APRIL 2022 SCREENING COMPLIANCE UPDATE
Federal Government’s “Ban the Box” Policy in Effect
The federal government is the latest employer to adopt fair chance hiring requirements for certain parts of its workforce and contractors. The goal is to help qualified workers with a criminal history compete for employment within federal agencies and with federal contractors by not having to discuss or report such information until after a conditional offer of employment is made.
Application to the Federal Government
The Fair Chance Act (also known as the Fair Chance to Compete for Jobs Act) was included in the National Defense Authorization Act for FY 2020 (NDAA). It became Public Law No. 116-92 on December 20, 2019, and took effect two years after the NDAA was signed into law by the President. It therefore applies to federal contracts and solicitations as of December 20, 2021.
Generally, it applies to all federal agencies (e.g., executive, legislative, and judicial branches) as well as federal civil contractors and defense contractors.
It prohibits a federal agency from requiring—either orally or in writing—that an applicant for appointment to a position in the civil service disclose criminal history record information about themselves before the extension of a conditional offer of employment.
Prohibited criminal history record information includes arrests, indictments, information, or other criminal charges and any dispositions arising from those. It also includes a prohibition on the use of sealed and expunged information as well as juvenile delinquency information. The latter is generally not reportable regardless of the Fair Chance Act. Exceptions to this prohibition exist, including if the position requires consideration of criminal history record information by law as well as for law enforcement positions. Additional exceptions may apply for positions that involve interaction with minors, access to sensitive information, or managing financial transactions (regulations are pending on these exceptions).
Application to Private Federal Civil Agency and Defense Contractors
The same prohibition applies to federal contractors and prohibits a civil agency or defense contractor from requesting the disclosure of criminal history record information regarding an applicant for a position to work under a federal contract prior to the contractor extending a conditional offer to the applicant. Exceptions exist for positions that require access to classified information or that have sensitive law enforcement or national security duties.
Penalties for federal contractors for failure to comply with this requirement include (i) a written warning for first-time violations and (ii) potential suspension of payment under the contract for subsequent violations until the contractor demonstrates compliance with federal law.
The Fair Chance Act requires the Administrator of General Services, the Secretary of Defense, and the Federal Acquisition Regulatory Council to issue regulations to implement the Fair Chance Act. They have not yet done so.
Private employers nationwide have to comply with a range of fair chance hiring laws in effect at the state, county, and even city level, each with varying requirements. The Fair Chance Act adds an additional layer for federal civil agencies and defense contractors to consider when hiring candidates to work on federal contracts starting in 2022. Federal contractors may see new or amended solicitations and contract clauses specifically prohibiting them from inquiring into a job applicant’s criminal past until a conditional offer of employment has been made.
In addition, affected private employers should review their hiring policies and procedures to ensure that questions are not being asked about criminal history prior to a conditional offer of employment, either during the hiring process or on job applications.
The Fair Chance Act mirrors traditional “ban the box” laws in that it simply restricts when the employer may inquire whether a candidate has a criminal history. Notably, the Fair Chance Act does not include additional requirements—such as notice, a waiting period, or an individualized assessment—that go beyond the traditional “ban the box” mandate. Such additional requirements are generally found in broader state and local fair chance hiring laws.
Finally, and to be clear, private employers may still conduct a criminal history background check as part of their hiring and onboarding process and may consider criminal history as part of the hiring process. What is different about the Fair Chance Act is the timing of any such inquiries, and consideration of such information, as it cannot occur until after a conditional offer of employment is made.
Form I-9 Requirements Flexibility Extended Until October 31, 2022
The U.S. Department of Homeland Security (DHS) and U.S. Immigration and Customs Enforcement (ICE) have announced another extension to flexibility relating to in-person Form I-9 compliance. The policy, which was originally announced on March 19, 2020, was previously set to expire on April 30, 2022. Through this new extension, the policy will remain in effect until October 31, 2022.
