HR entrepreneur Mike Coffey, SPHR, SHRM-SCP engages business thought leaders about the strategic, psychological, legal, and practical implications of bringing people together to create value for shareholders, customers, and the community. As an HR consultant, mentor to first-stage businesses through EO’s Accelerator program, and owner of Imperative—Bulletproof Background Screening, Mike is passionate about helping other professionals improve how they recruit, select, and manage their people. Most thirty-minute episodes of Good Morning, HR will be eligible for half a recertification credit for both HRCI and SHRM-certified professionals. Mike is a member of Entrepreneurs Organization (EO) Fort Worth and active with the Texas Association of Business, the Fort Worth Chamber, and Texas SHRM.
Mike Coffey:Good morning, HR. I'm Mike Coffey, president of Imperative, bulletproof background checks with fast and friendly service. And this is the podcast where I talk to business leaders about bringing people together to create value for shareholders, customers, and the community. Please follow, rate, and review Good Morning HR wherever you get your podcast. You can also find us on Facebook, Instagram, YouTube, or at goodmorninghr.com.
Mike Coffey:Many business leaders are familiar with privacy laws like the Health Insurance Portability and Accountability Act, the Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act. Each of those, when they were passed, were groundbreaking and required significant changes to how businesses stored and shared individuals' data. But information about consumers' interactions with businesses (what you buy from Amazon, what you search in Google, or the information you provide in an employment application) has largely been considered the property of the businesses who collect that data. But that's changing. At both the state and federal level, legislators and regulators are taking action to give individuals more control over information concerning themselves.
Mike Coffey:Joining me today to discuss the growing labyrinth of data privacy laws across the United States is Jason Barrett. Jason is an attorney based in Houston, Texas, and he's the principal and founder at JAME Consulting, where he helps clients with issues concerning employment law, intellectual property, and data privacy compliance. Welcome to Good Morning HR, Jason.
Jason Barrett:Thank you so much, Mike. It's great to be here. Thanks for having me.
Mike Coffey:So let's start by painting that big picture. What's driving all this concern about personal data privacy?
Jason Barrett:Well, that's a good question. I think, largely, it's based on a cultural shift, especially here in the United States. I would say that, really, foundationally, Europe has had a quite a significant focus on PII or personally identifiable information going back many years. But it's really only within the last 10 years or so that the US has adopted what I would describe as a more overarching model, like the GDPR, which we'll talk about here probably in in the next few minutes. Over the last few years, the US has really adopted that, and there's really been the result of a cultural shift from corporate owned information to personally owned information and the regulations surrounding that.
Mike Coffey:What do you think is driving that? Why why, why are the politics and the and just kind of the zeitgeist around that changing?
Jason Barrett:I think the stakes are just so much higher. There's so much information out there that's available. There's so many different forms of information. We see on the news so often, Mike, the the data breaches that that are are coming fast and furious. And I think individuals are just, fed up, quite honestly, with it.
Jason Barrett:And and there's a need for and the and the US and other countries have seen the need for more regulation around security and the expectations that companies really need to have imposed upon them to protect that information.
Mike Coffey:So you talked about PII. So is is that, you know, that person identifiable information, is that primarily the kind of information we talk about, or is there other are there other kinds of information? Well, I know there are. So what are the other kinds of, you know, why don't you tell tell us what PII is and then in the the you know, what that sensitive personal information kind of ranges?
Jason Barrett:Sure. I really do think it kinda falls into 2 primary buckets as it relates to these kinds of data privacy laws. There's PII or personally identifiable information. How I describe that typically is anything that you might see on a business card, quite honestly, or on a LinkedIn profile. Someone's name, someone's perhaps their address, even their job title, perhaps any kind of other kinds of location related data that, again, you might just see on a a normal business card.
Jason Barrett:And then, as you move into sensitive personal information that's as it as it would suggest to be, it's information that's a little bit more sensitive, but that individuals, might need to provide their employer or other third parties things like race and religion, genetic data, health or medical information. That's really where you get into that sensitive data. And it's really both of those buckets that are being regulated by these data privacy laws.
