Overview of New Rights for Workers under the California Consumer Privacy Act
Introduction
Employers across the U.S. are increasingly adopting new tools such as electronic monitoring and algorithmic management to monitor, profile, and control workers. Companies use data-driven technologies to make decisions that can have significant effects on workers’ lives – such as screening job applicants, assessing workers’ performance, making promotion or disciplinary decisions, and managing tasks and productivity.
The problem is that workers in the U.S. are virtually unprotected from employers using digital workforce management technologies. New employment and labor laws will be needed to establish worker technology rights for the 21st century workplace.
A significant first step in this direction occurred at the beginning of 2023, when workers at large companies in California gained basic rights around their workplace data under the state’s groundbreaking data privacy law, the California Consumer Privacy Act (CCPA, as amended and strengthened by the subsequent California Privacy Rights Act). The CCPA was designed for the protection of consumers and originally excluded workers, but as of January 1, 2023, that exemption has sunsetted and California workers are now included in its protections.
Under the CCPA, workers have the right to know when employers are monitoring them and for what purpose. They can access their data and request to correct or delete it. They can know if employers are profiling them or buying data about them, like social media activity. And they can opt out of employers selling their data.
This memo provides an overview of workers’ rights under the CCPA and how workers can exercise these rights. We focus on the right to access one’s data because of its potential value for workers and worker advocates. Information gained in a data access request can reveal or substantiate unfair workplace practices and can be used to initiate challenges to them. Two short case studies at the end illustrate how worker organizations are beginning to use data access requests.
If your organization is interested in testing the use of CCPA rights, contact us for more information. For broader coverage of data-based technologies and technology rights, see our report Data and Algorithms at Work: The Case for Worker Technology Rights.
Worker Rights Under the California Consumer Privacy Act (CCPA)
As of January 1, 2023, workers in California are covered by the California Consumer Privacy Act (CCPA). Below are the key aspects of the CCPA. For more information, see this explainer.
Who is covered by the CCPA?
- Workers at for-profit companies doing business in California that meet one or more of these qualifications:
- Have more than $25 million in gross annual revenue
- Buy, sell, or share the personal information of 100,000 or more consumers or households
- Derive 50% or more of their annual revenue from selling or sharing consumers’ personal information
- Workers includes employees, independent contractors, job applicants, and former employees
- Third parties (labor subcontractors and service providers) that control the collection of an employer’s worker data are bound by the same regulations as the employers.
What are workers’ rights under the CCPA?
- Workers have the right to know when their employers are collecting data on them
- Workers have the right to access their data
- Workers have the right to correct and delete their data
- Workers have the right to opt out of employers’ sale or sharing of their data
- Workers have the right to limit employers’ use of their sensitive data
- Workers are protected from retaliation for exercising these rights
- In the future, workers may have additional rights to opt out of, or receive meaningful information about, automated decision-making (pending rule-making currently underway by the agency enforcing the CCPA).
What data does the CCPA cover?
- The CCPA applies to a worker’s personal information, meaning any data that can be linked to an individual worker, like personal IDs, demographics, employment-related data, biometric data, social media data, geolocation data, audio data, and inferences made about the worker’s characteristics and abilities.
- Sensitive personal information includes Social Security numbers, union membership, genetic data, race/ethnic origin, health/medical data, biometric data, sexual orientation data, religious beliefs, and emails not meant for the employer.
How is the CCPA enforced?
- The newly created California Privacy Protection Agency (CPPA) has enforcement powers and is able to investigate possible violations and impose administrative fines. The California Attorney General’s office can also enforce the CCPA. There is no private right of action except in cases of data breaches.
- Enforcement of the CCPA, including amendments made by the CPRA, began July 1, 2023. The express statutory requirements in the law itself are currently being enforced. However, enforcement of the CCPA’s latest regulations was delayed until next March by a court ruling.
What is the role of unions and other worker organizations?
- The CCPA allows workers to designate authorized agents, such as unions and other worker organizations and advocates, to make requests for data access, correction, or deletion on their behalf.
Accessing Data Under the CCPA
Making a data access request to their employer is a primary way for workers to exercise their data rights under the CCPA. Knowing what information their employer is collecting about them is a first step for workers to understand how their employer is monitoring and controlling their work. And understanding what data is being collected and how it is used or shared is necessary for workers to meaningfully govern the use of their data, including exercising other CCPA rights and monitoring compliance with the law.
The CCPA provides specific requirements for how workers submit data access requests, how a business responds to the request, and what data a business must provide.
Content of Response to Data Request
The data that a business must provide in response to a data access request includes:
- The categories of data it has collected about the worker in the last year
- The categories of sources from which that data has been collected
- The business purpose for the data collection, selling, or sharing
- The categories of worker data it sold, shared, or disclosed to third parties
- The categories of third parties to whom the employer has sold, shared, or disclosed the worker data – including subcontractors
- The specific pieces of data it has collected about the worker in the last year (or if requested, going back to January 1, 2022), in an accessible format.
