Rep. Boucher's Privacy Bill Would Impose Substantial Burdens on Virtually All Employers

Perhaps providing the public with an opportunity to identify unanticipated consequences of long-awaited, federal privacy legislation, Reps. Rick Boucher (D-Va.), Chairman of the House Energy and Commerce Subcommittee on Communications, Technology, and the Internet, and Cliff Stearns (R-Fla.), the panel's ranking member, have requested public comment on a privacy bill before formally introducing it. The bill, which has not yet received a title--though apparently is intended to regulate on-line marketers--would impose substantial burdens on virtually every U.S. employer.

At its highest level, the draft bill would require only that on-line retailers who collect annually personal information of more than 5,000 customers provide a privacy notice and obtain opt-out consent from consumers. Upon closer examination, however, the bill would require almost every employer, regardless of size, to provide every employee and apparently every job applicant with a privacy notice and obtain their affirmative opt-in consent to the employer’s collection, use and disclosure of certain categories of personal information.

As currently written, the draft bill broadly defines a “covered entity” to include any business that engages in interstate commerce and collects basic contact information, such as name, postal address, telephone or fax number, and e-mail address, and excludes from that definition businesses that collect such information from fewer than 5,000 individuals annually. The problem is that the exclusion does not apply to any covered business that collects “sensitive information.” The draft bill defines “sensitive information” to include medical records, race or ethnicity, religious beliefs, sexual orientation, precise geolocation information, and financial records and other financial information associated with a financial account, including balance and other financial information.

Virtually every employer collects at least one category of sensitive information as defined by the bill. Employers routinely obtain employee medical information at a minimum in connection with workers’ compensation claims and leave requests. Employers subject to regulation by the Equal Employment Opportunity Commission are required by law to collect information about race and ethnicity. Many employers obtain employees’ financial account information for direct deposit purposes. Finally, an increasing number of employers rely upon location-tracking technology to monitor employees who work primarily off-site.

The drafters also appear to have attempted to limit the burden of the bill on employers by providing that the consent requirement does not apply to the collection, use or disclosure of covered information for “operational purposes.” The draft bill defines “operational purposes” to include “carrying out an employment relationship with individuals.”

The apparent removal of employers from the consent requirements, however, appears to be illusory. The draft bill expressly prohibits the collection or disclosure of sensitive information “for any purpose” — including an operational/employment purpose — without providing the individual with the required privacy notice before collection and obtaining the individual’s “express affirmative consent” before collecting or disclosing the sensitive information. As noted above, virtually all employers routinely collect one or more categories of sensitive information as defined by the draft bill.

The notice and consent requirement could be substantially burdensome for employers. The notice requires that employers provide fifteen different categories of information regarding the employer's collection and use of the covered information. Employers might be able to satisfy the bill’s requirements with a single, omnibus privacy notice when an individual applies for a job or is first hired. Preparing the notice, however, could be a highly complex task. The bill, for example, mandates that the notice include “the specific purposes” for which the employer collects and uses covered information as well as how long the information will be retained. Employers use sensitive information, such as medical information, for a large number of “specific purposes.” In addition, retention periods for different categories of medical information — pre-employment physical vs. OSHA-mandated medical surveillance — and for other types of sensitive information can vary substantially.

The draft bill also potentially would permit disgruntled employees to wreak havoc with human resources administration. Under the draft bill, an employee’s withdrawal of consent bars the employer from “us[ing] covered information previously collected.” Taken literally, this provision would, for example, empower an employee to bar his employer from reporting his race or ethnicity to the EEOC.

The draft bill contains yet another dose of bitter medicine for employers. The bill arguably could be read to limit the notice and opt-in consent requirements for employers to the six categories of sensitive information described above. However, the draft bill provides that an employer cannot disclose any form of covered information — sensitive or non-sensitive — to a third-party service provider unless the employer has provided the notice described above and obtained, at a minimum, the employee’s opt-out consent. Given employers’ heavy and growing reliance on third-party service providers to perform human resources administration, compliance with this provision effectively would require most, if not virtually all, employers to provide notice with respect to their collection and use of non-sensitive information as well as sensitive information.

Finally, the draft bill’s requirements apply to the collection, use and disclosure of covered information about an “individual” without defining that term. “Individual,” on its face, encompasses not only job applicants and employees who reside in the U.S. and/or are U.S. citizens but any applicant or employee located anywhere in the world. In other words, the draft bill arguably would require a multinational employer that uses third-party service providers for human resources administration to provide notice and obtain consent from tens of thousands of job applicants and employees.

Given the potentially substantial burdens that the draft bill as currently written imposes on employers, they should carefully track this legislation and consider taking advantage of the thirty-day public comment period opened by the drafters.

This entry was written by Philip Gordon.
 

Information contained in this publication is intended for informational purposes only and does not constitute legal advice or opinion, nor is it a substitute for the professional judgment of an attorney.