Mike Coffey:And so people put so much of that information online already. And with all the data breaches that have happened I mean, I'm a licensed private investigator in addition to being an HR guy. And the databases I mean, you know, in our due diligence projects or even when we're working in employment related background investigation, It's all out there. I can get, you know, just from, you know, you know, relatively low price databases that, you know, I have to have a GLB or a DPPA, a permissible purpose, but it's all there, and it's all been breached at some point.
Mike Coffey:I mean, you know, you can go find my stuff on the dark web. I get alerts from from my credit card companies and all these other sources all the time. So if the horse is out of the barn, just how much do you think the average consumer needs to worry about about their data being breached or, you know, released and used against them?
Jason Barrett:Well, there are to your point, there are so many different notices that we're getting, you know, almost on a daily basis about certain kinds of data breaches. It's available in so many different areas as you said. I do think though, especially relating to kind of the cultural shift that I had mentioned earlier as it relates to employers and their need to be aware of these different laws. I do think that there there is a need, for there to be a real awareness and an education exercise within the employment context. And for individuals, as I said earlier, I think that Europeans in general have been much more sensitive to this and much more aware of this and and focused on their their personal information and being more protective of releasing that information.
Jason Barrett:And I think in the US, in particular, there really needs to be a little bit more protection and a little bit more forethought into the kinds of information that we're generally and have historically just made available, really without asking why. Why do you need this information?
Mike Coffey:Yeah. I mean, every time I go into my doctor's office, they still hand me a, a sheaf of forms to fill out yet again.
Mike Coffey:Right.
Mike Coffey:And they always want my Social Security number. There is no reason for them to know my Social Security number. They got my insurance card. They've got all that, and they're collecting that. And then you can see, you know, just a whole wall of Manila folders back there behind them that aren't locked up.
Mike Coffey:And, you know, you know, every one of those has that Social Security number. So that you know, that's a data breach waiting to happen. And you're right. Europe is you know, we we do work in Europe for for some of our clients, and and the data transfer laws in Europe are really pretty strict. And and the kind of access you have in for to, you know, is pretty pretty challenging.
Mike Coffey:Right? And so a lot of these laws, though, then are really a lot about making the consumers feel better even if maybe their their data's out there. I don't wanna give it have yet another breach. I don't want, you know, I don't want, or or, you know, I don't want people just willy nilly sharing my information all over. There's a well, I think we do have the sense that we've lost a certain amount of privacy.
Mike Coffey:I mean, you know, the the the saying in the early aughts was, you know, privacy is dead. And, you know, I think to a certain extent, that's probably true for most people, but we killed it ourselves. We put all our stuff out there and, and made it available. But when we're talking about these privacy laws, these regulations, they're they kind of categorize people in 3 different buckets. Right?
Mike Coffey:Data controllers, data processors, and then these consumers. Talk about what each of those roles are, who those people are, and and can you know, what does it mean to be a controller versus a processor? Those kind of issues.
Jason Barrett:Sure. And it's a good way to think about it in terms of kind of the the the purpose for which these laws are are set up. So when you think about it and I'm gonna I'm gonna describe it sort of from the context of a of an employment situation. So let's say you're a a company and and you have, those 3 different roles that we talked about. So from a processing side, it might be anyone, for instance, in an HR role, or a third party even that's supporting an organization in terms of employee counts, employee reports, the kinds of information that an organization might have with respect to applicants, with respect to their employees, performance related reviews.
Jason Barrett:So that's kind of the the data we're talking about, really, for the purpose of managing the business. So the processing is really those individuals that are that are tasked with helping to manage the information, share the information potentially, make, reports of that information in that context. The controller, would really be the organization itself, and those that are in a decision making, authority or or position, I should say, to decide how we're gonna use that information as an organization. How are we going to, make use of that information with respect to managing benefits, with respect to payroll, with respect to whatever fill in the blank purpose there might be. It's those controllers that are making that decision.
Jason Barrett:And typically, an organization or the company in this particular context will be thought of as the controller. And you mentioned 1 third term, Mike. Remind me and I Consumers. Yeah. Just the absolutely.
