+1.877.796.2559 | Investors|

July 2017 Privacy Summary

By Nicolas Dufour | Aug 1, 2017 | Screening Compliance Update

Federal Developments

New Form I-9
A new Employment Eligibility Verification form (aka the Form I-9) will be issued this month. Homeland Security says the date is July 17, 2017, with an effective date of September 17, 2017. In a nutshell the new form will (i) update List C to reflect the most current version of the certification or report of birth issued by the Department of State; (ii) make a change to the form’s instructions to remove “the end of” when describing the day on which Form I-9 completion is required; and (iii) make a revision to the name of the Department of Justice’s Office of Special Counsel for Immigration-Related Unfair Employment Practices to call it by its new name, the Immigrant and Employee Rights Section (IER). For Form I-9 geeks like me that track this stuff, the International Entrepreneur Final Rule which was supposed to be part of the changes to the Form I-9 is being delayed until March 14, 2018. Otherwise, that would have been reflected in the revised Form I-9.
http://www.jdsupra.com/legalnews/compliance-news-flash-74223
https://www.federalregister.gov/documents/2017/07/11/2017-14619/international-entrepreneur-rule-delay-of-effective-date
Also from same author, see blog entitled “How Compliant is Your Company with the Form I-9 Requirements?” http://www.workforcecomplianceinsights.com/2017/07/11/how-compliant-is-your-company-with-the-form-i-9-requirements/

Court Cases

Disneyland Job Applicant Granted Class Certification in FCRA Lawsuit
Disneyland must now face two certified Classes of job applicants who claim their background checks did not comply with the Fair Credit Reporting Act. California Superior Court Judge Ann I. Jones granted the plaintiffs’ motion for class certification on Thursday. The two plaintiffs claim Disneyland has made hundreds of adverse employment decisions based on job applicants’ background check reports without giving those applicants the proper notifications required under the federal Fair Credit Reporting Act, or FCRA. Culberson says he was denied employment at Disneyland after a background check erroneously showed he was convicted of battery in 2010. The actual conviction date was in 1998, he says, and 2010 was the date the conviction was expunged from his record. Without proper notice, he was unable to correct the error before Disneyland denied him employment, he claims. The FCRA provisions at issue here require prospective employers to make certain disclosures to job applicants so that they will have a reasonable chance to contest any erroneous information contained in their background check report. Under the act, when a potential employer uses a “consumer report” to evaluate a job applicant, the employer must give the applicant a copy of the report and a notice of their rights under the FCRA before taking any adverse action based on the report’s contents. Culberson and Joseph claim Disneyland has been violating this FCRA provision by sending the required notice to applicants after making a “No Hire” determination, instead of before. The FCRA also prohibits a prospective employer from procuring a consumer report on an applicant without first disclosing to the applicant that such a report may be obtained for employment purposes. This disclosure must be “clear and conspicuous” and provided in a stand-alone written document that consists solely of the disclosure itself. According to Culberson and Joseph, the disclosure form that Disneyland offered to its applicants contained extraneous information that by law should not have been there. That extra information supposedly included a purported waiver of liability, requiring the applicant to accept that “all employment decisions are based on legitimate non-discriminatory reasons.” Judge Jones’s order certifies two different Classes, each of which covers Disneyland job applicants who were affected under one of the two FCRA provisions at issue. Class Members from both Classes will be U.S. residents who were the subject of a report that Disneyland solicited for employment purposes from Sterling Infosystems Inc. between Nov. 1, 2011 and the present. The “Pre-Adverse Action Notice Class” will include all such persons who were subject to a “No Hire” recommendation made on the basis of the contents of that report. The “Defective Disclosure Class” will cover persons who were the subject of these reports and who executed a consent form identical to the one at issue. The Disneyland Background Check FCRA Class Action Lawsuit is Roger L. Culberson II and Edward Joseph III v. The Walt Disney Co., Case No. BC526351, in the Superior Court of the State of California, County of Los Angeles.
https://topclassactions.com/lawsuit-settlements/lawsuit-news/814236-disneyland-job-applicants-granted-class-cert-fcra-lawsuit/

Texas FCRA Class Action
The Northern District of Texas recently weighed in on the proper application of Article III standing requirements in light of the Supreme Court’s 2016 decision in Spokeo, Inc. v. Robins, 136 S.Ct. 1540 (2016), and delivered a win to employers in Fair Credit Reporting Act (FCRA) cases. In Dyson v. Sky Chefs, Inc., 2017 WL 2618946 (N.D. Tex. June 16, 2017), the court held that the plaintiff in a putative class action who alleged the improper inclusion of “extraneous” information in a FCRA disclosure, lacked Article III standing. The employer’s document did not “consist solely of the disclosure” because it contained: (a) an “ongoing authorization” clause; (2) state and municipal law notices; (3) a summary of rights; and (4) a legal disclaimer. While the employer’s disclosure was not a standalone document (as required by the statute) it provided the plaintiff with all of the statutorily-required information. The employer moved to dismiss the action, contending that the inclusion of extraneous information was a procedural rather than a substantive violation and thus did not constitute injury in fact. The court agreed, concluding that the plaintiff did not allege a concrete informational or privacy-based injury. In reaching this conclusion, the court distinguished the substantive right to information from the procedural right to receive it in a specified format, and made clear that the allegations in Dyson fell squarely in the latter box: “Plaintiff does not allege that he did not receive a disclosure or that he failed to understand it, he just attacks the fact that it wasn’t on its own sheet of paper. Where…plaintiffs do not allege that they did not see the disclosure, or were distracted from it, the allegations amount to no more than a bare procedural violation of the stand-alone requirement…Plaintiff’s allegations therefore do not confer standing on an informational injury theory.” The court also rejected the contention that the employer obtained the background check with “no legal right to do so” and thus caused a privacy-based injury. Embracing the principle that violating the standalone disclosure requirement necessarily renders the background check unauthorized would “negate the entire procedural/substantive distinction” articulated in Spokeo. According to the court, the existence of a privacy and informational injury in a FCRA case turns on the same central question: whether the plaintiff received the requisite information (even if provided in an improper format) prior to knowingly authorizing the background check. Because the plaintiff signed the authorization and did not claim ignorance regarding its content or import, he did not allege an invasion of privacy. Courts throughout the country continue to wrestle with the impact of the Supreme Court’s decision in Spokeo and are reaching divergent conclusions. Indeed, the Dyson court explicitly declined to follow a recent contrary decision from a Virginia federal court.

