Compliance Guide to Birthdays & Work Anniversary Celebrations

Scott Wolfe

Birthday and work anniversary celebrations are natural and enjoyable. And as we’ve discussed in articles like “How To Make Work Anniversaries Special,” research and anecdotes show that these workplace celebrations play a significant role in shaping workplace culture.

But when birthday and work anniversary celebrations are done at scale — or without thought — they can expose companies to compliance risks.

Why?

First, birthday, anniversary, and other similar celebrations involve “personal data,” which implicates Europe’s GDPR laws and a patchwork of state and federal rules recognizing age and disability sensitivities. And second, public celebrations can trigger discomfort, or even offend religious or cultural norms.

These issues should not stop companies from celebrating. In fact, to me, the compliance factors only underscore that celebrations should be human, seamless, and sincere. The worst thing organizations can do is be artificial — or as this great HBR article calls it, “Carewashing.” Being “compliant” with birthday and anniversary celebrations just means paying attention to actually celebrate, not automate and check a box. Even in big organizations, tools can help them scale to bigger teams while keeping things personal and authentic.

This article reviews the compliance factors and laws related to workplace celebrations. It covers lawful data use, individual control, and a tone that respects differences.

The Personal Data At Issue and Why It Matters

Birthdates, hire dates, employee names, tenure, and photos are all personal data and must be handled lawfully and transparently. Even seemingly innocent recognitions — like a “Happy Birthday” message in Slack or MS Teams — count as “processing personal data.”

European GDPR Rules

Europe’s General Data Protection Regulation (GDPR) has the most explicit rules about the use of this type of data — and remember, these rules apply to United States companies who have clients in the EU or even employees with dual citizenship.

The GDPR has a big tent for what qualifies as “personal data,” including names, birth dates, photos, and more. Basically, anything the employee gives to an employer directly (e.g. birthday) or indirectly (e.g. first day of work) falls into a broad “personal data” category, creating hurdles for organizations who want to use that personal data in any way.

When it comes to birthdays, for example, the GDPR definitely applies.

In Germany, for example, the Bavarian State Office for Data Protection Supervision considers “posting birthday lists to be inadmissible under data protection law” (see: Happy…data protection breach?).

To use personal data under GDPR, companies must have a “legitimate interest,” and conduct a “legitimate interest assessment” test to determine if they can use the personal data.

When it comes to workplace celebrations, some companies presume that “promoting social cohesion in the workplace” is a legitimate interest. But this is not clear. In fact, the Belgian Data Protection Authority recently took the position that “promoting social cohesion” is just a “nice to have,” and not a “need to have,” and thus did not qualify as a legitimate interest (see: Best wishes to employees: consent required?).

Under the GDPR, therefore, at least birthdays are “personal data” that requires careful use, and it’s highly likely that the first date of work qualifies as well.

Fragmented & Opaque United States Rules That Apply

The United States privacy rules are more complicated because they are so fragmented. While the American Data Privacy and Protection Act (ADPPA) is a proposed bill promising to unify privacy considerations, the bill is just lingering in the legislature and there’s no end in sight. This leaves companies in the complicated position of managing cross-cutting and opaque laws. This section provides a breakdown of the regulations in play.

  • GDPR: As mentioned in the prior section, don’t forget that the GDPR applies to many, many US companies. The GDPR applies to any company who has clients in the EU. The GDPR also applies to any company with EU employees, or employees with dual citizenship in an EU country. That’s far-reaching, and especially with respect to the dual-citizenship item, it’s difficult for employers to know whether they are implicated.
  • US Overlapping Protections: The United States does not have a federal privacy law like the GDPR, but it does have a network of different rules and protections that could “catch” the improper use of personal data. The Federal Trade Commission has “Fair Information Practice Principles” that provide some core ideas about personal data collection and use. And federally protected characteristics (like age under the ADEA or disabilities under the ADA) may get implicated with workplace celebrations. For example, consider this $450,000 judgment in Kentucky for an unwanted birthday party that triggered a panic attack.
  • State Rules (California +20): California’s CCPA/CPRA applies to employee data and is the most comprehensive and far-reaching state data privacy law in the United States. Just like the GDPR, it applies to companies outside California who have any ties to the state. Plus, at least 20 other states have chipped in and created “divergent consent standards.”

The good news here? While the United States rules are opaque and fragmented, following best practices (and especially GDPR best practices) should really “catch all” and enable companies to have meaningful, personal, and sincere workplace celebrations without any violations.