As discussed in a previous post, this flexibility allows employers whose workforce is working remotely to defer the physical presence requirements associated with the Employment Eligibility Verification (Form I-9) and section 274A of the Immigration and Nationality Act. The policy initially applied only to employers and workplaces that were working entirely remotely. However, the policy was expanded to cover all employers who hire employees on or after April 1, 2021 to exclusively work remotely due to the employer’s COVID-19 policy. In these cases, the in-person inspection requirement relating to Form I-9 identity and employment eligibility documentation applies only to employees who physically report to work at a company location on any “regular, consistent, or predictable basis.”
The temporary guidance continues to provide the following:
Employers that have gathering bans or restrictions due to COVID-19 are not required to perform an in-person review of the employee’s identity and employment authorization documents. Instead, employers may inspect the employee’s “Section 2” I-9 documents remotely, using “video link, fax or email, etc.” Employers must obtain, inspect and retain copies of the documents within 3 business days, and provide written documentation of their remote onboarding and remote work policy on the employee’s Form I-9. Once normal operations resume, employers must conduct an in-person verification of any documents presented by employees who were onboarded remotely, within 3 days of a return to the work location.
Although DHS has signaled a willingness to permanently adopt remote document examination for I-9 eligibility verification, to date, no permanent changes have been made. Accordingly, employers are encouraged to begin, at their discretion, the in-person verification of identity and employment eligibility documentation for employees who were hired on or after March 20, 2020, and who presented such documents for remote inspection in reliance on the flexibilities first announced in March 2020.
CFPB Charges TransUnion and Senior Executive John Danaher with Violating Law Enforcement Order
TransUnion deployed digital dark patterns to dupe Americans into subscription plans
Today, the Consumer Financial Protection Bureau (CFPB) is filing a lawsuit against TransUnion, two of its subsidiaries, and longtime executive John Danaher for violating a 2017 law enforcement order. The order was issued to stop the company from engaging in deceptive marketing regarding its credit scores and other credit-related products. After the order went into effect, TransUnion continued its unlawful behavior, disregarded the order’s requirements, and continued employing deceitful digital dark patterns to profit from customers. The Bureau’s complaint also alleges that TransUnion violated additional consumer financial protection laws.
“TransUnion is an out-of-control repeat offender that believes it is above the law,” said CFPB Director Rohit Chopra. “I am concerned that TransUnion’s leadership is either unwilling or incapable of operating its businesses lawfully.”
Chicago-based TransUnion (NYSE: TRU) is the parent company of one of the nation’s three largest credit reporting agencies. It is led by President and CEO Christopher A. Cartwright. TransUnion collects consumer credit information, including borrowers’ payment histories, debt loads, maximum credit limits, names and addresses of current creditors, and other elements of their credit relationships.
TransUnion collects information on 200 million individuals, and the company claims to profile “nearly every credit-active consumer in the United States.” TransUnion reported $3 billion in revenue for 2021.
Through its subsidiary, TransUnion Interactive, the company also markets, sells, and provides credit-related products directly to the public, such as credit scores, credit reports, and credit monitoring.
Credit reporting agencies are entrusted with generating accurate credit reports to help banks and other lenders determine an applicant’s creditworthiness. However, based on the nearly 150,000 consumer complaints about TransUnion that the Bureau received in 2021 alone, TransUnion has struggled to maintain that trust.
2017 Law Enforcement Order
On January 3, 2017, the CFPB settled charges with TransUnion and its subsidiaries for deceptively marketing credit scores and credit-related products, including credit monitoring services. As part of the settlement, TransUnion agreed to pay $13.9 million in restitution to victims and $3 million in civil penalties. TransUnion and its subsidiaries also agreed to a formal law enforcement order that, among other things, required the credit reporting giant to warn consumers that lenders are not likely to use the scores they are supplying, obtain the express informed consent of customers for recurring payments for subscription products or services, and provide an easy way for people to cancel subscriptions. The order was binding on the company, its board of directors, and its executive officers.
