Connect with us


The American Privacy Rights Act: Looming Changes for HR?



Data privacy in America and HR’s use of AI in the workplace may be on the verge of a significant shift.

The American Privacy Rights Act of 2024, which some experts say could pass this year because of bipartisan support in Congress, would establish a federal standard for how companies handle personal information. While it excludes employee data, the law would mean more rules governing the use of AI in HR decision-making.

For example, if the bill is enacted, an employee could bar their employer from using AI in making “consequential” decisions about their employment if the employee exercises an AI opt-out.

For now, companies making $40 million or less in annual gross revenue; that collect, process, retain or transfer the “covered” data of 200,000 or fewer individuals; and don’t earn revenue from selling covered data to third parties are considered exempt.

Good News: Less Patchwork Compliance

Unlike a lot of countries, the U.S. lacks a comprehensive national data privacy law. Instead, there are various state-level data privacy laws, creating a patchwork of complex regulations for companies with multi-state locations.

Just one of them applies to HR data: the California Privacy Rights Act.

The American Privacy Rights Act would pre-empt most state data privacy laws and provide organizations with compliance clarity from a single national standard, as well as data practices consistency.

The American Privacy Rights Act’s Impact on HR

A key provision of the American Privacy Rights Act that HR needs to be aware of has to do with “covered algorithms.” Addressing concerns around AI bias, the law would require businesses to audit algorithms used for making decisions on hiring, performance evaluation, promotion, demotion and termination. HR would need to ensure these algorithms are fair and non-discriminatory.

In addition, you’d have to provide notice to applicants and employees when AI is being used in HR matters, and give them the opportunity to opt out of the use of AI.

The notice needs to be clear, conspicuous and not misleading; provided in each language in which the business provides a product or service; and reasonably accessible to, and usable by, individuals with disabilities.

The opt-out provision, however, isn’t so clear. For instance, it doesn’t spell out what the acceptable work-arounds for HR decision-making are if an employee opts out.

Another area where the AI rules could become problematic is how they apply to human capital management systems that use AI. And there’s no word on if that applies to using AI to create performance reviews, job placements during a restructuring or job descriptions.

Who’s going to be in charge of enforcement? The statute would require the Federal Trade Commission (FTC) to form a new bureau. State consumer protection officials, such as attorneys general, would also be given authority to issue violations, provided they notify the FTC in advance. Individuals are also allowed to sue entities for certain violations.

Get Ready for the American Privacy Rights Act

To prepare for the possibility that the American Privacy Rights Act passes, HR leaders should consider:

  • Reviewing and updating policies: Do your policies align with American Privacy Rights Act requirements, including provisions related to automated HR decision-making?
  • Employee training and awareness: Educate your workforce on what the American Privacy Rights Act means for them, including their expanded individual rights and your organization’s data privacy and security practices. This promotes a culture of trust.
  • Vendor management: Ensure that your HR tech providers are in compliance with American Privacy Rights Act requirements.
  • Compliance and risk management: What are your strategies for mitigating potential legal and reputational risks associated with American Privacy Rights Act violations or lawsuits?
  • Collaboration with legal and IT: The American Privacy Rights Act’s requirements could change. Talk to your organization’s legal and IT teams about any evolving requirements and developing strategies for implementation.

Read the full article here