant disclosures within the general California privacy notice that includes consumer disclosures as well as long as you differentiate which disclosures apply to which population I think that’s fine, too.

Justin Daniels  10:02  

So who do you find that owns the employee privacy requirements? The Privacy team, legal, HR, maybe some combination? People are always inquiring who should do this? Yeah, I think

Jennifer Mitchell  10:14  

I think that’s another one where it just depends on how companies are structured and what resources they have. I have worked with most of my contacts fall within the privacy team. But you know, as you know, sometimes privacy professionals in-house never even asked to be the privacy lead, it was just handed to them, because nobody else would do it.

Jodi Daniels  10:35  

Voluntold.

Jennifer Mitchell  10:38  

Exactly! So in this case, I think, you know, there have been conversations around who owns it. And we see that quite a bit working with clients. And that’s understandable, I think it needs to be a combination, because it’s, it’s so important to collaborate, especially as it relates to creating accurate disclosures for the privacy notice and handling the employee rights requests. Because privacy lawyers, of course, you know, know, the privacy requirements the best, but you really need to work with your HR team to understand how the data is processed. They are probably the experts on both, you know, processing activities for applicants and the employee population. And then your employment lawyers are experts, of course, on existing labor code requirements and differences between those existing requirements under employment law, versus the privacy requirements that you know, can be overlapping, but but very different. So definitely work with HR teams to map out where data is stored the data sources and systems and, and really important to collaborate on these employee data requests. And maybe we’ll talk about that more in a bit. But I do view those as higher risk in some cases than consumer data requests. So definitely important to work together.

Jodi Daniels  11:55  

Knowing that data is a very big part of being able to honor individual rights requests and individual rights requests is a really big piece of employee rights are, you know, the employee privacy components rather, of CCPA? Which then companies say, alright, what do I actually have to tell people or the leads and companies are confused how to get started and what they should really be doing? Can you elaborate a little bit more on those requirements?

Jennifer Mitchell  12:26  

Yes, absolutely, Jody, and I think I agree with you, I think the right to know and the right to delete are some of the trickiest types of requests that really require advanced planning. So the Right to Know provides that a worker shall have the right to request that a business or an employer in this case collects personal information, disclose information back to them about what is collected, and how it’s used, and how it’s disclosed. And the most challenging right is specifically the right to access specific pieces of personal information collected about that worker. So they’re actually, you know, two separate rights. And I think it’s important to think about, there are existing rights for an employee to access some of their information under California Labor Code, like their personal records and payroll records. But the CCPA privacy right is far more expansive than those rights. So absolutely, you know, challenging in the sense that it covers all personal information collected about that employee, regardless of where it sits within the company. And to your point, the data mapping is critical, because how can you respond to this request, accurately and comprehensively if you don’t know, what data is collected about the employee? So there’s a few strategies, I think in responding to the right to know but the right to delete, just to reflect on that one for a moment is the right for a worker to request that personal information obtained about the employee is deleted and vary significantly. That right is limited to personal information that the employee has collected from that employee directly or indirectly. So in other words, the right doesn’t extend to personal information collected through other sources like background checks or benefits information. But in terms of strategy, I think that step one is the data map, as we’ve discussed, and then step two is to think about, you know, what exemptions, and also specific exceptions apply to those rights. So for example, the CCPA doesn’t apply to data covered by HIPAA or other state or federal laws. And then broadly, the CCPA explicitly states that provisions won’t restrict businesses for being able to comply with law investigations, from exercising or defending legal claims or for maintaining evidentiary privileges. So, I think, you know, again, to think about those exceptions and how they apply to the rights in advance is is really an important step in sort of calling down what their response strategy will be. In the case of a Responding to specific pieces. I mean, this is, again, a really tricky one because it could expand to chat messages, to emails. And so we work with our clients to, you know, figure out the best approach. But I think, you know, thinking about the exceptions in advance thinking about how you interpret specific pieces, thinking about how you protect the privacy of other individuals who may have been party to those communications, whether it’s email, communications, or otherwise are really sort of not important first steps.

Jodi Daniels  15:30  

One of the areas that I find companies forget that could relate to employees are the things like swag stores, rewards and recognition training. I talked to a client the other day who was collecting COVID Vaccine Information. And I said, Well, do you still have that that’s still relevant, where where is that? I just encourage everyone listening to think, really broad when you have employee information, think webinars and contests that you might have had, all of that kind of information could have been provided by the employee in a not as common traditional HR sense that people sometimes are thinking about, you got to think beyond the payroll and compensation and benefits and, and performance management. And think a little bit to that people parts where you might have some extra information.

