Privacy Law Blog : Privacy Lawyers & Attorneys : Proskauer Rose Law Firm : CAN-SPAM, FCRA, FACTA

Background

In Hernandez, the employer, a residential facility for abused and neglected children, installed a hidden video camera in an office from which it believed someone was accessing pornographic websites after hours.  The two clerical employees who worked in the office during the day were never told about the camera nor did they consent to its use, but the camera was only activated three times over a three-week period, and the employees themselves were never actually recorded.  When they discovered the camera, "small, blinking, and hot to the touch," the employees brought claims under the California Constitution and the common law tort of intrusion for invasion of privacy.  This tort has two elements: first, the plaintiff must prove an intentional intrusion into a place, conversation, or matter as to which the plaintiff has a reasonable expectation of privacy, and second, the intrusion must occur in a manner highly offensive to a reasonable person.

The trial court sided with the employer, granting summary judgment on the grounds that the employees had not been harmed because there was no evidence the camera had ever actually recorded them. The trial court also agreed with the employer that whatever expectation of privacy the employees had was outweighed by the employer's duty to protect the children living in the residence. The Court of Appeal reversed, however, holding that the employees' claim for invasion of privacy did not require them to prove they had actually been viewed or recorded.  It held that "the mere placement of the surveillance equipment on the shelf in plaintiffs' office itself invaded their privacy" because it could have been activated at any time, including while the employees were present.  The court also found a triable issue of fact as to whether the employer's intrusion in this case was justified.  Hernandez v. Hillsides, Inc., 142 Cal. App. 4th 1377 (2006).

The California Supreme Court's Decision

Reversing the Court of Appeal, the California Supreme Court held that the employees had a reasonable expectation of privacy in their semi-private office, and that an intrusion into their privacy had occurred, but the employer's conduct did not violate their privacy rights in this instance.  The Court found that the employees had a reasonable expectation they would not be secretly videotaped in their office because employees generally have this expectation in nonpublic work areas unless the employer puts them on notice to the contrary, and there was no evidence the employees had notice in this case.  The Court also held that it did not matter that the plaintiffs were never actually recorded on video, or that the employer took steps to avoid recording them during business hours.  The Court held that such factors could mitigate the offensiveness of the challenged conduct, but did not preclude a finding of the requisite intrusion in the first place. 

Although it found the hidden camera constituted an intrusion, the Court held that actual use of the camera was not so serious, egregious or offensive as to warrant liability.  The evidence showed that the employer never activated the camera during regular business hours, and only recorded video on three occasions, at night, over a three week period.  Thus, the Court found that the plaintiffs' privacy concerns were alleviated because "the intrusion was 'limited' and no information about plaintiffs was accessed, gathered, or disclosed," and such timing and limited use of the camera was "inconsistent with an egregious breach of social norms."   The Court also gave significance to the employer's motives, which were not to record the plaintiffs for any "socially repugnant" reasons, but rather "to confirm a strong suspicion...that an unknown staff person was engaged in unauthorized and inappropriate computer use at night," which undermined the employer's goal of providing "a wholesome environment for the abused children in its care."  Accordingly, the Court found that "considering all the relevant circumstances," the plaintiffs had not and reasonably could not establish that the employer's conduct was "highly offensive and constituted an egregious violation of prevailing social norms."

Implications for Employers

Employers should consider this a "near miss" ruling that was largely driven by the unique facts of the case, including the employer's very limited use of the camera and its particularly compelling justification given its role as a caretaker for sexually abused children.  In many other circumstances, however, video surveillance of employees in a non-public work area without notice to those potentially recorded is likely to product an actionable claim for invasion of privacy.   Employers contemplating the use of such covert video surveillance should seek advice of counsel. 

National Privacy Law: Major players in the online marketing sphere, such as Microsoft and Google, already have expressed support for a generally-applicable privacy law to preempt a growing number of state laws that impose varying requirements on the collection, use, storage and disclosure of personal information. Whether a federal law emerges governing the collection and use of personal data, including for marketing purposes, is the looming question in the new administration.

Behavioral Advertising: Behavioral advertising -- the practice of tracking of an Internet user’s activities online in order to deliver advertising targeted to an individual consumer’s interests -- which Congress examined extensively over the summer -- should continue to generate interest under an Obama administration. Indeed, the Federal Trade Commission (“FTC”) is expected to announce its final guidance concerning the self-regulation of behavioral advertising even before President-elect Obama takes office in January. We are also likely to see behavioral advertising legislative proposals at the state level, with efforts gaining traction in states like New York, where both Houses are now controlled by the Democrats.