Courts Approve $950,000 FCRA Class Action Settlement Against McDonald’s
On March 15, 2017, the United States District Court for the Central District of California granted final approval of a Fair Credit Reporting Act class action against fast food restaurant McDonald’s. The named plaintiff, James Wesley Carter, originally brought the action against McDonald’s in July 2015 alleging that McDonald’s violates the rights of consumers by failing to provide job applicants with a clear and conspicuous disclosure, in a document consisting solely of the disclosure, that a consumer report may be obtained for employment purposes, in violation of section 1681b(b)(2) of the FCRA. The settlement class includes all employees or applications for employment at a McDonald’s restaurant to whom McDonald’s did not provide the clear and conspicuous stand-alone disclosure required, from July 29, 2013 and continuing through the final resolution of this case. The settlement agreement provides for both monetary and injunctive relief. McDonald’s has agreed to pay $950,000 to class members and has also ceased obtaining background reports on employment applicants as of November 12, 2015. This settlement is the latest in a string of class actions alleging that an employer failed to provide the required disclosure to job applicants. For instance, Food Lion agreed to a $3 million settlement in March 2015 for the company’s failure to include a stand-alone disclosure. Publix Super Markets likewise settled a class action for $6.8 million in October 2014, for the grocer’s alleged failure to include the proper disclosure. This technical FCRA requirement continues to be a specific target for class action plaintiffs.
http://www.consumerfinancialserviceslawmonitor.com/2017/03/courts-approve-950000-fcra-class-action-settlement-against-mcdonalds/?utm_source=Mondaq&utm_medium=syndication&utm_campaign=View-Original

Are Employers Going to be Required to Accommodate Medical Marijuana Use?
State-registered medical cannabis patients may now sue a private employer for discrimination under Massachusetts’ law if they are fired for their off-the-job marijuana use, according to landmark ruling issued July 17, 2017, by the Massachusetts Supreme Judicial Court. Citing the Massachusetts Medical Marijuana Act, the court states that patients shall not be denied “any right or privilege” due to marijuana use. The Massachusetts Medical Marijuana Act, passed in 2012, states that “qualifying patients” should not be punished under state law for medical use of marijuana. In Barbuto v. Advantage Sales and Marketing LLC, the plaintiff, Cristina Barbuto, accused the company of discrimination. She had accepted a position with Advantage Sales and Marketing in 2014. Barbuto suffers from Crohn’s disease, a gastrointestinal condition that can cause weight loss. As a result of her condition, Barbuto has “little or no appetite,” and struggles to maintain her weight, something made easier with marijuana use, according to court documents. After one day of promoting products in a supermarket, Barbuto was fired after she was informed by human resources that she did not pass the drug test and that the company follows federal, not state law. Advantage Sales and Marketing argued that Barbuto did not make her handicapped status clear and—even if it had been clear—she still would have been terminated as all employees are required to pass a drug test, but the court didn’t agree. “One generally would expect an employer not to interfere with the employee taking such medication, or to terminate her because she took it,” the Massachusetts Supreme Judicial Court opined. “By the defendants’ logic, a company that barred the use of insulin by its employees in accordance with a company policy would not be discriminating against diabetics because of their handicap, but would simply be implementing a company policy prohibiting the use of a medication.” The court stated it is “not facially unreasonable” for employers to make exceptions to their substance abuse policies in instances where employees are using cannabis at home to treat a debilitating condition. “The fact that the employee’s possession of medical marijuana is in violation of federal law does not make it per se unreasonable as an accommodation.” The unanimous verdict reverses a lower court decision and is contrary to rulings in California, Colorado, Oregon and Washington. In each of those states, the supreme courts ruled that employees had no legal protections if they were fired without cause for their state-sanctioned use of medical cannabis. However, the medical marijuana laws of the following states do contain anti-discrimination or reasonable accommodation provisions: Arizona, Connecticut, Delaware, Illinois, Maine, Minnesota, Nevada, New York, Pennsylvania and Rhode Island. In other states, the statute explicitly provides no protection or is silent. None of these laws require employers to allow workers to use marijuana during work. Workers can still be drug tested and fired for failing a drug test if it is not part of an approved treatment plan for a medical condition. Employers should be cautious when making any adverse decisions related to an employee’s use of medical marijuana. Seek legal counsel from Squire Patton Boggs for the latest updates effecting your state.
http://www.lexology.com/library/detail.aspx?g=c37b47e5-f2dd-43ea-a2ff-1f08e339fdf5&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2017-07-20&utm_term