In October 2018, the CFPB commenced an examination of TransUnion. In May 2019, CFPB examiners informed TransUnion that it was violating multiple requirements of the order. In these instances, companies typically work constructively with the CFPB to make quick fixes and come into compliance. However, in June 2020, CFPB informed TransUnion that it was still violating the order and engaged in additional violations of law.
Digital Dark Patterns
Dark patterns are hidden tricks or trapdoors companies build into their websites to get consumers to inadvertently click links, sign up for subscriptions, or purchase products or services. Dark patterns can complicate or hide information, such as making it difficult for consumers to cancel a subscription service.
As alleged in the complaint, TransUnion used an array of dark patterns to trick people into recurring payments and to make it difficult to cancel them. For example, under federal law, Americans are entitled to a free credit report from TransUnion through annualcreditreport.com. TransUnion asked consumers to provide credit card information that appeared to be part of an identity verification process. TransUnion then integrated deceptive buttons into the online interface that gave the impression that the consumer could also access a free credit score in addition to viewing their free credit report. In reality, clicking this button signed consumers up for recurring monthly charges using the credit card information they had provided.
The only indication in the enrollment process that consumers were making some sort of purchase was a fine-print, low-contrast disclosure located off to the side of the enrollment form. The disclosure is inside an image that can take up to 30 seconds longer to load than the rest of the material in the form. This dark pattern triggered thousands of complaints.
For consumers looking for a way out of their subscriptions, TransUnion not only failed to offer a simple mechanism for cancellation, it actively made it arduous for consumers to cancel through clever uses of font and color on its website.
Since 2004, John T. Danaher served as a top executive of TransUnion Interactive, TransUnion’s unit that sold products and services directly to consumers and contributes roughly 18% of TransUnion’s overall revenue. According to filings with the Securities and Exchange Commission, since 2016, Danaher received over $10 million from the sale of TransUnion stock shares that were acquired by him as part of his compensation package.
Danaher was bound by the 2017 order, but he repeatedly failed to ensure that TransUnion took certain required steps and refrained from prohibited conduct. In fact, Danaher determined that complying with the order would reduce the company’s revenue, so he created a plan to delay or avoid having to implement the order.
Among other things, Danaher determined that using an affirmative selection checkbox, required by the order to limit unintended subscription enrollments, would result in fewer enrollments into TransUnion’s Credit Monitoring service. Danaher instructed TransUnion Interactive to cease using the checkbox, which led to millions of enrollments.
Danaher recently separated from TransUnion.
Today’s Enforcement Action
Repeat offender law enforcement is a top priority for the CFPB. The CFPB is filing a lawsuit in federal court charging TransUnion and John Danaher with multiple violations of law. Specifically, the Bureau’s lawsuit alleges that:
- TransUnion and John Danaher flouted a formal law enforcement order: TransUnion and Danaher flouted the terms of the CFPB’s 2017 order. Rather than comply with the terms, the company continued to engage in deceptive conduct in its marketing and sale of credit-related products, it failed to provide required disclosures to make its marketing not misleading, and it failed to assemble and review consumer information and implement appropriate improvements to advertisements. Danaher’s actions also make him liable under the law.
- TransUnion deceived customers through digital dark patterns: For its subscription products, TransUnion relied on digital dark patterns from beginning to end of the TransUnion customer experience.
- TransUnion cheated customers through the marketing and sale of its credit-related products: TransUnion misrepresented numerous aspects of its products, services, and subscription plans, including that its credit monitoring service was a standalone credit score or credit report.
Under the Dodd-Frank Wall Street Reform and Consumer Protection Act, the CFPB has the authority to take action against institutions violating consumer financial laws, including engaging in deceptive acts or practices or violating the Electronic Fund Transfer Act, which establishes a basic framework of the rights, liabilities, and responsibilities as to electronic fund transfers.