Jason Barrett:Yeah. Consumers. 1st and foremost, I think that's really where these laws have originated from, and it's the primary focus is consumers who are turning over their information for the purpose of receiving services, receiving goods, whatever it might be, credit card companies, etcetera. Consumers are really have have primarily been the focus of these US laws and the European laws historically. But that's shifting a little bit even to the, to the non consumer and to individuals who are, you know, mainly they're providing their information perhaps just for the purpose of getting a job or applying for a job.
Mike Coffey:And so, like, so a data controller would be like an employer who wants to aggregate all their applicant data into a database for statistical purposes, and they decide we're gonna do this. We're gonna pull all the applicants in and come up with some, you know, things about, you know, general maybe we're gonna feed our AI feed into our AI to train train our employee selection process. And so here's all our employee information. Here's what the applicant pool looks like, and we're gonna use it to train the AI. That's the company making that decision.
Mike Coffey:But then that processor, if they if they had an HRS system that made that available, the processor would be the HRS system. Is that or or where
Jason Barrett:the yes. I think the individuals maybe that are
Mike Coffey:Putting that data.
Jason Barrett:Within that data data data entry or or exporting reports or whatever it might be, would generally be considered your process.
Mike Coffey:Okay. But I
Jason Barrett:think the HRIS system or and or those that manage that system would be the best, example of a processor from the the employer perspective.
Mike Coffey:So when we talk about GDPR then in the EU, the general data protection regulation, what does it say? How does it control, how that information gets used?
Jason Barrett:Well, I think one thing to think about in terms of the GDPR because it's really followed through with some of these US laws. GDPR is really based on 7 foundational principles. It's sort of the purpose for which the this law that law was put in place and and the US laws have followed. There's a principle of limiting the purposes for which a particular organization might be using information or use it for the the limited purpose for which you need it. In a similar vein, there's data minimization, which is only use that data that you absolutely positively need, not throwing everything in the kitchen sink into that data repository.
Jason Barrett:There are the principles of accountability, you know, who ultimately is accountable for managing this data, securing the data. And then on a similar vein, confidentiality and security, that's one of the principles as well as limitation, figuring out how an organization is gonna dispose of that data once it's it's brought into the fold. How an or how an individual can be sure that that data is accurate. So accuracy is another foundational principle. And then finally, it's the lawfulness piece is, are you using this data for the purpose, that's for a purpose that is lawful and for which I've provided it to you to use?
Mike Coffey:And in the employment context, that would be in order to be evaluated as employee, to be hired, to be managed as an employee. What would some uses that an employer might not think of that might fall outside that they may, you know, have thought they could use the information for that might fall outside of that narrow, you know, scope?
Jason Barrett:Sure. So I think, you know, probably that consumer example is is a good example. A lot of individuals, when they're applying for a job, when they're knowing that their organization is gonna need to have their information for purposes of managing payroll benefits, etcetera, those those those obvious purposes. But let's say an employer decides that they're gonna they're gonna have a collaborative partnership with some kind of a third party insurance provider, that wants to make available, a certain tool or resource to that employee population that's really not within the the primary business practice or relationship of the employer in that in that third party. It's an add on, if you will.
Jason Barrett:That can kinda get into that category, really, of of something that was turned over by an individual for the purpose of HR management only that then moved over into a little bit more of a consumer practice if their employer makes that decision to, make their the employee roster available to third parties outside of the context that that primary relationship is based upon.
Mike Coffey:And so what are the so that's Europe and except to the extent that a a US well, let me ask. Let's say we got a US or an EU citizen who's here on a visa and is working in the US. Does GDPR have any impact on employers who are US based for an employee who's currently US based?
Jason Barrett:I would say yes. Now, admittedly, my my approach has always been pretty conservative when you think about the the global operations of an organization. And so I I would think about it more from the standpoint of where where are you operating from a global perspective, not necessarily well, we only have individuals based in the US and therefore, we probably don't need to think about GDPR. If you are operating and you have a business, that extends outside of the US, even if your employees are are sitting only in the US, I think you absolutely need to be familiar with GDPR, and you need to make sure that you're following the different protocols because of of how you're operating on a global basis, including within the EU or the UK.