Cannabis at Work: An Update for Employers
The legalization of cannabis in California raises significant questions as to whether employers can enforce policies prohibiting cannabis use by employees. Recent California legislation provides employers with the right to do so, even if the employees’ use occurs outside of work and does not impair performance. Generally, an employer’s anti-cannabis policy should explain why the restriction promotes the legitimate business interests of the company. However, cannabis businesses must be careful when drafting such policies to comply with applicable regulations without self-imposing liability on the employer. California legalized the use of marijuana for medical purposes under the Compassionate Use Act of 1996. Health & Safety Code §11362.5. In November 2016, Californians passed Proposition 64, also known as the Adult Use of Marijuana Act (AUMA), a ballot measure allowing the possession and use of moderate amounts of marijuana for recreational purposes. In June 2017, California enacted the Medical and Adult-Use Cannabis Regulation and Safety Act (MAUCRSA), which effectively repealed the Medical Marijuana Regulation and Safety Act. AUMA and MAUCRSA both favor employers to impose anti-marijuana policies. One of the enumerated purposes of Proposition 64 is to “allow public and private employers to enact and enforce workplace policies pertaining to marijuana.” AUMA §3(r). MAUCRSA expressly states that the legalization of cannabis use does not (i) restrict the rights of employers to maintain a drug free workspace, (ii) require an employer to permit or accommodate cannabis use in the workplace, or (iii) affect the ability of employers to have policies prohibiting the use of cannabis by employees and prospective employees. See MAUCRSA §133, amending Health & Safety Code §11362.45. These statutes align with the position taken by the California Supreme Court. In Loder v. City of Glendale (1997) 14 Cal. 4th 846, the court determined that employers have the right to undertake pre-employment drug testing “in light of the well-documented problems that are associated with the abuse of drugs and alcohol by employees—increased absenteeism, diminished productivity, greater health costs, increased safety problems and potential liability to third parties, and more frequent turnover.” The ruling held that the California Fair Employment and Housing Act does not require employers to accommodate the use of illegal drugs. In 2008, the California Supreme Court considered whether an employer could fire an employee who failed a pre-employment drug test after he disclosed that, at his physician’s recommendation, he was using medicinal marijuana for back spasms as a result of injuries suffered while serving in the Air Force. Ross v. RagingWire Telecommunications, Inc., 42 Cal.4th 920 (2008). Four State Supreme Court justices sustained the dismissal of the complaint, finding that neither the Compassionate Use Act nor the accommodation requirements of the Fair Employment & Housing Act applied. But two dissenting justices noted that the majority opinion permits an employer to fire the employee for marijuana use, even when it occurs off-hours, does not affect the employee’s performance, does not impair the employer’s legitimate business interests, and provides effective relief for the employee’s medical condition. In their view, an employer must demonstrate that doctor-approved use of medicinal marijuana off-duty and off-premises is likely to impair business operations in some way or offer an alternative reasonable accommodation. Otherwise, they found discharge to be disability discrimination prohibited by the Fair Employment and Housing Act. The dissenting position suggests that the court may eventually require employers to accommodate the use of medical marijuana unless such use affects the employee’s performance or impairs the employer’s legitimate business interests. This view may now be particularly sympathetic to the courts in light of the increased support for medical marijuana among the medical community and the general public in the past decade. Thus, despite the enactment of laws permitting the prohibition of marijuana use among employees, employers will generally be well suited to incorporate language into their policies expressing the rationale behind their prohibition. Employers in cannabis-related industries should carefully craft language in handbooks and drug-testing policies. To protect their own liability from the products they grow or sell, these practices should ensure that limitations on use and being under the influence at work do not, without more, suggest that marijuana-related consumption impairs productivity, affects safety, or promotes absenteeism. Additionally, policies and practices may not, under any circumstances, allow smoking marijuana anywhere where smoking of tobacco is otherwise prohibited. Most municipalities expressly prohibit the consumption of cannabis on the premises of cannabis businesses. For example, Los Angeles’ proposed commercial cannabis regulations (summarized in a previous Tracking Cannabis post), which are currently subject to a public comment period ending on August 8, 2017, require businesses to monitor employee conduct to assure that employees do not consume cannabis on the premises and within the parking areas and require employers to post “No…Smoking of Cannabis” signs in and outside the business. In the meantime, California employers in all industries may conduct pre-employment drug testing and refuse to employ individuals who test positive for marijuana use.
http://www.lexology.com/library/detail.aspx?g=139213d6-3332-44ce-ba7c-7fdb80beb691&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2017-07-20&utm_term

Chemtrusion to Pay $145,000 to Settle EEOC Class Disability Discrimination Case
NDIANAPOLIS – Chemtrusion, Inc., a Houston-based manufacturing services company, will pay $145,000 and provide other significant relief to settle a disability discrimination lawsuit filed by the U.S. Equal Employment Opportunity Commission (EEOC), the federal agency announced last week. The EEOC filed suit against Chemtrusion in October 2016, claiming that since 2012, the company refused to hire or provide reasonable accommodations to a class of job applicants at the company’s Jeffersonville, Ind., facility because of medical information it obtained during pre-employment medical examinations. The company failed to conduct any individualized assessment of whether they could perform essential job functions, the EEOC charged. Such alleged conduct violates the Americans with Disabilities Act (ADA). The EEOC filed its lawsuit in U.S. District Court for the Southern District of Indiana, New Albany Division (EEOC v. Chemtrusion, Inc., Case No. 4:16-cv-00180) after first attempting to reach a pre-litigation settlement through its conciliation process. The EEOC and Chemtrusion voluntarily negotiated the terms of the consent decree settling the suit, without any admission of wrongdoing or liability by Chemtrusion. In addition to monetary relief, the decree requires that Chemtrusion: (1) instruct its hiring personnel and medical providers not to conduct medical inquiries until after a conditional offer is made; (2) conduct individualized analysis before withdrawing job offers; (3) train its hiring personnel on what the ADA requires with respect to medical examinations and hiring; (4) submit decisions to rescind job offers to legal counsel for review; and (5) track rescinded offers. The EEOC will monitor compliance with the two-year decree. “All the corrective measures required by the consent decree will ensure that Chemtrusion will comply with federal disability discrimination law in filling vacancies in the future,” said Kenneth L. Bird, regional attorney for EEOC’s Indianapolis District. “It will also provide a strong reminder to other employers that applicants are entitled to an individualized assessment of whether they can do a job, with or without reasonable accommodation, before a company may rescind a job offer after a medical examination.” Eliminating barriers to recruitment and hiring, especially class-based recruitment and hiring practices that discriminate against people with disabilities or racial, ethnic, and religious groups, older workers, and women, is one of the six national priorities identified by the Commission’s Strategic Enforcement Plan (SEP).
https://www.encompinc.com/news-article.php?id=427

NJ Fed. Court Dismisses Technical FACTA Violation Putative Class Action Citing Spokeo
The U.S. District Court for the District of New Jersey recently concluded that a putative class representative did not have standing under Spokeo to sue for a technical violation of the federal Fair and Accurate Credit Transactions Act (FACTA).