Today’s lawsuit alleges that TransUnion violated the Consumer Financial Protection Act of 2010 by failing to implement requirements of the Bureau’s 2017 order and by engaging in deceptive acts and practices. The CFPB also alleges that TransUnion violated Regulation V, which implements the Fair Credit Reporting Act, and the Electronic Fund Transfer Act.
The CFPB is seeking monetary relief for consumers, such as restitution or return of funds, disgorgement or compensation for unjust gains, injunctive relief, and civil money penalties. The complaint is not a final finding or ruling that the defendants have violated the law.
Utah Becomes Fourth State to Enact a Comprehensive Data Privacy Law
On March 24, 2022, Utah followed California, Virginia, and Colorado in adopting a comprehensive consumer data privacy law.
On March 24, 2022, Utah Governor Spencer Cox signed the Consumer Privacy Act (“Act”), making Utah the most recent state to enact a comprehensive data privacy law. The Act takes effect on December 31, 2023.
The Act will apply to entities that: (i) conduct business or target consumers in Utah; (ii) generate $25 million or more in annual revenue; and (iii) either process or control: (a) the personal data of at least 100,000 Utah consumers; or (b) the personal data of at least 25,000 Utah consumers while deriving at least half their gross revenue from selling personal data. Under the Act, consumers are individuals who are Utah residents acting in an individual or household context; residents acting in an employment or commercial context are not covered.
The Act borrows many core elements from peer legislation in California, Virginia, and Colorado. For example, the Act creates obligations for “controllers” (those determining the purposes and means of processing the personal data) and “processors” (those processing the personal data on a controller’s behalf).
Under the Act, controllers have obligations to, among other things:
- Disclose in a privacy notice various processing activities;
- Provide consumers with clear notice and an opportunity to opt out of the processing of “sensitive data,” including biometric and geolocation data;
- Provide consumers with a right to opt out of targeted advertising or the sale of personal data;
- Comply with requests from consumers to exercise their other rights to access, obtain a copy of, or delete personal data, and confirm whether a controller processes personal data; and
- Maintain reasonable administrative, technical, and physical data security practices.
The Act does not create a private right of action, and grants exclusive enforcement authority to the Attorney General. If businesses do not cure violations within 30 days of the Attorney General’s notice, the Attorney General may collect statutory damages up to $7,500 per violation, and actual damages to the consumer. Funds received by the Attorney General will be deposited into a Consumer Privacy Account for investigation and administrative costs, attorneys’ fees, and providing consumer and business education.
Mississippi Poised to Enact Pay Equity Law
Mississippi is the only state in the country without an equal pay law. That may change soon.
On March 30, 2022, the Mississippi House and Senate both passed HB 770. The bill (1) requires employers to pay employees without regard to sex and (2) encourages equal pay for equal work. The bill sits with the state’s governor for signature or veto by April 23. If the governor does not act, HB 770 will become Mississippi law.
Mississippi’s HB 770 largely mirrors the federal Equal Pay Act. It prohibits employers from paying employees in the same establishment, but of opposite sexes, different wage rates if they are performing “equal work on a job, the performance of which requires equal skill, education, effort and responsibility, and which is performed under similar working conditions,” unless the pay difference is “based on” (a) a seniority system, (b) a merit system, (c) a system that measures earnings by quantity or quality of production, or (d) any factor other than sex, just like under the federal Equal Pay Act.
Unlike the trend in many states that limit the reasons for permissible pay differences (like California, Colorado, Illinois, Massachusetts, New Jersey, and Washington), HB 770 makes clear that its “any factor other than sex” defense includes factors such as:
- The salary history demonstrated by the employee as compared to employees of the opposite sex in the same establishment;
- The continuity of employment history demonstrated by the employee as compared to employees of the opposite sex in the same establishment;
- The extent to which there was competition with other employers for the employee’s services as compared to employees of the opposite sex in the same establishment; and
- The extent to which the employee attempted to negotiate for higher wages as compared to employees of the opposite sex in the same establishment.
This bill runs counter to recent trends for other reasons, too:
- Courts have looked skeptically at extending the “any factor other than sex” defense to factors such as the use of salary history (or other business-related defenses that tend to disproportionately impact pay for women). This law would endorse them.