Jennifer Mitchell  16:21  

Yeah, so true.

Justin Daniels  16:25  

Talking about all this employees stuff, the employment lawyers, the HR, the privacy professionals, kind of gives you context for the webinar we did yesterday about when you want to use AI to vet resumes, and you’re taking personal data from resumés by anonymizing it. And using AI.

Jodi Daniels  16:43  

Another place you have to think about

Justin Daniels  16:45  

Pretty much anyway. What are the biggest areas of opportunity you see for companies on employee data privacy?

Jennifer Mitchell  16:57  

I think there’s a lot of opportunity here. And I think, you know, as we know, employers and employees have a different type of relationship than businesses do with consumers, which is more at arm’s length. So I think there’s, there’s certainly an opportunity to build, you know, and or maintain trust with your worker population, which is certainly critical for you know, business success, and employees spend a lot of time of their lives at work and have good reason to trust that their employers will be transparent and honest with them. So I think that’s the biggest opportunity, and especially in the COVID or post-COVID era — whatever we’re in, where employee surveillance has become more prevalent. And there’s, you know, potentially some, some resentment or conflict about returning to work. So I think it’s a great opportunity to really, you know, refresh, and, you know, continue to build on that relationship. And so employee privacy is a big part of an employer’s trust and loyalty to their companies. I also think at a more practical side, it comes down to risk reduction from a cybersecurity perspective, because there’s just, of course, so much sensitive data that is collected by employers on their employee population. So it’s a good opportunity to also frame employee privacy compliance as the data minimization, data hygiene and risk reduction exercise.

Jodi Daniels  18:25  

Jennifer, I’d love to, excuse me, dig a little bit deeper to what you just talked about with the remote population and return to work, because many employers are trying to utilize different monitoring tools determine, you know, am I actually working? Or am I just looking on YouTube videos all day? So can you share what are the privacy challenges? And related to that? Do I need to include anything specific in a policy? Can I be doing these things? What should I be thinking about?

Jennifer Mitchell  18:54  

Yeah, absolutely. Yeah, this is certainly a hot area, in terms of monitoring, you know, employees use of their devices, monitoring, even their attendance in offices and through what mechanisms so employers do need to be really careful and rolling out these new technologies, and then be sure to check with their legal teams first. I think, you know, while employers generally have a broad broad authority to monitor communications, and needs to usually be for legitimate business purposes, and in thinking about what laws apply, so the federal workplace privacy and employee monitoring regulations stem from the Electronic Communications Privacy Act, and on the state side, several states including Connecticut, Delaware, and New York require employers that monitor their employees use of telephones, emails and internet to provide notice of such monitoring and in some states to obtain acknowledgement or receipt of the notice. So, again, really important to think about all laws that may apply what notice may be required to that population, whether acknowledgement is required and how I’m gonna do it isn’t an employee privacy. Notice, you know, the right mechanism. In addition to that do there need to be further, you know, pop-ups on devices that remind employees that their communications may be monitored. And then, of course, in California, we know that the CPPA, the agency is focused on drafting final regulations, governing automated decision making. So, you know, would any types of employee monitoring get caught up in any new requirements relating to automated decision making rules? Currently, we know that the CCPA defines profiling as any form of automated processing to evaluate certain aspects relating to an employee and in particular to, you know, to analyze or predict aspects concerning that person’s performance at work, in addition to other behavioral factors. So businesses that use automated decision making, monitoring, profiling, and the employment or employment context will have obligations that they need to meet. And, you know, we know that those regulations are forthcoming, but a lot to keep an eye on in this area.

Justin Daniels  21:09  

But what’s interesting about that is I actually got asked by a client the other day, I want to record this call, so that I can take notes. And I was like, you understand if you’ve forward this anywhere, you’ve just lost attorney client privilege. But the other thing is I now see more people want to record zoom calls. So I don’t have to take notes. But things could happen in the Zoom calls that could create legal liability, depending upon what happens in discovery on litigation about someone said this or that? Well, here’s the video record of the Zoom call. And so, as this technology evolves, I don’t think employers are always aware of some of these unintended consequences of this opportunity to record and have records of things, those things can come back to really bite you. When it comes to certain kinds of litigation contractually, or discrimination or things like that. Have you been counseling? Or have you seen clients think that through? Or is that something you find that they need a reminder about?