The Court identified the issue as whether the consumer alleges a sufficiently “concrete” harm to confer standing, based on a technical violation of FACTA, 15 U.S.C. § 1681, et seq., when a retail store printed the first six numbers and last four numbers of his credit card on his transaction receipts. Relying on the Supreme Court’s ruling in Spokeo Inc. v. Robins, 136 S. Ct. 1540, 1548 (2016), the Court identified two factors that determine whether an intangible harm is sufficiently concrete to confer standing under Article III. The first factor, according to the Court, was “whether an alleged intangible harm has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts.” The second factor was “whether Congress has expressed an intent to make an injury redressable.” Even if a statute creates a statutory right and gives a person authority to have that right vindicated, the Court continued, Article III still requires concrete injury even if the statute has been violated. Because the plaintiff did not adequately allege a concrete injury for the technical violation, the Court dismissed his second amended complaint. A copy of the opinion is available at: Link to Opinion. The defendants here were a conglomerate of clothing stores and manufacturers. On three occasions, the plaintiff purchased clothes from the defendants and the defendants printed the first six and last four digits of the plaintiff’s credit card. As you may recall, under FACTA, “no person that accepts credit cards or debit cards for the transaction of business shall print more than the last 5 digits of the card number…upon any receipt provided to the cardholder at the point of the sale or transaction.” See 15 U.S.C. § 1681c. The statute creates a private cause of action for “any actual damages…or damages of not less than $100 and not more than $1,000” for each violation. See 15 U.S.C. § 1681n(a). The plaintiff filed his original, single-count FACTA complaint in January 2015 and his first amended complaint (“FAC”) in March 2015, seeking statutory damages of $100 to $1000 per violation, as well as attorney’s fees and punitive damages. In August 2015, the Court denied the defendants’ motion to dismiss under Fed. R. Civ. P. 12(b)(6). In December of that year, the Court granted the defendants’ motion to stay the proceedings pending the outcome of Spokeo. In May 2016, the Supreme Court of the United States in Spokeo held that a plaintiff does not automatically “satisf[y] the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right.” Applying Spokeo, the Court determined that it lacked subject matter jurisdiction and dismissed the plaintiff’s FAC without prejudice. The plaintiff then filed a second amended complaint (“SAC”). The defendants again moved to dismiss for lack of standing. While the defendants’ motion to dismiss was pending, the Third Circuit decided In re Horizon Healthcare Servs. Data Breach Litig., 846 F.3d 625 (3d Cir. 2017), which applied Spokeo in the context of an alleged data breach that led to the disclosure of the plaintiff’s personal information. The Court first identified the issue as “whether [plaintiff] alleges a sufficiently ‘concrete’ harm to confer standing.” Next, the Court analyzed the two recent cases, Spokeo and Horizon, addressing issues of concreteness and standing. First, the Court quoted extensively from the findings in Spokeo related to concrete injuries. “‘Concrete’ injuries may be ‘intangible’ or non-economic, but, like other cognizable injuries, they must be ‘actual or imminent, not conjectural or hypothetical.’” Spokeo, 136 S. Ct. at 1548. The Court then identified two factors from Spokeo that determine whether an intangible harm is sufficiently concrete. The first is “whether an alleged intangible harm has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts.” Id. If so, “it is likely to be sufficient to satisfy the injury-in-fact element of standing.” Horizon, 846 F.3d at 637 (3d Cir. 2017). The second consideration, according to the Court, is “whether Congress has expressed an intent to make an injury redressable;” for, “even if an injury was previously inadequate in law, Congress may elevate it to the status of [a] legally cognizable injur[y].” Id. (quoting Spokeo, 846 F.3d at 637). The Court continued, “a plaintiff does not automatically satisf[y] the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right. Article III standing requires a concrete injury even in the context of a statutory violation.’” See Spokeo, 136 S. Ct. at 1549. Next, the Court analyzed the findings from Horizon. In that case, two laptop computers containing unencrypted personal information of over 800,000 health insurance customers were stolen from defendant’s headquarters. The breach ultimately led to a fraudulent tax return being filed in the plaintiff’s name and to an attempted credit card fraud. The plaintiff was also denied credit because his social security number had been associated with identity theft. The plaintiff’s complaint alleged several violations of the federal Fair Credit Reporting Act (FCRA), including the unauthorized furnishing of personal information. Applying Spokeo, the Third Circuit denied the defendant’s facial challenge, holding that the alleged injuries were sufficiently “concrete” to confer constitutional standing. The Court acknowledged that, under Anglo-American law, the “unauthorized disclosures of information have long been seen as injurious,” and, by passing the FCRA, Congress clearly intended to establish “that the unauthorized dissemination of personal information by a credit reporting agency causes an injury in and of itself—whether or not the disclosure of that information increased the risk of identity theft or some other future harm.” The Third Circuit concluded that the alleged injury in Horizon was “concrete” because it sufficiently resembled a common law injury (invasion of privacy), such that Congress could “elevat[e] [it] to the status of legally cognizable injur[y].” Id at 640. The New Jersey District Court acknowledged that the Horizon majority declined to consider “the full reach of congressional power to elevate a procedural violation to an injury in fact,” because the case before it “[did] not strain that reach.” Id. at 638. Relying on the findings from Spokeo and Horizon, the Court turned its attention to the facts of this case, where the plaintiff attempted to identify two “concrete” injuries: (1) disclosure of information considered by law to be intrinsically private, and (2) the increased risk of identity theft or credit card fraud in the future. According to the Court, neither theory alleged an adequate “concrete” injury, so the plaintiff failed to satisfy the injury-in-fact element of constitutional standing. Applying the factors from Spokeo, the Court determined that there was no meaningful relationship between the defendants’ conduct and any privacy interest historically recognized at common law. “Unlike in Horizon, Plaintiff’s personal information was not disclosed to third parties or used to perpetrate credit-card or tax fraud.” According to the Court, the defendants did not “disclose” the plaintiff’s personal information. Instead, he gave his credit card to the defendants and they printed some of the numbers on his receipt. “[P]rinting a card’s first six and last four digits—rather than only the last five digits—does not implicate the historic ‘right to be let alone,’ particularly when the first six digits do not pertain to the customer’s individual bank account.” As to the second factor under Spokeo, “the judgment of Congress,” the Court concluded that it did not support the plaintiff’s argument. “[I]t does not follow that Congress contemplated private actions by individuals who have not sustained any actual harm.” The Court next addressed the plaintiff’s allegation of increased risk of identity theft in the future. The Court acknowledged that, based on the holdings from Spokeo, “if [plaintiff] adequately alleges that [defendants’] statutory violation creates a material risk of future harm, then [plaintiff] likely has constitutional standing.” The Court, however, quickly concluded the plaintiff had not sufficiently alleged a risk of future harm. The Court observed that credit card numbers are 16 digits long, with the first six relating to the issuing bank and the last 10 referring to the card holder. Thus, by printing the first six and last four, the defendants did not increase the risk of future harm because the personal information given—the last four digits—did not exceed the five digits permitted by Congress. Next, the Court addressed the plaintiff’s allegations that “dumpster divers” or “sophisticated criminals” could use the receipts to perpetrate fraud. According to the Court, the plaintiff had not presented sufficient information to establish these alleged harm-causing scenarios were anything other than hypothetical and too remote. Accordingly, the Court rejected those allegations. Finally, the Court summarized its findings: “Congress cannot empower individuals to manufacture a ‘case’ or ‘controversy’ where none exists. As Spokeo explained and Horizon acknowledged, the ‘congressional power to elevate intangible harms into concrete injuries is not without limits.’ Those limits are established by Article III of the Constitution, as interpreted by the Supreme Court. This Court finds that [defendants’] technical violation of FACTA lies beyond these limits.” Accordingly, the Court granted the defendants’ motion to dismiss and dismissed the plaintiff’s SAC.
http://www.lexology.com/library/detail.aspx?g=f2e8e6e9-1177-4360-a89f-f65c85018ffb&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2017-07-20&utm_term