- Most recent state and local laws have prohibited requesting or relying on salary history. This law would codify the practice.
- Most recent state (and city) pay equity requirements and proposals include pay transparency requirements, such as wage range disclosures to applicants or employees. This law would be silent on the issue.
Unless the governor vetoes HB 770, the law will take effect July 1, 2022.
New York Mandates That Employees Be Informed of Electronic Monitoring
New York recently amended the state’s Civil Rights Law to require employers to provide their employees with prior notice of any telephone, email or internet monitoring. According to the amendment’s sponsor, “notifying employees of computer monitoring protects employee privacy by making sure that they understand the consequences of inappropriate internet activity.” Employers still have the right to monitor any such usage, so long as employees are informed of the surveillance beforehand. The amendment is effective May 7, 2022.
Who must give notice?
Any employer in New York must provide the required written notice if the employer monitors or otherwise intercepts telephone conversations or transmissions; electronic mail or transmissions; or internet access or usage of or by any employee by any electronic device or system. This includes monitoring using computers, telephones, wires, radios, or electromagnetic, photoelectronic and photo-optical systems.
What notice must employers provide?
An employee must be advised that “any and all telephone conversations or transmissions, electronic mail or transmissions, or internet access or usage by an employee by any electronic device or system, including but not limited to the use of a computer, telephone, wire, radio or electromagnetic, photoelectronic or photo-optical systems, may be subject to monitoring at any and all times and by any lawful means.”
How is notice provided?
Employers must give prior written notice upon hiring to all employees who are subject to electronic monitoring. The notice must be in hard copy or in an electronic form and must be acknowledged by the employer in writing or electronically. Additionally, employers must post the notice of electronic monitoring in a conspicuous place where it may be readily viewed by employees who are subject to monitoring.
Is there any exception to the notification requirement?
The notification requirement does not apply to processes that are designed to manage the type or volume of incoming or outgoing electronic mail, telephone voice mail or internet usage. These processes are excluded so long as they are not monitoring or intercepting electronic mail, voice mail, or internet usage of a particular individual and are solely performed for computer system maintenance or protection.
What is the penalty for non-compliance?
The New York Attorney General is authorized to enforce the notification requirement. Employers who violate it may be subject to a civil penalty of up to $500 for the first offense, $1,000 for the second offense, and $3,000 for the third and each subsequent offense.
Employers in New York should review their policies and procedures and prepare appropriate written notices for their employees and postings for their workplaces.
Virginia Amends New Privacy Law
Governor Glenn Youngkin of Virginia recently approved legislation to amend the Virginia Consumer Data Protection Act (VCDPA). In a time when data privacy bills creep through state legislatures only to die in committee, Virginia has not only passed a privacy law, but has also now amended that law. Three bills were recently signed by the Governor to amend the VCDPA. The first, H 381, adds an exemption to the right to delete. Specifically, the new language states that data controllers that have obtained personal data about a consumer from a source other than the consumer shall be deemed in compliance with a consumer’s request to delete such data by either: (1) retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer’s personal data remain deleted from the business’s records and not using such retained data for any other purpose; or (2) opting the consumer out of the processing of such personal data for any purpose except for those exempted pursuant to the VCDPA.
The second amendment to the VCDPA, S 534, abolishes the Consumer Privacy Fund previously established by the VCDPA, and provides that “[a]ll civil penalties, expenses, and attorney fees collected pursuant to this chapter shall be paid into the state treasury and credited to the Regulatory, Consumer Advocacy, Litigation, and Enforcement Revolving Trust Fund.”
