[co-author: Aidan Morrissey]*
On Tuesday, June 15, 2021, a French court ordered IKEA to pay 1 million euros ($1.2 million) for spying on its employees in France.1 The allegations included reviewing employees' bank account records, using fake employees to write reports on the staff, and even paying for police files on some employees.
The National Commission on Informatics and Liberty, or CNIL, led the prosecution against IKEA. The CNIL, a regulatory body within the French government, governs and enforces data privacy laws. The French state prosecutor commented that "what's at stake is the protection of our private lives against the threat of mass surveillance."2
Although this may seem to be an isolated issue for France, EU countries under the jurisdiction of the General Data Protection Regulation (GDPR), or companies operating globally in the EU or France, the precedent for this type of violation and subsequent fines may also impact U.S.-based organizations if U.S. lawmakers decide to adopt similar principles.
Why would U.S. companies and U.S. state privacy regulations be impacted? Currently, both the CCPA and CPRA have certain exemptions on employee data until 2023; however, there is still an obligation for organizations to provide notice to their employees on how they use, collect, store, and process their employees' personal information.
Companies tend to approach the CCPA and CPRA as if they only affect their customers or clients and may forget to develop the proper Privacy Notice for employees. Transparency and accountability, especially around any surveillance processes, should be clearly communicated to an organization's employees.
As part of privacy best practice, companies should incorporate privacy notices for employees in addition to their external-facing privacy notices. These policies contain information on what, how, and why personal information is being processed about the employees. Additional key components of employee privacy notices include collection and use, individual rights and choices around processing, disclosure to third parties and international data transfers.