LinkedIn Case Tests Whether Firms Can Use Your Data
Startup scrapes public profiles to predict whether people are likely to leave their jobs. LinkedIn says that violates privacy. A lawsuit against LinkedIn Corp. is shaping up as a test of whether it is legal to collect publicly viewable information posted by internet users. The social network for professionals faces a lawsuit brought by hiQ Labs, a San Francisco company that scrapes and analyzes personal data on LinkedIn to predict whether individual employees are likely to leave their jobs. For years after starting in 2012, hiQ amassed data without objections from LinkedIn, which Microsoft Corp. acquired late last year. HiQ says it excludes profiles that require a LinkedIn account to view, analyzing fewer than 175,000 profiles in a 500-million-member network. In May, LinkedIn’s legal counsel wrote to hiQ and ordered it to stop accessing the site. It also told hiQ it had tried to ban it through an IP-address block, asserted the company was violating a federal anti-hacking law and threatened to take it to court. But hiQ got there first. It filed suit in June, asking a federal judge in California to declare that it was complying with the anti-hacking law and that LinkedIn was unlawfully attempting to stifle competition. On Thursday, a hearing is set on whether LinkedIn should be prevented from limiting hiQ’s access to its site. LinkedIn says it has a “right to control access to its private property” and argues that hiQ’s data-scraping threatens its members’ privacy. The dispute has deeper implications for the growing industry of data analytics and whether “legitimate business will be permitted to scrape from the public portion of websites like LinkedIn,” said David Thaw, a professor of law and information sciences at the University of Pittsburgh.
https://www.wsj.com/amp/articles/suit-against-linkedin-could-affect-data-analytics-industry-1501147801

State Developments

A Ban on Ban-the-Box Laws? Texas and Indiana Introduce Legislation That Would Prohibit Municipal and County Ban-the-Box Laws Within Their States
In recent years, numerous cities and counties have enacted ordinances restricting the ability of public and private employers to inquire into the criminal histories of applicants during various stages of the job application process—the so-called “ban-the-box” laws. Recently, however, two state legislatures have gone against the grain. State legislatures in Indiana and Texas recently introduced new state-wide legislation meant to create conformity within their borders by prohibiting municipalities and counties from micro-managing the particular steps involved in private employers’ hiring with regard to the prohibition, limitation, or regulation of background screening.