The third amendment to the VCDPA, also in S 534, redefines the phrase “nonprofit organization” to now include any political organization that is exempt from taxation under section 501(c)(3) of the Internal Revenue Code. The bill states that “[p]olitical organization means a party, committee, association, fund, or other organization, whether or not incorporated, organized and operated primarily for the purpose of influencing or attempting to influence the selection, nomination, election, or appointment of any individual to any federal, state, or local public office or office in a political organization or the election of a presidential/vice-presidential elector, whether or not such individual or elector is selected, nominated, elected, or appointed.” Nonprofits that meet this new definition will not have to comply with the VCDPA. All of these changes are effective January 1, 2023.
Another Privacy Headache for California: Court of Appeal Ruling Will Slow Down Criminal Background Checks Throughout California
Companies that hire employees and engage independent contractors in California should brace for a significant slowdown in background checks that include criminal record searches in California state courts. This will result from the court of appeal’s opinion in All of Us or None v. Hamrick, which prohibited the Riverside Superior Court from allowing its electronic criminal case index to be searched using an individual’s known date of birth or driver’s license number. Background check companies rely on searching such indexes for most criminal background checks in California state courts. And, while the lawsuit was brought against the Riverside Superior Court only, the court of appeal’s ruling impacts most California state courts, because the court’s ruling was based on a statewide law: California Rules of Court, rule 2.507 (Rule 2.507).
The Court of Appeal’s Opinion
In All of Us or None v. Hamrick, the plaintiffs, including a civil and human rights organization supporting ex-offenders, alleged that Riverside County and its executive officer and clerk allowed users of the Riverside Superior Court’s public website to search the court’s electronic criminal case index by inputting a defendant’s known date of birth and driver’s license number, in violation of Rule 2.507. Rule 2.507 specifies the information to be included in and excluded from court calendars, indexes, and registers of actions.
In the trial court, the defendants successfully argued that allowing the public to search the index using an individual’s known date of birth or driver’s license did not run afoul of Rule 2.507, because the index was not making those identifiers available to the general public in the first instance. But the court of appeal rejected that argument, reasoning the text of the rule was not limited to publicly disclosing only information not otherwise known to the person accessing the index. The court also emphasized the purpose of the rule: protecting the privacy interests of those involved in criminal proceedings.
On September 1, 2021, the California Supreme Court declined to review the court of appeal’s opinion.
Takeaways for Employers
Last year, pandemic-related court closures slowed down criminal background checks nationwide. The delay affected hundreds of businesses seeking to hire employees and engage independent contractors. It also interfered with the ability of thousands of job applicants and prospective contractors seeking to start performing work and providing services. The court of appeal’s opinion threatens to be yet another serious setback in California, because most employers rely on background check companies for criminal background checks, and most background check companies rely on index-based searches to source criminal records, including serious felonies (e.g., rape, murder, arson, etc.).
The problem is not going to be easy to overcome. The fair credit reporting laws, such as the federal Fair Credit Reporting Act (FCRA), outright prohibit background check companies from attributing criminal records to an individual based only on a “match” between the individual’s name and the name of the defendant in the criminal case. These companies use other “identifiers,” such as the full date of birth, to make reliable matches. As a practical matter, without access to date of birth information, background check companies may not be able to complete some criminal record searches at all.
Background check industry groups, such as Professional Background Screening Association (PBSA), are mounting a full court press to try to remedy the situation. However, even if a “fix” is possible, it is not likely to be any time soon. Meanwhile, businesses that conduct criminal background checks should consider doing the following:
- Notifying executives and operations of this development for the sake of planning and business continuity, especially if the company is required to conduct criminal background checks by law or contractual agreement;
- Coordinating with the background check company to receive real-time updates about problematic counties;
- Evaluating existing background check “packages” (i.e., the types of searches included in background checks) to determine whether to fortify them;
- Assessing options for and legal limitations on gathering criminal record information directly from candidates themselves; and
- Assessing pre-hire/engagement paperwork, such as conditional offer letters, to ensure the paperwork includes appropriate contingencies.
Companies should also identify potential indirect issues of concern, for example, how this development in California will impact the ability of their vendors, such as temporary staffing agencies, to meet contractual obligations to do their own vetting. Such vendors will be grappling with these same issues for the foreseeable future.