The CCPA requires that the data be given in a “readily usable format” that allows the worker to be able to transfer the data to another entity.
Submission
Businesses must provide at least two methods for workers to submit data access requests, one of which must be a toll-free phone number. Other methods may include email, a printed form, or a web portal where workers fill out an online form.
Verification
Businesses must verify the identity of the worker making the request. If a business has a password protected account with the worker, it may use existing authentication procedures within the account to verify the worker.
Response
Once a request is received, a business must respond within 10 days to let the worker know how the request will be processed, including sharing information on the identity verification process. It must provide the data within 45 days and may extend this period for another 45 days, up to a total of 90 days.
Case Studies of Data Access Requests
Several worker organizations have begun to experiment with submitting worker data access requests. Prior to the recent inclusion of workers under the CCPA, the U.S. provided very few data rights for workers either at the federal or state level. By contrast, the EU has provided workers with data rights since 2018 through its General Data Protection Regulation (GDPR), a global standard for data privacy laws. We present two case studies of data access requests and litigation under the GDPR: the Worker Info Exchange and UNI Global Union.
Worker Info Exchange
The Worker Info Exchange (WIE) is a European organization dedicated to “research and advocacy of digital rights for workers and their trade unions.” WIE’s long-term goal is to build worker data trusts, where workers collectivize their data to wield greater collective bargaining power. The group also seeks greater algorithmic transparency for platform workers over issues such as pay, deactivation, or work allocation.
WIE’s work has three aspects:
- Data access – workers making data requests to their employers to gain transparency on how their employer allocates work, decides what to pay, and evaluates performance
- Data investigations – data analysis to “expose unfair algorithmic decision making” along with litigation support to contest unfair dismissals or other automated decisions
- Data trusts – unions and other worker organizations aggregating data to support collective bargaining and action.
The Worker Info Exchange reported in 2021 that they facilitated over 500 data access requests over several months. However, they found that widespread noncompliance with data protection laws impeded data access, algorithmic transparency, and achieving the scale of data needed for WIE’s objective of building a worker data trust. Thus, the WIE turned to strategic litigation under the GDPR to obtain company data and insight into automated decision making.[1] They hope such litigation also helps to establish standards for data protection laws – in particular, expanding the scope of data a worker can access.
In 2020, WIE worked with the ADCU (App Drivers & Couriers Union) and groups of drivers to bring three cases demanding that ride hail companies Uber and Ola comply with their data access requests. WIE’s goal was also to use these cases to set standards around transparency and data access that could apply across industries and help workers challenge algorithmic harms and inequities.
The litigation resulted in significant favorable rulings this spring. The Court of Appeals in Amsterdam ordered that Uber provide information about how worker data and profiling is used in its automated decision-making system for dynamic pay and pricing, and allocation of work. Similarly, the court decided that Ola must provide information about how workers’ earning profiles and “fraud probability scores” are used in automatic decision making about pay and work allocation. In the case of drivers who were “robo-fired” by an automated system and not allowed an appeal, the court found that Uber’s provision of human intervention in the termination decision was “symbolic” and drivers were owed information about the underlying logic of the automatic decision-making and the opportunity for meaningful human review.
Amazon warehouse workers with UNI Global Union
With affiliated unions in 150 countries representing 20 million workers, UNI Global Union is a global voice for service workers. It has been actively promoting workers’ rights regarding data protection and algorithmic management. In May 2023, UNI released a report, Algorithmic Management: Opportunities for Collective Action, which provides guidance on how unions can challenge these systems using established legal frameworks and existing bargaining mechanisms. The report also offers concrete recommendations for future collective bargaining.
UNI convenes the Global Alliance of Amazon Unions as well as Make Amazon Pay, a campaign that includes more than 80 NGOs and unions worldwide. Partnering with NOYB, a leading European data rights group, UNI organized the filing of data access requests under the GDPR by Amazon warehouse workers in Germany, the UK, Italy, Poland, and Slovakia in March 2022. Since then, Amazon workers have continued pushing for greater data transparency.
Currently, Amazon workers do not know what data is being collected on them, for what purposes, with whom it is shared, and how this data is used by automated decision-making systems that impact them. By filing data requests, UNI and NOYB hope to gain transparency that can begin to challenge Amazon’s harmful use of workplace management technologies. For example, Amazon carries out extensive productivity monitoring of its workers (see here and here); this surveillance contributes to pressure to work faster, causing work at unsafe levels. The requests may also capture a broader set of information about worker issues, such as automated decision making or potential wage and hour violations.
Amazon recently responded to the data requests after initial delays; UNI and its partners are evaluating next steps.
Endnotes
[1] The UK is no longer covered by the GDPR after Brexit, but has a very similar suite of data rights.
View the appendix, “Summary of Worker Rights Under the CCPA/CPRA.”