  • Indiana Senate Bill 312
    As of July 1, 2017, local governments can no longer issue ban-the-box ordinances in Indiana. Senate Bill 312 prohibits political subdivisions (including counties, municipalities, and townships) from enacting ordinances that interfere with an employer’s ability to obtain or use criminal history information during the hiring process (to the extent allowed by state or federal law). Accordingly, the Indianapolis Ban the Box Ordinance, previously applicable to both the public sector and private employers holding vendor contracts with Indianapolis and Marion County, Indiana since February 2014, has been preempted.
  • Austin’s Fair Chance Hiring Ordinance
    In March of 2016, the Austin City Council passed a Fair Chance Hiring Ordinance prohibiting the use of criminal history check boxes on job applications. (See prior post here.) The Fair Chance Hiring Ordinance recently dodged a bullet; the Legislature of the State of Texas had introduced similar legislature to Indiana’s and the original wording of House Bill 91 in committee had included a ban on such ordinances. Over time, the caption of the bill was no longer accurate, since it also included “occupational licensing requirements and an applicant’s criminal history.” The Texas Senate deleted the portion of the bill that would prohibit ban-the-box ordinances so the bill once again matched its caption and the Senate went on to pass House Bill 91 on May 23, 2017.
  • Employer Outlook
    As counties and municipalities have passed individual, and at times conflicting, ban-the-box ordinances, a patchwork of legal obligations, requirements, and prohibitions has resulted for certain regional and national employers. This patchwork can impose significant compliance issues. Indiana and Texas appear to have recognized this issue, and have made efforts to create consistency within their states. Based on the success of the recent Indiana legislation, other states seeking to create consistency and reduce burdens on employers may bring similar legislation (rather than be deterred by the Texas legislature’s defeated attempt). Additionally, similar themes can be seen: The Pennsylvania Senate passed a Bill in February that would amend the Commonwealth’s Equal Pay Act and which would allow employers to inquire into prospective employee’s wage histories. Significantly, the Bill contains a preemption clause which provides that “[t]he provisions of this act shall preempt and supersede any local ordinance or rule concerning the subject matter of this Act.” If enacted, this preemption language will sound the death knell to Philadelphia’s Salary History Ban Ordinance, originally scheduled to take effective May 23, 2017 (but currently stayed pending legal challenge). Overall, the goal of legislative and regulatory consistency is positive for employers who, at times, can be subject to various levels of regulation in the various jurisdictions in which they operate. Clarity and consistency pave the way for compliance, and create a welcoming atmosphere for current and new employers.

http://www.jdsupra.com/legalnews/a-ban-on-ban-the-box-laws-texas-and-91351

San Francisco to Bar Employers from Seeking Disclosure of Salary History
San Francisco has become the latest jurisdiction to pass a law restricting employers from inquiring about prior salary history during the hiring process. The ordinance, which will go into effect on July 1, 2018, will restrict employers from: (i) considering or relying on an applicant’s salary history as a factor in determining whether to make an offer of employment or what salary to offer; (ii) inquiring about an applicant’s salary history; (iii) refusing to hire or otherwise retaliating against an applicant based on failure to provide salary history; and (iv) releasing the salary history of a current or former employee to that person’s employer or prospective employer without written authorization from the current or former employee. Employers will, however, be able to: (i) consider voluntarily disclosed or authorized salary history in determining salary for an applicant and/or verify the salary history information the applicant has voluntarily disclosed; and (ii) without inquiring about salary history, engage in discussion about the applicant’s expectations with respect to salary, including unvested equity or deferred compensation or bonus that an applicant would lose or forfeit by virtue of leaving current employment. Employers will have a one year grace period (i.e., until July 1, 2019) during which San Francisco will issue written warnings and notices to correct but will not penalize employers for violation of the new ordinance. Thereafter, monetary penalties will be issued for violations.
http://www.lexology.com/library/detail.aspx?g=2f3b55e7-ba68-4590-928a-5fd613eb1b86&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2017-07-11&utm_term
https://sfgov.legistar.com/View.ashx?M=F&ID=5282302&GUID=9B58E3DF-EBD7-46FC-BFFB-32E073CFF9E0

Disclosure and Authorization
Recently a federal district court in Texas weighed in on the proper application of Article III standing requirements in light of the Supreme Court’s 2016 decision in Spokeo, Inc. v. Robins. The court granted the defendant’s motion to dismiss the class action due to lack of Article III standing. The case involved allegations of a deficient disclosure and authorization (D&A) form under the Fair Credit Reporting Act (FCRA) used for employment purposes because it included extraneous information such as an on-going authorization, state disclosures, the summary of rights, and a legal disclaimer. Plaintiffs argued that the D&A violated the FCRA’s stand-alone disclosure requirement. In granting the defendant’s motion the court took the position that this was form over substance and plaintiff’s allegations did not confer standing because he did not demonstrate he suffered a concrete injury. The case is Dyson v. Sky Chefs, Inc., 2017 WL 2618946, N.D. Texas (June 15, 2017).

July 1, 2017, Notice Required Regarding Domestic Violence, Stalking and Sexual Assault in California
Effective July 1, 2017, California employers with 25 or more employees are required to provide to new employees upon hire and to current employees upon request notice regarding the rights of victims of domestic violence, sexual assault and stalking. The new law is intended to provide covered California employees with information about their right to:

  • Take off time to:
    • Procure medical attention or services from a domestic violence shelter, program or rape crisis center.
    • Obtain psychological counseling for these types of issues.
    • Receive safety planning assistance.
    • Secure a restraining order or other court order to protect the employee and the employee’s children from domestic violence, sexual assault and stalking.
  • Request and receive a reasonable accommodation to assist them in keeping safe from domestic violence, sexual assault and stalking at work (such as installing locks or changing a shift).
  • Be free from retaliation for being a victim of these issues or asserting the right to time off or reasonable accommodation for these reasons.

The required notice is available in English and Spanish. Because the law requires employers to provide the information as clearly as the state’s form notice, we recommend using the form notice at the designated times rather than relying on the information being included only in an employee handbook. Affected employees who do not timely receive the notice could bring an individual or representative claim for penalties under the California Private Attorney General Act for a violation of the Labor Code.
http://www.lexology.com/library/detail.aspx?g=051a680b-0628-4efc-bee9-9dbfd1493dc4&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2017-07-20&utm_term