Mike Coffey:And you talked about the 7 pillars of, like, the GDPR's data privacy framework. As far as the at the federal level in the US, what rules do we have in place right now? I mean, we I mentioned HIPAA and GLBA and DPPA, the Fair Credit Reporting Act, when those are all all about, you know, protecting people's personal data, are there other laws at the federal level, or are we mostly dealing with it at this more at the state level in the US?
Jason Barrett:Well, of course, as you mentioned, there's the industry or sector specific laws that we're all pretty familiar with with HIPAA, the FCRA, the Gramm-Leach-Bliley Act. There's the Federal Trade Commission that, by and large, has been the federal enforcement body as it relates to data privacy on on things like children's information, telemarketing rules, etcetera. As you've moved over the years, more and more states have adopted what I would describe as probably focused laws, initially, for instance, like in Illinois and Texas, as an example, you you have biometric privacy act laws. A lot of people weren't familiar with the Texas law until there was a very recent large enforcement, action, by the Texas attorney general. And that particular biometric identifier act from Texas goes back to 2009.
Jason Barrett:So that was an early adopter. I guess Texas could be seen to be an early adopter in that capacity. So it's really kinda spanned and and made a transition from industry sector specific laws of the kinds that we were mentioning, now into more state specific laws that are drilling down into a little bit more detail on how organizations are are using information either biometric data or that PII and sensitive data that we talked about earlier.
Mike Coffey:And let's take a quick break. Good Morning, HR is brought to you by Imperative, bulletproof background checks with fast and friendly service. 25 years ago, I founded Imperative to help risk averse clients make well informed decisions about the people they involve in their business. Because we don't cut corners, our research is more thorough, and our reporting more robust, our clients make better hiring decisions.
Mike Coffey:However, employers often don't know what to ask beyond price when evaluating a background screening partner. So we've compiled a short list of 6 questions that you should ask any prospective screening partner, including Imperative, to ensure that you understand what they're really trying to sell you. These questions identify the most common ways background check companies cut corners that impact the quality, accuracy, and depth of the information they provide employers. You can review the 6 questions you should ask of your background check partner at imperativeinfo.com/6. And of course, you can always reach out to Imperative to discuss your background check process through our website at imperativeinfo.com.
Mike Coffey:If you're an HRCI or SHRM certified professional, this episode of Good Morning HR has been pre approved for 1 half hour of recertification credit. To obtain the recertification information, visit goodmorninghr.com and click on research credits. Then select episode 178 and enter the keyword data. That's d a t a. And now back to my conversation with Jason Barrett.
Mike Coffey:Talk about the Texas biometric law. What is it what does it entail, and and how how does it really affect employers?
Jason Barrett:Yeah. So it really kinda goes to making sure that organizations or anybody that's collecting biometric data could be face ID type information, could be, fingerprints, etcetera, things of that nature. It goes in and it regulates how, organizations are using that and the kinds of information that needs to be provided to those individuals before you collect it. That particular case was pretty interesting that came down. It's actually had gone back quite a few years, but it was a $1,400,000,000 settlement that the Texas attorney general entered into with Meta, that goes back quite a few years.
Jason Barrett:And then there's another lawsuit that's pending under the similar law, the same law, I should say, with Google right now.
Mike Coffey:And that probably surprises people. What how is Meta how are Meta and Google collecting my biometric information?
Jason Barrett:Right. So that's that's the thing, because I think they were not they had not been transparent with how they're doing that. And and that was one of the the findings, as I understand in the law and in the penalty.
Jason Barrett:And so much about these laws is about transparency. If you're gonna collect this particular kinds of data, you need to let people know. You need to tell them how you're collecting it, why you're collecting it, and and the and the use of that data.
Mike Coffey:And that's so they were just what were they they were just collecting what my face looks like? And, is that is that primarily what the biometric information was? Or
Jason Barrett:Yeah. I think in that particular case, I would need to go back and look at all the the dig beneath the surface on all the the details of that one. But but it was kind of a land landmark type ruling, that relates to information that they were really collecting without notifying people.