Indiana Revised Data Breach Notification Statute
Effective July 1, 2022, owners of personally identifiable information on residents of Indiana must provide notice of a data breach no later than 45 days after discovery of the breach. Currently, Indiana’s data breach law requires notice of a breach “without unreasonable delay.” When the amendment goes into effect in July, the 45-day period will be the latest that notice can be given.
The current law’s list of circumstances under which a delay is “reasonable” will continue to apply. Those circumstances include if the delay is “(1) necessary to restore the integrity of the computer system; (2) necessary to discover the scope of the breach; or (3) in response to a request from the attorney general or a law enforcement agency to delay disclosure because disclosure will: (A) impede a criminal or civil investigation; or (B) jeopardize national security.”
If one of these circumstances applies, notice of the breach is required as soon as possible after “(1) delay is no longer necessary to restore the integrity of the computer system or to discover the scope of the breach; or (2) the attorney general or a law enforcement agency notifies the person that delay will no longer impede a criminal or civil investigation or jeopardize national security.” Presumably the 45-day maximum effective July 1, 2022 will not apply in the event of a law enforcement delay.
Companies experiencing a data breach, however, must keep this 45-day period in mind and work expeditiously to identify the scope of the breach and restore their systems. “Personal information” under the Indiana statute covers (1) a Social Security Number that is not encrypted or redacted; or (2) an individual’s first name (or first initial) and last name plus one or more of the following data elements that are not encrypted or redacted: driver’s license number; state identification card number; credit card number; and a financial account number or debit card number in combination with a security code, access code or password.
Washington Employers Will Be Obligated to Disclose Salary, Wage, and Benefits Information for All Job Postings
Washington’s Equal Pay and Opportunities Act has been amended again, placing another disclosure and compliance obligation on Washington employers during the hiring process. This amendment will require employers with 15 or more employees to disclose the wage scale or salary range in job postings, along with a general description of “all of the benefits or other compensation to be offered to the hired applicant.”
Importantly, this law will apply to all positions, including exempt positions. Private-sector employers have often closely guarded salary information for a variety of reasons, including to remain competitive in the market. This new law, designed to promote transparency and close gender pay gaps, will likely create some challenges, so employers should take steps now so they are prepared to comply when this law becomes effective on January 1, 2023.
The Washington EPOA, chapter 49.58 RCW, defines “compensation” to mean “discretionary and nondiscretionary wages and benefits provided by an employer to an employee.” The new law broadly defines “posting” as “any solicitation intended to recruit job applicants for a specific available position.” It includes recruitment “done directly” or “indirectly through a third party,” and postings done electronically or by hard copy.
In contrast, as originally passed, the EPOA requires employers to provide the minimum wage or salary only when an applicant requests, and only after the applicant has initially been offered, a position. The amendment did not alter the EPOA’s requirement to disclose the hourly rate or salary to an existing employee who is offered an internal transfer or promotion only upon request. Lane Powell’s previous legal updates found here and here discussed these requirements of the EPOA.
What the New Law Does Not Tell Us:
Unfortunately, the new law leaves employers guessing about some things:
- Does the requirement pertain to job postings for positions outside the state, including remote positions?
- Does the posting requirement apply to employers with more than 15 employees, but fewer than 15 located in Washington?
- How much detail must be disclosed regarding benefits (e.g., parking subsidy, vacation accruals, equity grants)?
- What are the consequences if the compensation level or benefits change during the hiring process?
Penalties and Consequences of Noncompliance
Employers who violate the new law can be sued. Courts are authorized to award damages of no less than $5,000 (or actual damages, whichever is greater), and reasonable attorneys’ fees and costs. Applicants or employees can also file a complaint with the Department of Labor and Industries, which is authorized to issue civil penalties of at least $500, and award actual damages and attorneys’ fees and costs to the complaining party.
What Should Employers Do Now?