Electronic Health Records: A key component of President-elect Obama’s health care plan is the migration of health care records from paper to more universally accessible forms of electronic media. The incoming president believes strongly that the use of technology will help lower the cost of health care. But as many commentators have suggested, greater accessibility carries greater risk, and the shift toward computerized health records is one area in which President-elect Obama’s aggressive technology and innovation policies may outgrow existing consumer protection safeguards. President-elect Obama’s commitment to providing robust protections against the misuse of this kind of sensitive information likely will require the development of additional, and more broadly-applicable, regulations to shore up existing safeguards provided under the Health Insurance Portability and Accountability Act (“HIPAA”) and other existing legal regimes. 

Data Breach Notification:  Over the past few years, states have been very active passing legislation that requires businesses that retain information about state residents to notify such residents when that information is compromised. Efforts to pass a preemptive national law have stalled largely because of the greater discretion proposed for business regarding the need to notify. That issue will likely continue to impede consensus on a national law, and the state framework is likely to be with us for a while.  

Legislative activity at the state level concerning the protection of personal information, however, is likely to continue as lawmakers try to respond to several high profile information security breaches from previous years. Moreover, as we are seeing in Massachusetts and Connecticut where new data security laws have been passed, we may see a stronger push at the state level toward requiring affirmative steps to protect personal information, rather than just requiring businesses to respond to a breach incident.

More Robust Federal Trade Commission: President-elect Obama plans to enlarge the FTC budget and enforcement power to aid in the implementation of his technology and innovation policies. The FTC’s expanded powers will likely be used to enforce the Commission’s new identity theft Red Flags Rule, which requires financial institutions and creditors to implement comprehensive written identity theft prevention programs by May 1, 2009. The FTC’s decision to extend the original November 1, 2008 compliance deadline for an additional six months portends relatively immediate enforcement activity in Summer 2009 that will help define precisely what is required, and from whom, under the Rule. The push for more enforcement power may also spur the expansion of the FTC’s authority to seek civil penalties and other monetary remedies for violations of the statutes and regulations the Commission enforces.

Location Data & Government Surveillance: President-elect Obama’s desire to develop and better utilize available technologies to create real change in America will likely create some friction in the areas of government surveillance and the collection of location data where the interests of national security and personal privacy diverge. Moreover, the private sector’s collection and use of location data and other “tracking” information to more effectively market to consumers raises concerns on both sides of the aisle since these technologies arguably can be misused to compromise national security or personal privacy. While we expect the Obama administration to back away from the aggressive government surveillance policies and programs implemented by the previous administration in the wake of September 11, 2001, the success of these efforts will require a delicate balance between a strong stance on national security and a shift toward protecting the privacy of Americans at home.

In the first incident, an Aladdin human resources official informed two buffet workers that if they signed the cards and the union were formed, they would have to pay union dues and would not necessarily receive improved benefits. Op. at 1331. The official’s conversation, which involved the buffet workers and representatives of the prospective union, lasted approximately eight minutes. In the second incident, a different Aladdin official informed a housekeeper signing a union card that she “shouldn’t be signing things that she wasn’t sure about,” then departed the scene. Op. at 1332.

Section 7 of the NLRA accords employers the privilege to observe public union activities on company premises, so long as the employer does not take actions that are out of the ordinary. However, Section 8(a)(1) of the NLRA states that “[i]t shall be an unfair labor practice for an employer – (1) to interfere with, restrain, or coerce employees in the exercise of [the right to associate freely and engage in certain speech in order to form unions] guaranteed in section 157 of this title.” 29 U.S.C. § 158(a)(1) (quoted in Op. at 1333). Whether employer observation rises to the level of unlawful and coercive surveillance depends on the circumstances of each case. See Op. at 1333 (quoting The Broadway, 267 N.L.R.B. 385, 400 (1983).

When considering the Aladdin case, the NLRB established a three-part test for determining whether employer observation is coercive: “[i]ndicia of coerciveness include the duration of the observation, the employer’s distance from its employees when observing them, and whether the employer engaged in other coercive behavior during its observation.” Aladdin Gaming, LLC, 345 N.L.R.B. No. 41 at *2. The Ninth Circuit found this test “rational and consistent” with the NLRA. Op. at 1334. Further, the Court found that the NLRB’s “findings of fact [were] supported by substantial evidence” and that “the agency correctly applied the law.” Op. at 1332. The Court therefore denied the petition for review of the NLRB decision.

The January 28, 2008 decision is the second recent decision related to the privacy of union organizers and members. In The Guard Publishing Company d/b/a The Register-Guard, 351 NLRB No. 70 (December 16, 2007), the NLRB determined that an employer may prevent employees from sending union-related communications over work e-mail, so long as such a ban on non-work related communications is equally applied.  For further details on this decision, see the Proskauer Rose Client Alert, located here.