Mike Coffey:And so now they're probably notifying us and we're click click click click. Yes. Yes. Yes. Accept accept accept and moving right past it anyway, but at least now they're telling us.
Mike Coffey:Right. Interesting. So, you know, Texas and California are at opposite ends of the political spectrum pretty much. But, I mean, certainly in the last legislative session, Texas had some privacy bills and I we know the session starts again in January. And I know the State Chamber of Commerce, the Texas Association of Business has been working for the last 2 years with Representative Capriglione's office and other legislators around their, you know, privacy law part 2 from, you know, following up from last session. And then California obviously has had a lot of issues, on on the privacy front too.
Mike Coffey:What are typical, you know, state level privacy things that you see are kind of cutting edge between Cal you know, California, Texas, Florida, whoever else is having those? What do you think we're gonna be dealing with in the next few years?
Jason Barrett:Well, I think the Texas attorney general, for 1, has kinda signaled with that particular finding that we just talked about that they're gonna be aggressive. And there was a recent conference where they they all but said, you know, get ready. We're gonna be looking to enforce these particular laws, including the Texas Data Privacy and Security Act. There's also the Texas Data Broker Act that went into place more recently, and that's more focused on consumers as we were talking about earlier, and organizations that collect information really for the sole purpose of monetizing that particular that that set of information. But I think, probably, the the primary focus area is going to be what kind of notifications, what kind of communications, and transparency are organizations that collect this information providing to consumers or to the individuals or the data subjects that they're collecting.
Jason Barrett:It's gonna be really key that, those notifications are made. There's privacy policies that are communicated that individuals are given the opportunity to to opt in as it relates to the collection of that information, especially on the on the consumer side. But I think it's gonna be primarily a focus on communication, transparency, and notification as it relates to any individual, whether they're employee or a consumer, turning over that information.
Mike Coffey:And I think the Texas Data Privacy and Security Act exempts, if and correct me if I'm wrong, I'm thinking that from the you know, remembering the conversations during session, is that it exempts information that's gathered and used by for employment by employers. Is is is that right? Or
Jason Barrett:There is an exemption if it's if it's truly just used for for processing for employment compensation, etcetera. California had a similar exemption, but that sun that, was sunset, with the with the the newer law that went into place, which was kinda took folks by surprise. There are other exemptions under Texas law, including organizations that are nonprofit, small businesses, as an example, as defined under the Small Business Act, as well as other organizations that might already be regulated under laws like HIPAA, or some of the banking and consumer laws. And so with the idea being pretty straightforward that you don't wanna duplicate or overreach in terms of organizations that are already covered by some of those other laws. But so there are exemptions in in those particular cases.
Mike Coffey:But that doesn't mean that an employer who has employee you know, applicant information or employee information can just go sell that information, that PII, or that sensitive data about their employees to a third party for marketing purposes or whatever else. Right?
Jason Barrett:That's correct. Yeah. I think that's still gonna potentially be something that might be covered under the Texas Data Broker Act if you're moving into territory that was previously really just collecting for the purposes of HR administration, and then you're moving it into a little bit more of a, monetize monetization exercise, that's gonna be a a pretty high risk scenario in in especially with these new laws. So
Mike Coffey:if we're dealing with let's say we're a Texas based company, we're dealing with a consumer who lives in Iowa, which state's data privacy laws apply in those circumstances? If you get 2 states with different or California and Texas for that matter, 2 states with different laws, How how does an employer know when you know, which laws apply? Is it you know, if if I'm if I'm considering it, let's start with the applicant who lives in in California is moving to Texas for the job if they get the job. Does California's privacy law apply to them, because they're, resident of California or just Texas?
Jason Barrett:I would take the approach, of both. Really need to look at out of an abundance of caution both because there are so many different things that are the same about these laws, but there's also some overlapping, implications as well. And the other thing, certainly, if you look at it from the perspective of where an applicant or an employee is based, yes, that's one differentiating factor, but you also have to look at whether your organization has operations. If you have an organization that, you know, might have employees in 6, 7, 8 different states, but operations in 47 or 48 different states, you know, you really have to look at how those particular states interact with each other in terms of data privacy laws and other other aspects that might regulate that particular data privacy matter.
