New laws in New York City and California regulating the use of AI and personal data are set to go into effect Jan. 1, 2023 — and and while enforcement has been delayed, they’ll have far-reaching effects outside of those jurisdictions, experts say.
In New York, Local Law 144 will regulate how companies can use automated employment decision tools, namely by requiring a bias audit before any tool can be used and a notification to job applicants and employees before its use.
“If they don't have California employees, a lot of companies think they're off the hook. They're not."
Partner, Perkins Coie
And, on the other coast, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act, expands the data privacy law to cover employees, job applicants, independent contractors and the operations between businesses. A previous exemption that excluded employee data from the CCPA sunsets at the end of the year.
Despite being local and state laws, both new pieces of legislation extend to employers with job applicants or workers who are residents of New York City or California. And, in the age of remote work, that number is growing.
“If they don't have California employees, a lot of companies think they're off the hook. They're not,” said April Goff, a partner in the Dallas office of law firm Perkins Coie.
The enforcement of both laws has been delayed, until April 15, 2023, in New York City and July 1, 2023, for the CCPA in California, and regulations have yet to be issued. But that doesn’t mean employers have time to waste, lawyers say.
“If they don't come until April or May, that's not going to give [companies] enough time to start the process. Companies have to start now,” Goff told HR Dive.
Depending on the law in question, that process looks different.
To comply with the CCPA, Goff recommends companies consider whether they are battleships — complex organizations that will take time to change course — or speedboats — nimble businesses that can quickly alter direction.
“Compliance is something that's going to take time to gear up,” Goff said, and a company’s “compliance strategy is going to have to be one that’s subject to change pending the regulations.”
While a handful of other states also have consumer data privacy laws, California stands out by including employees, job applicants and independent contractors in its legislation. Under the CCPA, employees can request personal information, must be notified of what information is being collected and can ask for certain information to be deleted, if a business doesn’t need to keep it, such as for legal reasons.
Companies, naturally, have a lot more information on employees than on consumers, which makes it complicated to figure out which data is covered by the law, said Goff, who practices in privacy and security law and works closely with the labor and employment practice at Perkins Coie.
“It could be as expansive as every Slack or every email message or just personnel records you’re already entitled to under law,” she said.
Because regulations haven’t been issued, lawyers and companies are using industry best practices to figure out the next steps, Goff said. She advises companies to use data maps to figure out what information the company has and how it is being used and shared. Then, the company needs to figure out who will handle data requests: someone in-house or a third party? Fulfilling those requests, however, should involve human resources and the legal departments, she said.
Under Local Law 144 in New York City, companies are required to complete bias audits on automated employment decision tools, including those using artificial intelligence, implemented in their hiring process to ensure the algorithms aren’t illegally biased and discriminatory.
“Nobody really knows what a bias audit is. It’s kind of making it up on the fly,” said Dave Walton, a partner in the Philadelphia office of law firm Fisher Phillips.
And proposed regulations raised more questions than answers, Walton said. That’s why the New York City Department of Consumer and Worker Protection delayed enforcement by four months over the “high volume of public comments” it received on the new law.
“If the regulations went into effect as of Jan. 1, it would’ve been an absolutely insane chaotic mess,” said Walton, who earned a certification in data analytics from the Wharton School of the University of Pennsylvania.
While individuals can’t sue employers under Local Law 144, the information that must be made publicly available through bias audits could lead to class action lawsuits under state and federal discrimination law.
“For smart employment lawyers, this will be the new class action,” Walton said.
To prepare, Walton advises companies to hire a law firm with expertise in the area and work together to identify what types of tools are being used and if they’re from an outside vendor. If they are, he said to check to see if the agreement with the vendor has an indemnification clause in it and determine who has to complete the bias audit. After the bias audit is completed, the company needs to make any necessary changes and then publish its results.
“These AI tools have grown so fast, they’re being adopted, and they're kind of like a black box. Nobody really knows how they work because they’re very complicated,” Goff said. “These HR departments are just adopting these tools, but they don't really know what they're analyzing or how they’re working.”
Walton said he sees these new laws on data use and privacy as the beginning of a trend as legislators look to catch up to data collection and automated employment decision tools.
“Usually something starts on the coast and moves inward toward the rest of the country,” he said.