Maine Department of Labor clarifies its position on Drug Testing & Marijuana
The Portland Press Herald is reporting that Maine Department of Labor Director of Policy, Operations and Communications, Julie Rabinowitz, reported to a legislative panel yesterday that businesses with Maine-state drug testing policies should not test job applicants and workers for marijuana, because even if the tests came back positive, employers cannot fire the individual. Specifically, Section 2454(2) of the Marijuana Legalization Act provides: “This chapter may not be construed to require an employer to permit or accommodate the use, consumption, possession, trade, display, transportation, sale or growing of cannabis in the workplace. This chapter does not affect the ability of employers to enact and enforce workplace policies restricting the use of marijuana by employees or to discipline employees who are under the influence of marijuana in the workplace.” Moreover, Section 2454(3) provides: “A school, employer or landlord may not refuse to enroll or employ or lease to or otherwise penalize a person 21 years of age or older solely for that person’s consuming marijuana outside of the school’s, employer’s or landlord’s property.” These two provisions are what the DOL is relying upon to support the position that employers cannot take adverse action against an employee even if the employer has a state-sanctioned drug testing policy and that employee fails the drug test. Recently, the Massachusetts Supreme Court found language similar to that found in Section 2454(2) to implicitly require an employer to attempt to accommodate employees who had marijuana in their system while at work, but who did not use the marijuana at work. The additional hurdle that the Maine statute as a whole creates for employers is the fact that there currently are no scientifically proven ways to determine whether an employee is under the influence of marijuana. Accordingly, if an employer is relying upon a determination that an employee is “under the influence,” it is recommended that a policy or practice be created as to what standard will be relied upon to make this determination. Until there is clarity in the legislation—or a court case that clarifies employers’ responsibilities—we recommend employers contact counsel prior to taking any adverse action against an employee who tests positive for marijuana under a state-approved drug test.
http://www.lexology.com/library/detail.aspx?g=6282339e-b000-4767-a48a-059b499864fa&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2017-07-26&utm_term

N.J. – Booker Meets with Housing Advocates and Tenants Impacted by Blacklisting
U.S. Senator Cory Booker (D-NJ) met with housing advocates and New Jerseyans affected by tenant blacklisting to discuss legislation he will introduce this week to reform tenant screening practices. Landlords in New Jersey and across the nation are using tenant screening reports prepared by third-party reporting agencies as a legal means to discriminate against potential tenants for simply asserting their legal rights. Sen. Booker’s legislation would amend the Fair Credit Reporting Act to enact stricter regulations on tenant rating agencies and provide tenants additional protections.
https://www.booker.senate.gov/?p=press_release&id=631

International Developments

GDPR Implementation
On July 11th, privacy Professor Daniel Solove published a blogpost about the major force driving the implementation of the EU’s General Data Protection Regulation (GDPR). According to Professor Solove, companies will effectively implement the GDPR due to pressure from other companies. Under the GDPR, data controllers are liable if their vendors, or data processors, are not GDPR compliant. As a result, data controllers will only use vendors who are compliant with the GDPR to reduce risk. The vendors will be required to be GDPR compliant in order to maintain a competitive advantage.
https://www.linkedin.com/pulse/hidden-force-drive-gdpr-privacy-compliance-daniel-solove?trk=mp-reader-card

GDPR – A Guide for Employers
If a company has EU-based employees whose behavior it “monitors” (see below) it will need to take steps to ensure that it is compliant with the GDPR when it comes into force in May 2018. “Monitoring” in an employment context is not defined in the GDPR itself but is likely to cover the tracking of employees’ activities in order to take disciplinary, performance or other employment-related actions in respect of them. In reality, given the technologies most employers will require EU-based employees to use in the workplace, most employers with EU-based employees are likely to be tracking the behavior of their employees and therefore covered by the GDPR. This means that companies based outside the EU will need to comply with the GDPR in respect of their EU-based employees, even though they may have no corporate presence there. Such companies must appoint an EU representative established in one of the EU Member States where they have EU-based employees. Although the structure and concepts in the GDPR will in some respects be familiar to employers (because they reflect current requirements under the existing law), there are some key changes. The most important of these is the restriction on the use of consent in the context of the employment relationship. Currently, many companies rely on employees’ consent to process their personal data and short consents are often included in the employment contract. However, under the GDPR, for consents to be valid it must be freely-given, specific, informed and revocable. The GDPR states that, given the imbalance of power between employer and employee, employees can only give free consent in exceptional circumstances. In reality, it will be very difficult for employers to rely on consent to process employees’ personal data. Consent is only one of a number of potential legal bases for processing employee data. Alternative legal bases include processing being:

  • necessary for the performance of the employment contract. This would cover, e.g., employees’ bank account data which the employer requires to pay employees
  • required by law. This would cover, e.g., processing of sickness absence data to facilitate the payment of statutory sick pay in the UK
  • in the employer’s legitimate interests which outweigh the general privacy rights of employees. This is potentially much wider in scope and will assume much greater prominence under the GDPR

Companies should review their template employee documentation such as employment contracts and any free-standing employee data processing consents. For new hires we recommend that companies replace the consent language in these documents by new language referencing the alternative legal bases referred to above. For existing employees, companies should roll out employee data processing notices which refer to these alternative legal bases. Failure to comply with the GDPR can result in fines of up to €20 million or 4% of a company’s (or the entire group company’s) annual worldwide turnover. This is significantly higher than the current penalties available for non-compliance with the existing regime (e.g. fines of up to £500,000 in the UK).

Privacy Shield
On July 7th, the European Economic Area (EEA) formally decided to incorporate the EU-U.S. Privacy Shield into the EEA Agreement. This recognizes the Privacy Shield framework as a valid mechanism to transfer data from EEA member states to member states that are now included in the Privacy Shield.
http://www.efta.int/sites/default/files/documents/legal-texts/eea/other-legal-documents/adopted-joint-committee-decisions/2017%20-%20English/144-2017.pdf