Mike Coffey:So you're looking kind of at the, to be safe, the lowest common denominator or the most strict rules and just applying that?
Jason Barrett:Absolutely. And that that's kind of, you know, the approach that I've taken in in my my history with different organizations that I've worked for is we recognized that, okay, well, wow, we operate in these however many different countries. Where do we start? Where do we begin? How do we look at this from a from a, compliance standpoint?
Jason Barrett:And what we ended up doing was kind of to your point, we looked at what's the most, prescriptive, what's the most overarching and and broadest regulatory regime that we might be operating in. And if we can comply with those particular laws and regulations, then we feel comfortable that we're gonna be in a much better position globally.
Mike Coffey:So if I'm an HR leader or just a a the the, you know, the business who has these employees, I probably have information in a bunch of different silos. Right? I've got applicant tracking information, then I've got, you know, employee information in my HRS, maybe I've got a separate payroll provider who's got employee information. Maybe, you know, my benefits or, you know, I have you know, I've got a system, for managing our health insurance that maybe my broker provides. How keeping track of what data is where and and how we're categorizing it, are there best practices to kind of get your arms around where the data is and making sure that you've got some accountability for it?
Jason Barrett:Absolutely. And one thing that I would recommend is that whomever is going to be responsible for your data privacy, your data protection in your organization really takes a deep dive into understanding really, it's the who, what, when, where, why, and how of data within the organization. And and in terms of the where, as you were mentioning earlier, there could be many different applications, many different storage facilities, etcetera, where this data is housed. And so probably early on, if an organization hasn't started to do this, and especially if they're growing by acquisition, you've got multiple, other third party companies that are now becoming part of your organization that might have different systems, might have different individuals that have been responsible for this. I would say start there is really try to come up with the the data mapping as best you can for what data you hold, why you hold it, and who has responsibility for it.
Jason Barrett:And then certainly, to your point, you have to know where it's stored, for purposes of of putting the best data privacy regulations in place.
Mike Coffey:Because of the data providers we work with on the background investigation side of our business, the, you know, one of the things that we see a lot is that certain data we keep data in certain different states, you know, that we've got data that's active then we've got data that is for all intents and purposes will probably not ever need to access. We've never needed to access before, but we keep it for up to 7 years for litigation purposes, and that's, you know, in an archive state. And then at some point after that, depending on what the data is, we may delete it altogether and not record it. Do the laws address that, or is are those just kind of standard practices or best practices for for deciding what information to keep on hand and where to keep it?
Jason Barrett:Well, the the laws address that in, I guess, 2 ways. 1 is putting requirements out there that share and provide notice to individuals or data subjects on why the information is being collected. And then the second kinda goes back to one of those foundational principle principles that I mentioned earlier with the GDPR that's followed through with these US laws, and that's the principle of data minimization. Only maintain that amount of data. The question that some of these regulatory authorities will ask is are you only maintaining the data that you absolutely need?
Jason Barrett:Not the nice to have data, but also, you know, the have to have. You know, primarily looking at that from a data minimization perspective. So you might have information that, to your point, that's spread out all over different states, perhaps all over different applications. But there's really a need to do a deeper dive and analysis of the data minimization piece and, you know, who has access to that information.
Mike Coffey:One of the things I know GDPR gives consumers or individuals is the right to in some cases, the right to be forgotten and in other cases, just the right to have access to know what's being stored. Do we have any of those kind of rights, in the US?
Jason Barrett:Yes. Yeah. Similar rights have transferred over into these US laws. There's the rights to some of which you mentioned, the rights to access. If I'm an individual, how do I access my information?
Jason Barrett:Where are you holding it? How do I correct it? How do I take it with me? You know, if I'm leaving the organization, I wanna make sure that it's coming with me and that there's not an unnecessary need for the information to be retained for too long of a period of time. There's also these rights of notification of how the information can be deleted and who has access to the information.
Jason Barrett:So these notification rights have really transferred over into the US data privacy laws as well.