Jennifer Mitchell  22:06  

I think they do need a reminder about it. I mean, you’re right, Justin, I think the litigation risks in particular, and having, you know, just more information stored and collected that you don’t need. So I think back to the data, hygiene and data minimization, is this really, you know, it’s something that is that important to record? And then you know, and then more importantly, to store and keep in your systems? So it’s a great, great question. And I think, you know, from a privacy perspective, the answer is no, that’s not a good idea. But I know, we’re always bumping up against, you know, business, convenience, and, and, you know, business operations considerations as well.

Jodi Daniels  22:46  

One of the questions I always get from companies is, should I apply this to everyone? Do I take these employee privacy obligations and offer them to all of my employees? And I’m, again, curious, what are you finding your clients doing? Are they leaning one way or the other? I appreciate they’re all going to be across the board, but just any trends that you’re seeing?

Jennifer Mitchell  23:12  

I think the trend is is not to offer the right that California workers enjoy to all US employees, I think, you know, there’s a difference between having high level company principles when it comes to supporting employee requests, and being a good, you know, good partner to your worker population versus making a legal right available when the legal right doesn’t exist in other states. So for example, you know, companies could choose voluntarily to try to delete information upon request, if that makes sense. And, of course, if they don’t have legal obligations to the contrary, or they could try to provide information back to an employee that the employee has requested, again, just as a good corporate citizen, as a good employer, but but I think there’s a difference between that, you know, voluntary voluntary decisions to, to honor an employee’s request versus allowing it to be an employee, right and making that representation. And I don’t see many companies doing that outside of California.

Justin Daniels  24:23  

So when you’re not working hard on your privacy stuff at work, and you’re out at a cocktail party, possibly on the weekend, you got asked, Hey, what’s your best privacy tip?

Jodi Daniels  24:33  

What might you say?

Jennifer Mitchell  24:35  

I will say that, particularly given my experience working in-house and also in private practice, the biggest privacy tip is really you know, building a strong relationship with your business stakeholders. Because I think so often privacy, legal or privacy professionals are viewed as blockers or obstacles for making progress. And for me, meeting business objectives. In the end, I really don’t think that’s true. So, you know, working on those relationships and trying to have, you know, your business partners understand that you are a partner and you’re all, you know, rowing in the same direction trying to reach the same goals, but you’re doing it in a compliant way. And I think if you build that relationship early, then you’ll you know, hopefully avoid pitfalls of learning about a product launch or, or, you know, a business goal that doesn’t work given privacy laws and regulations, but being aware of it early on, and working together and having that sort of relationship of trust, I think can really help avoid those types of pitfalls and you know, ultimately, reach reach your goals better and on time, which is, which is always the goal.

Jodi Daniels  25:54  

When you are not offering privacy advice and reading privacy laws, what do you like to do for fun?

Jennifer Mitchell  26:02  

I am a huge fan of live music. I also have a record collection that’s getting a little bit out of control. So I’m a huge music fan. I love all forms of Indian music in particular, and I’m trying to do a better job of getting back out there in LA. I live on the west side. So if any of the listeners are based in LA, they know the challenges of leaving the west side and getting to Hollywood or, or Los Angeles, where there’s far more interesting cultural events and live music opportunities. I also have two dogs. So I’m a huge dog person and I love spending as much time with them as possible going on walks and hikes here in LA.

Jodi Daniels  26:41  

So what type of dogs take you on a lot?

Jennifer Mitchell  26:45  

They’re pit mixes. I have one shepherd pit lab mix, who’s about eight years old and we just got to adopt a new puppy a couple months ago. She’s also a pit mix.

Jodi Daniels  26:57  

Very sweet. I said I can’t repeat the word because then my dog might get up but we have a big great Pyrenees. Who likes the idea of going outside at the moment? Well, Jennifer, thank you so much for joining. If people would like to connect and learn more, where is the best place for them to go?

Jennifer Mitchell  27:16  

Oh, they can go to the Baker Hostetler website and find me or I can be reached at JLMitchell@bakerlaw.com.

Jodi Daniels  27:24  

Wonderful. Thank you so much for stopping by today to talk about employee data privacy, which is incredibly important, and sometimes doesn’t get as much of the attention as it deserves. So we really appreciate your time today.

Jennifer Mitchell  27:37  

Thank you, Jodi. Thanks, Justin.

Outro  27:43  

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click subscribe to get future episodes and check us out on LinkedIn. See you next time.