Monitoring employee communications, especially instant messaging communications, is important to mitigate litigation risk. California’s discovery rules are broad, and allow discovery of any matter, not privileged, that is relevant to the subject matter of the litigation or that appears reasonably calculated to lead to the discovery of other admissible evidence. Plaintiff’s counsel generally seeks a broad range of electronic data and all of it is discoverable during litigation.
When employers utilize productivity applications like Microsoft Teams, the amount of data stored – and the amount of discoverable data – increases exponentially. Rather than dealing with “he said she said” allegations, the employer could potentially be dealing with months or even years of data, consisting of “stream of consciousness” style communications between employees, and all of it is discoverable in discrimination and harassment cases. The more communications that are produced, the more likely that a plaintiff’s counsel is to find a communication that creates a triable issue of material fact that will defeat summary judgment and entitle a plaintiff to a jury trial.
What Privacy Rights Should Employers Be Aware of When Monitoring Employee Communications?
The primary source of law protecting employee’s privacy is Article 1, section 1 of the California Constitution. To establish liability under Article 1, Section 1 of the California Constitution, the employee must establish (1) a legally protected privacy interest; (2) a reasonable expectation of privacy in the circumstances; and (3) conduct by the employer constituting a serious invasion of that privacy. Courts look at “accepted community norms” when determining whether a reasonable expectation of privacy exists. Generally, when employees have been made aware that all of their communications and data will be monitored by their employer, the employee has no reasonable expectation of privacy in those communications or data. See TBG Ins. Services Corp. v. Superior Court., 96 Cal.App.4th 443 (2002).
An additional source of privacy rights comes from the California Consumer Privacy Act and the California Privacy Rights Act (also known as Proposition 24). Most protections for employee data stemming from these laws do not go into effect until January 1, 2023, but employers should still be aware of key provisions if these laws apply to them. These laws protect the personal information that identifies, relates to, describes, is capable of being associated with, or may reasonably be linked, directly or indirectly, with a particular consumer or household, but does not protect de-identified data (but remember there is a high bar to meet this standard).
The CPRA applies to entities that meet one of the following criteria:
- Annual revenue is greater than $25 million.
- Annually buys, sells, or shares the personal information of more than 100,000 consumers or households.
- Derives at least 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.
The CCPA/CPRA also applies to any entity that either (A) controls or is controlled by a covered business; or (B) shares common branding with a covered business, such as a shared name, service mark, or trademark.
The CPRA contains notable requirements that will be applicable to employee data beginning on January 1, 2023:
- Notice requirements (what information is collected or shared, the purposes of the collection, and privacy policies applicable to the data)
- Opt-out rights (right to opt-out of data collection and sharing)
- Disclosure/access rights (right to obtain details about the data collected and with whom it is shared))
- Data portability rights (right to obtain a copy of the data collected)
- Right to be forgotten (right to ask the company to delete the data collected)
- Non-discrimination (for any individual who exercises their rights under the law)
- Right to restrict use and disclosure of Sensitive Personal Information (including emails, text messages, and geolocation data)
- Right to correct data that is inaccurate
For employers who use AI or machine learning technology, employees will also have the right to opt-out of automated decision-making technology in connection with decisions related to a consumer’s (employee’s) work performance, and the right to access information about automated decision-making used in the workplace.
The CPRA also includes built-in enforcement mechanisms, monetary penalties, and a 30-day cure period for alleged violations.
Risk Mitigation Framework
Companies should employ a four-part risk mitigation framework:
- Understand data sources and data storage practices
- Establish acceptable use and monitoring policies for all communication platforms and device types
- Train employees on acceptable use policies and ensure employees understand that any communications may be monitored by the employer
- Monitor employee communications for compliance with acceptable use policies.
Regarding Employee Monitoring
Employers should engage in some type of monitoring of employee communications to ensure compliance with acceptable use policies and conduct-related policies. Employers can manually monitor communications – for example, having HR review the communications of different employees on a regular basis, or via AI and machine learning technology. There are pros and cons to each approach. In general, employers should not rely solely upon automated monitoring, as this type of monitoring often does not pick up context-specific or culture-related issues.
Document Retention and Destruction Policies
In addition to monitoring emerging workplace communication technologies such as text messaging and chat functions, employers may have an affirmative duty to preserve these communications in anticipation of litigation. While California and federal law are consistent in requiring an employer to preserve these communications once litigation has begun, federal law imparts a further duty upon the employer to preserve once potential litigation is foreseeable – even if that possibility is considered unlikely or far into the future. The failure to preserve these records can lead to the presumption that the deleted communications were harmful to the employer, or – in the most extreme cases – a default judgment being entered against an employer.
Employers may nonetheless engage in a reasonable document destruction policy – including periodic deletions of employee communications – for which the employer has no further use. Such destruction policies are reasonable if they are appropriate to the type of document being destroyed, the likelihood of litigation, and whether the policy was enacted in good faith. Employers should carefully weigh the benefits of retaining versus destroying workplace communications on a regular basis, deciding for themselves the manner, frequency, and type of communications to be destroyed, along with a mechanism to preserve any communications once potential litigation has been identified.
Restricting Employee Speech on Hot-Button Issues Like Politics
Employers have seen an uptick in employee activism and inter-personal conflicts with the exacerbation of political differences, COVID, the country’s racial reckoning following the death of George Floyd and the 2020 election and its aftermath. Because of this, some large companies that utilize internal productivity platforms have begun restricting employee speech on political topics that have caused disruptions in the workplace. Deciding to adopt this kind of a policy requires a case-by-case assessment of the current workplace culture, how much disruption these discussions are causing, and any potential blowback from employees for instituting a policy prohibiting political discussions.
Remember that the National Labor Relations Act protects the right of employees to engage in “concerted activities for the purpose of collective bargaining or other mutual aid or protection.” 29 U.S.C. § 157. For example, employers cannot prohibit employees from discussing their salary or benefits with one another.
In addition, Labor Code section 1101 prohibits employers from adopting any policy meant to prevent employees from engaging in politics or from becoming candidates for public office. Employers are also prohibited from controlling or directing the political activities of employees, so do not tell an employee what position they should take when they do discuss politics outside of work. Labor Code section 1102 also prohibits coercion or influence on the part of the employer that tries to force an employee into a particular course of political action or activity.
When considering whether to adopt this type of policy, ensure employees are still encouraged to report harassment, discrimination, and retaliation in the workplace. Also, do not attempt to control employees’ activities during meal and rest breaks or while off-the-clock, as this would pose wage and hour compliance issues.