UK House of Lords Cross-Border Data Flow Report
On July 18th, the UK House of Lords EU Home Affairs Subcommittee published a report entitled, “Brexit: The EU Data Protection Package” that examines ways that the UK can maintain uninterrupted data flows with the EU following Brexit. The report recommends that the UK “pursue full regulatory equivalence with the EU with respect to data protection in order to ensure unhindered data flows between the UK and EU.” Key takeaways from the report are: • The most effective way to achieve unhindered flows of data would be to secure adequacy decisions from the European Commission under the General Data Protection Regulation and the Police and Criminal Justice Directive; • Without a transitional arrangement, the lack of data sharing options in the area of law enforcement would raise concerns about the UK’s ability to maintain police and security cooperation with the EU and its Member States; and • Even if the UK rules align with the EU, there is a chance that the EU may amend or update its rules. As a result, maintaining unhindered data flows could “require the UK to continue to align domestic data protection rules with EU rules that it no longer participates in setting.”
https://www.parliament.uk/business/committees/committees-a-z/lords-select/eu-home-affairs-subcommittee/news-parliament-2017/data-protection-report-published/

EU/Canada Agreement Regarding Airline Passenger Data Retention
The Court of Justice of the European Union strikes down an agreement between the EU and Canada regarding airline passenger data retention and transfers
http://www.politico.eu/wp-content/uploads/2017/07/EU-Canada-PNR.pdf

Calls Grow for Canada to Modernize Privacy Laws Amid EU Changes
New privacy regulations coming into force in Europe next year are calling into question whether Canada’s approach to privacy is keeping up with its global peers. Industry observers are suggesting that if Canada does not continue to modernize its approach to privacy, it could face roadblocks in maintaining its status as an adequately protected jurisdiction – a status that allows for more fluid trade with the European market. In May, 2018, Europe’s new General Data Protection Regulation (GDPR) will come into force, and will impose sweeping changes on how privacy is protected in the European Union.
https://www.theglobeandmail.com/report-on-business/industry-news/marketing/calls-grow-for-canada-to-modernize-privacy-laws-amid-eu-changes/article35778176/

Miscellaneous

Fair Credit Reporting Act Developments: Increase in Class Action Litigation
Applicant background reports can be vital tools for employers, especially in the hiring process. However, amendments to the Fair Credit Reporting Act (“FCRA”) significantly increase the rights of applicants and employees to receive certain disclosures and to choose whether to authorize certain background reports. Given the increase in litigation over these issues, employers (as well as their attorneys and investigators) are well-advised to pay close attention to the detailed requirements of the FCRA. The FCRA requires that employers disclose to applicants that a background report may be obtained for employment purposes, and obtain signed authorization from applicants before procuring a background report. Further, the Act requires that employers provide applicants a copy of the background report and a summary of their rights under the FCRA before taking any adverse action (such as not hiring the applicant) based in whole or in part on information contained in the report. Finally, when an employer actually takes adverse action based in whole or in part on a background report, the employer must give the applicant written notice of the adverse action along with specific information about the consumer reporting agency which provided the background report. While these requirements may appear straightforward, they contain subtle nuances that create a trap for employers who assume compliance. A procedural error in one instance is often exploited to allege widespread violations, which lead to costly and time-consuming class action litigation. The penalties quickly add up, as a simple $1,000 statutory penalty for a violation with respect to one applicant is multiplied by hundreds or thousands of potential class members to create millions of dollars in potential liability. In recent years, several large companies have made headlines as they’ve paid out millions of dollars in settlement of FCRA class actions. The claims against most of these companies stem from an alleged failure to comply with the FCRA’s authorization and disclosure requirements. Specifically, the plaintiffs alleged that their respective employer failed to provide the necessary stand-alone disclosures associated with conducting and using background checks in the employment context. [1] While these large settlements have become more difficult to obtain in the wake of the United States Supreme Court’s decision in Spokeo, Inc. v. Robins, [2] the threat of FCRA litigation is not going away. According to ACA International, FCRA litigation has increased 47 percent in the last year and is expected to continue to surge. [3] Employers should therefore be mindful of their background check procedures, and audit their forms and policies for compliance on a regular basis. As the law develops, practices that once were assumed lawful may have fallen into disfavor with the courts. Employers are therefore better served to proactively revise their procedures to conform to the most recent best practices, rather than defend them with the potential for millions in exposure if they are found unlawful.
http://www.lexology.com/library/document.ashx?g=aebd109d-f7ff-4867-993e-ff234196878a

Physical Exams as a Condition of Employment: Are They Permissible?
Employers may require an applicant to submit to a pre-employment physical examination, but only after a conditional offer of employment has been made, and even then only under the following conditions:

  • All other candidates in the job category must also be required to submit to the physical;
  • The candidate’s medical history is kept separate from other employment-related records and is treated confidentially; and
  • The results are not used to discriminate against the applicant under the Americans with Disabilities Act (“ADA”) or other discrimination laws.

To ensure that there is no ADA violation, the physical examination should be limited to an assessment of whether the applicant is able to perform the duties of the position, with or without an accommodation. To avoid a claim under the Genetic Information Nondiscrimination Act (“GINA”), the physician should not request information about the applicant’s family medical history.

It would be helpful to provide the physician with a copy of the job description prior to the examination so that the physician is familiar with the responsibilities expected of the position.

Employers will want to tread carefully in making an adverse employment decision based on the results of a physical exam. The applicant’s offer may not be rescinded unless the issue is job-related and consistent with business necessity, or creates a direct threat to health and safety of the applicant or others, and the condition cannot be reasonably accommodated. Moreover, the company could violate discrimination laws if it rescinds an offer based on non-medical information learned as a result of the physical (for example, the applicant’s age, religion, etc.) Likewise, employers could land in hot water if they rescind an offer after learning about an employee’s pregnant condition as the result of the exam.
http://www.lexology.com/library/detail.aspx?g=d2cf7066-81f3-4082-9e82-8be5ffba2361&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2017-07-18&utm_term

Please Note: Some of the information contained herein is a monthly summary of the daily information provided by Arnall Golden Gregory LLP, an Atlanta firm servicing the business transactions and litigation needs of background check companies. The information described is general in nature, and may not apply to your specific situation. Legal advice should be sought before taking action based on the information contained herein. For more information about Arnall Golden Gregory LLP, please visit www.agg.com or contact Bob Belair at 202.496.3445 or robert.belair@agg.com.