Mike Coffey:And from an employer point of view, I mean, the answer, except with the exception of a few states, when an employee wants a copy of their employee file, the answer's always been that's employer's property. No. You can't have a copy of your you know, especially a departing employer. Has that changed under any of these laws?
Jason Barrett:To some extent, I would say that generally speaking that an employer can still say, look. That's our employee file. Yes. It's your information, but that's information, and that's a file that we need for purposes of processing employment, including someone who's leaving the organization. Now, where things may have changed a little bit is there can be a data access request under most of these laws where someone can come forward whether they're moving on or whether they're still with the company, they can make a data access request to say to their employer, look, I wanna see what information you have on me.
Jason Barrett:And there's nothing that says that an employer can't say, fine. Come into this office. Have a look at the information. It doesn't necessarily mean you have to, you know, make a copy of all of their files and provide it over to them if you're concerned in that respect. I do think the companies need to be more aware of those kinds of protections under the US data privacy laws.
Jason Barrett:Because it's a little bit of a new scenario. Typically, in the US, that would really only come up in the context of litigation where someone might be suing the company. It's a third party subpoena that comes in through an attorney. But in this case, with these laws, it can be the individual themselves, him or herself, making that request for information. And it's important to make sure that organizations know who's gonna be the point of contact and what are the different do's and don'ts as it relates to those requests.
Mike Coffey:And right now, that would be a state by state basis. Right? Figuring out what the applicable laws wherever you are. So if you're in Texas, you have to look at Texas, data privacy act versus California's multiple acts or Virginia or wherever you are and try to figure that out, as an employer, which is, you know, the problem with, you know, a federal system where we got 50 states regulating issues, it's harder for employers who are operating in multiple states to know exactly what they need to do. That's right.
Jason Barrett:That's right.
Mike Coffey:But I brought up AI earlier, and let's end with this because it's, you know, we can't talk about anything today without bringing up AI. So what do you think the impact of AI is going to be, on data privacy? Do we you know, you know, we want all this data to train these large language models and all of that, but, obviously, nobody wants their data train they wanna use the tools, but they don't want their data in there training the tools. Right. So where do you think that's going?
Mike Coffey:What are you seeing on the AI front? I know California's had a lot of concerns, but Governor Newsom vetoed their AI bill this week. So what do you think is gonna happen with AI?
Jason Barrett:Well, I think to your point, AI is most definitely here to stay. So it's a matter of, you know, how do we manage that. Somewhat like we were talking about in terms of the GDPR making its way to the US, I think the EU and the UK right now are kind of at the forefront as it relates to putting regulations in place for AI. There are some laws that have been passed over there, and I'd say some best practices. The states have not yet made to your point, you know, California, again, kind of being the pioneer as it related to the GDPR moving over into their state law.
Jason Barrett:I would expect, you know, they'd probably be leading the way in many respects as in terms of the laws for AI over in the US. I think that there are so many states considering that right now and things being considered at the federal level as well. I think companies realistically, we know that they're going to wanna continue to leverage AI. I think it's just a matter of keeping those same foundational principles that we talked about earlier at the forefront of your mind in terms of making sure that you're, again, you're maintaining it for the right purposes, that you're allowing employees to know what is being collected, and that you're being very transparent with your employees and then on the consumer side with consumers about the kinds of information and the purposes for which it's being collected and managed.
Mike Coffey:Well, great. Well, that's all the time we have. Thanks for joining me, Jason.
Jason Barrett:Thank you for having me. I really appreciate it.
Mike Coffey:And thank you for listening. You can comment on this episode or search our previous episodes at goodmorninghr.com or on Facebook, Instagram, or YouTube. And don't forget to follow us wherever you get your podcast. Rob Upchurch is our technical producer, and you can reach him at robmakespods.com. And thank you to Imperative's marketing coordinator, Mary Anne Hernandez, who keeps the trains running on time.
Mike Coffey:And I'm Mike Coffey. As always, don't hesitate to reach out if I can be of service to you personally or professionally. I'll see you next week, and until then, be well, do good, and keep your chin up.