News and Commentary Impacting Data Privacy and Cybersecurity Programs
CFPB Cracking Down on AI-Driven Employee Monitoring and Reports
Increasingly, employers are monitoring and evaluating their employees with third-party applications, including with AI-driven surveillance tools. The federal Consumer Financial Protection Bureau (CFPB) and other agencies, however, are taking notice and taking action to stop unchecked worker surveillance.
Recent guidance released by the CFPB warns against deploying employee monitoring technology without first considering whether it violates the protections outlined by the Fair Credit Reporting Act (FCRA). Among other things, the FCRA protects employees from adverse actions taken on the basis of unknown or unauthorized background reports, checks, and scoring. The law also restricts how employers can collect and use employee data.
Contractors and third-party employees are similarly entitled to personal data protections. Any person who is “controlled” or monitored by workplace surveillance is technically considered an employee for purposes of the FCRA, granting them labor law protections and privacy rights, according to Department of Labor Acting Secretary Julie Su.
The CFPB notes that some employers “use third parties to monitor workers’ sales interactions, to track workers’ driving habits, to measure the time that workers take to complete tasks…to calculate workers’ time spent off-task through documenting their web browsing, taking screenshots of computers, and measuring keystroke frequency” or purchase “dossiers” about their employees from third-party sellers.
Below are a few critical areas to consider when using employee surveillance tools or purchased reports.
Key Takeaways for Employers
Consent: Companies must gain explicit employee consent before collecting or assessing employee data through third-party AI solutions.
Transparency: Employers must provide written notice when they are using such monitoring and evaluation solutions, including exactly what data they are collecting and how they will use it. They must also provide notice of adverse actions informed by such automated decision-making tools, including the specific factors that the solution used.
One of the main criticisms of employee surveillance tools or purchased reports is that workers often do not know what information the solution provider is collecting or how the system works. Many third-party applications use “black box” AI or similar systems to offer scores for employees (such as a score for overall “effectiveness”), but these solutions do not explain how they reached their conclusions. To align with the FCRA, any employee evaluation or score must be verifiable. If the employer cannot clearly detail the basis for an adverse action based on a third-party tool, that action is vulnerable to legal challenge.
Data Disputes: Employees have the right not only to know what third-party data informs an adverse action, but also to correct inaccuracies. This issue comes up frequently with third-party applications and reports, as many employees complain that the data about them is wrong. The CFPB emphasizes that when an employee disputes what is in a report, companies are required to correct or delete inaccurate, incomplete, or unverifiable information. Accordingly, organizations must create a process for allowing employees to submit requests for corrections, for evaluating their requests and criticisms, for updating information when required, and for explaining why the personal data is correct.
Only Collect Essential Data: It is best practice to collect and utilize only essential data about employees. It is tempting to collect everything possible when data is readily available, but this opens organizations up to unnecessary legal liability. Collect only what is reasonably necessary for legitimate decision making.
Limit Internal Access to Data: Permit access to employee data only to those staff with a need to know. This limits the likelihood of misuse and data privacy violations. These limitations may apply to C-suite executives, as even CEOs can get in trouble for abusing employee surveillance data.
Training/Audits: Train HR professionals, department supervisors, and IT procurement personnel to identify how prospective surveillance and scoring tools work and how they may be used. Monitor the solutions and conduct periodic bias audits to screen for unintended and/or discriminatory impacts.
Deletion Policies: It is best practice to have retention and destruction policies for deleting surveillance data or reports as soon as the purpose(s) for collecting such data no longer exist, subject to longer periods required by law.
Restrictions: Do not sell or share employee surveillance data.
Data Security: Just like personally identifiable consumer data, companies are obligated to protect employee data by deploying reasonable technical, administrative, and physical safeguards, proportionate to the level of the data’s sensitivity.
Concluding Considerations
Employers and technology providers alike should view the CFPB guidance as part of a broader push by state and federal regulators to focus on transparency and fairness in algorithmic and automated decision making. While employee surveillance applications may seem like a convenient way to streamline worker evaluation, these systems need to be implemented thoughtfully. Companies that deploy third-party employee surveillance without appropriate guardrails are likely to face legal challenges when using it to take adverse actions against employees. If an employee can demonstrate that any of the FCRA requirements were not met, then a simple termination case can become much more complicated.
There is some legal ambiguity surrounding employee monitoring data, particularly health-related data like that collected by “wearables” that may signal an employee has a life-threatening ailment. Employers should understand the benefits and risks associated with employee surveillance and reporting and develop a plan for assessment and implementation before deploying these new technologies.
For further information or guidance on these issues, please contact:
Sherwin M. Yoder, CIPP/US, CIPP/E and CIPM
Partner
203.575.2649
syoder@carmodylaw.com
This information is for educational purposes only to provide general information and a general understanding of the law. It does not constitute legal advice and does not establish any attorney-client relationship.