How Personal Data or Sensitivities Are Implicated By Workplace Celebrations

“Personal Data” is a big category and incorporates a lot of information like someone’s birth date, age, tenure, photo, likeness, etc. This section provides more context on how this data relates to privacy issues and personal sensitivities. It specifically addresses how the data may be used in workplace celebrations.

  • Birthday Celebrations: The birth date is the personal data item most obviously sensitive. A full birth date shows how old someone is. Some people may feel uncomfortable sharing their age. More importantly, discussing someone’s age can lead to discrimination issues.
  • Work Anniversary Celebrations: The start date of employment comes from HR records (HRIS, contracts, etc.). While it may seem less sensitive than the date of birth, it is still personal data. Further, the employee’s tenure can imply age and implicate age discrimination issues, or anxiety issues.
  • Religious, Holiday, or DEI Celebrations: HRIS systems and other record keeping may collect a person’s ethnicity or religion. Did you know, for example, that some countries actually print religion on someone’s government identification (e.g. in Egypt)? Tagging, mentioning, or directly involving certain people in religious, DEI, or similar celebrations can improperly implicate this personal data.
  • Other Recognition, Like Shoutouts: Finally, while this one is not exactly a “celebration,” there are lots of recognition tools that give kudos, shoutouts, or other recognition. This presents a risk of over-disclosure. Comments can stray into HR-sensitive territory. For example, a medical leave kudos of “Thanks for working through your chemo treatment,” or poorly worded celebrations or kudos could veer into discriminatory language, like “our youngest hire” or “she’s the first woman on our team.”

Finally, there’s always less risk sharing internally, and more risk sharing externally (such as a LinkedIn or social media post). Here is a quick cheatsheet on personal data + workplace celebrations.

| Celebration | Data Involved | Risk | Recommendations |
|---|---|---|---|
| Birthday | Name; DOB; Age | High | Minimize risk by always excluding age, give opt-out path. |
| Work Anniversary | Name; Tenure | Low | Opt-out path; channel targeting; milestone tiering; minimize detail. |
| Religious/DEI | Name; Ethnicity; Religion | High | Minimize detail and singling-out; opt-out path. |
| Shoutouts | Name; free-text | Medium | Moderation and filters; training. |

Ethical & Culture Dilemmas with Celebrations

The law and compliance requirements are really a minimum standard. Organizations should aim to have celebration practices that make their culture stronger for everyone. Celebrations should not harm culture.

How can celebrations harm culture?

Best Practices & How To Get Celebrations Right

There are many data privacy and ethical issues implicated by workplace celebrations. But as we’ve expressed in this article: (1) The issues are small and can easily be managed; and (2) It’s worth managing them because workplace celebrations are an important part of workplace cultures. Here are some best practices to make sure big, growing organizations can make celebrations personal and get them right.

  1. Provide An Opt-Out: This is the best way companies can both get celebrations right and avoid privacy violations. Provide employees with a way to opt-in or opt-out of celebrations. CultureBot is built to enable this type of opt-out, providing all team members a smooth process to opt-in and opt-out of celebrations.
  2. Keep It Internal Without Explicit Consent: Don’t share birthdays, anniversaries, or other celebrations on social media, in newsletters, on a website, or anywhere external without the team member’s explicit consent. Many of the Slack and MS Teams tools in the marketplace are perfect for this, because they’re all captured inside the Slack and Teams environment.
  3. Never Share The Birth Year: This one is simple and it’s a biggie. It’s the most sensitive aspect of all of the private data in play with work celebrations. Never, never, never share the birth year or otherwise reveal someone’s age.
  4. Respect Decisions: Don’t put pressure on people who choose to opt-out. The reasons for opt-out may be simple personal preference or something extremely sensitive. Just respect the decision and accommodate it.
  5. Consider Other SHRM “Do’s”: I love some of the “Do’s” provided by SHRM on this topic in their helpful post, To Celebrate Birthdays At Work Or Not? These “Do’s” emphasize best practices, like:
    • Lunch with a manager
    • Allowing celebrant to take a “personal holiday”
    • Monthly (group) celebrations — the old “Sheet Cake” (also note CultureBot features like group photo collages for month/week celebrants)
    • Virtual birthday cards or boards of messages
    • Surprise decorations at an employee’s desk
Scott Wolfe

Co-Founder & CEO

Former startup founder with 20+ years building high-performance in-person, hybrid, and remote teams. As the Founder and CEO of Levelset, he raised over $46M in venture capital, expanded the team to 400+ members, and orchestrated a $500M sale to Procore (NYSE: PCOR). Currently, Scott is an advisor, board director, and investor to proptech and legaltech startups that deliver transformative solutions to businesses. He's also a co-founder of CultureBot.