The good news is that in the U.S, diversity and inclusion initiatives are squarely within the bounds of applicable privacy and employment laws. That said, there are legal risks that should be carefully considered when collecting certain types of diversity information when that information is associated with an individual.

From a privacy law perspective, there are no U.S. privacy laws that strictly prevent organisations from collecting or using diversity information from employees or job applicants. However, there are certain legal risks under consumer protection laws and California privacy law that should be taken into account.

• Federal Trade Commission ('FTC') and state consumer protection authority. Section 5 of the FTC Act of 1914 prohibits unfair or deceptive acts or practices in or affecting commerce, and all states have enacted similar consumer protection laws. In its 2012 report on 'Protecting Consumer Privacy in an Era of Rapid Change', the FTC set forth the general principle that companies should obtain consumers' affirmative express consent before collecting 'sensitive' data, a category that might be construed to include diversity information. The FTC also has signaled through recent guidance that it considers a business' use of personal information in a way that results in biased outcomes to be an 'unfair' practice that causes harm to consumers, creating risks if diversity information is used to make certain employment decisions about individual employees.
• California privacy law. The California Consumer Privacy Act of 2018 ('CCPA') applies to the personal information of 'consumers', but that term is defined very broadly to mean any natural person who is a California resident, including employees. Until 2023, the CCPA contains a partial exemption for 'employment-related information', which: (i) removes most of the CCPA's compliance obligations except for the requirement to provide a notice to consumers at or before the point of collection of their personal information; and (ii) preserves a private right of action for data breaches. This partial exemption specifically applies to personal information collected by a business about job applicants, employees, officers, and contractors to the extent the information is collected and used solely within the context of the individual's role as an applicant, employee, officer, or contractor. Notably, personal information collected outside the scope of a California resident's role as an employee/applicant does not fall within this exemption, so data collected from pre-candidates (i.e., those who have not yet applied for a position) may not be subject to this exemption.

A picture then starts to emerge that while U.S. privacy laws are not an impediment to the collection of diversity and inclusion information, there are risks in collecting this information about individuals without their notice and consent.

This set of risks is similar under U.S. employment laws. Federal regulations encourage the collection of certain diversity information, requiring companies with 100 or more workers to file reports containing certain information about the demographic composition of their workforce. However, it is a best practice for employers to request this information on an anonymous basis, separately from other employment or application information.

Even when collected anonymously, there are risks that organisations should consider under U.S. employment laws before collecting diversity information.

In general, there is always a risk that an organisation's solicitation of diversity or other demographic-based information in employment situations will be presumed to be used by the organisation as a basis for making a selection decision. Consequently, if members of minority groups are excluded from employment opportunities or are adversely impacted by a hiring, retention, or promotion decision, those individuals may take the position that any preceding request for diversity information was used to discriminate against them, placing a burden on the organisation to contest the allegations.

That said, if an employer legitimately wishes to use information about its employees or applicants for diversity and inclusion purposes, there are several methods the employer may use to enable them to acquire the necessary information and simultaneously defend themselves against charges of discriminatory or biased selection. For instance, when an applicant's diversity characteristic is noted separately from the actual job application, courts generally have found that anti-discrimination laws are not violated because the person screening the application (and therefore making the employment decision) is unaware of the particular diversity characteristic. Organisations, therefore, can help avoid this risk by preventing those making hiring or promotion decisions from being able to review diversity characteristics. Similarly, requests related to disability status may require that such information is kept separate from employee personnel files to prevent the information from being used in a discriminatory manner.

One other way to avoid these risks is to collect diversity information anonymously, separately from other employment or application information, and to de-identify it whenever possible. The U.S. Equal Employment Opportunity Commission recommends anonymous self-reporting, as well as that:

• employers should re-survey employees periodically or request that employees update their information on an intranet page to keep it accurate and up-to-date; and
• employers should allow employees to self-identify, and not question the self-identification even if they believe the employee to be of a different race or ethnicity.

Overall, it can be difficult to navigate privacy, employment, and anti-discrimination law risks, given that the information needed for diversity and inclusion initiatives can create liability in and of itself. To help mitigate these legal risks, organisations should consider the following additional best practices when collecting diversity information for these initiatives:

• Conduct a privacy impact assessment for different initiatives, making sure that any new use of data is not going to create risk of harm or bias to applicants or employees.
• Provide clear notice to your applicants and workforce about what diversity information you are collecting, how the organisation uses diversity information, and for how long it is retained.
• Avoid surprises about your uses of diversity information that could impair your workforce's trust and raise the likelihood of complaints.
• If consent is the basis for collection, allow employees to withdraw that consent and inform them of that right.
• Restrict access to sensitive diversity data to only individuals necessary within the organisation, and away from those making hiring decisions.
• For diversity metrics requiring only de-identified data, aggregate data and discard records of individual diversity classifications as soon as possible.
• Implement a written policy for the treatment of diversity information to have a clear record of your practices, and train relevant employees on how to follow the policy.

Bret Cohen Partner
[email protected]
Hogan Lovells, Washington, D.C.