In anticipation of the January 1, 2023 effective date, employers should conduct privileged internal audits and consider doing so with the assistance of counsel to protect privilege. Recommended steps include:
- Auditing employee compensation to ensure employees (exempt and non-exempt) are paid consistently with established market rates and without regard to gender.
- Conducting a pay-equity analysis to ensure parity in compensation before disclosure obligations take effect, and continuing to monitor for compliance with the new law.
- Establishing objective standards or criteria to determine where an applicant will fall within the range established for a position.
Connecticut Privacy Bill Passes Senate
On April 20, 2022, Connecticut’s Senate passed S.B. 6, an Act concerning Personal Data Privacy and Online Monitoring. The comprehensive privacy bill will now move to the Connecticut House, where it has the potential to become the nation’s fifth state privacy bill. If the bill becomes law, its major provisions would go into effect on July 1, 2023. The Connecticut House has until May 5 to consider the bill before the current legislative session ends.
The Connecticut proposal shares many similarities with the laws already set to go into effect in 2023 but seems to have the most in common with Virginia’s Consumer Data Protection Act. Like the Virginia law, the Connecticut proposal does not allow for any rulemaking for the attorney general’s office (which has exclusive enforcement authority). It does, however, allow for the creation of a working group that would make recommendations to the legislature as to potential amendments to the law (which also happened with Virginia). One notable difference between the Connecticut proposal and the Virginia law is that the relevant exemptions for data regulated under certain federal laws seem to be narrower in Connecticut (e.g., there are not any broad-based exemptions for covered entities or business associates regulated under HIPAA; the relevant HIPAA exemption instead applies to protected health information regulated under HIPAA).
While businesses would have to account for some of the technical differences in the Connecticut proposal if it were to go into effect, most of the compliance efforts that businesses have taken to comply with California, Virginia, Colorado, and Utah would also apply to Connecticut. It does not create many new data processing obligations for businesses. Companies should also keep an eye out for federal privacy proposals, as a fifth law may increase the appetite for comprehensive privacy legislation in Congress.
Below are key provisions of the Connecticut Act:
- Applies to persons that conduct business in Connecticut or that produce products or services that are targeted to Connecticut residents and that during the preceding calendar year: (1) controlled or processed the personal data of at least 100,000 consumers (excluding personal data controlled or processed to complete payment transactions); or (2) controlled or processed the personal data of at least 25,000 consumers and derived more than 25% of gross revenue from the sale of personal data.
- Exempts various entities and information types, including certain government entities; covered entities and business associates under HIPAA; information governed by HIPAA; financial institutions or data subject to certain GLBA provisions; nonprofit organizations; institutions of higher education; and personal data regulated by FERPA.
- Creates individual rights for consumers, including 1) the right to confirm whether a controller is processing their personal data, and the right to access their personal data; 2) the right to correct inaccuracies in their personal data; 3) the right to delete the personal data provided to the controller; 4) the right to obtain a copy of their personal data in a format that is portable, readily usable, and allows the consumer to transmit the data to another controller without hindrance; and 5) the right to opt out of the processing of their personal data for the purposes of a) targeting advertising, b) the sale of personal data, or c) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects concerning the consumer.
- Mandates that controllers provide consumers with a privacy notice with the following information: 1) the categories of personal data processed; 2) the purposes for which the categories of personal data are processed; 3) how consumers may exercise a right; 4) the categories of personal data that the controller shares with third parties; 5) the categories of third parties with whom the controller shares personal data; and 6) an active electronic mail address or other online mechanism that the consumer may use to contact the controller.
- Incorporates privacy by design principles, including requiring controllers to (1) limit the collection of data to what is adequate, relevant and reasonably necessary in relation to the purpose for which data is processed (as disclosed to customers), (2) not process personal data for purposes that are neither reasonably necessary to, nor compatible with, the disclosed purposes for which the data is being processed (unless the controller obtains consent), and (3) establish, implement, and maintain data security practices, among other requirements.
- Creates requirements for the processing of “sensitive data,” including requiring that controllers obtain the consumer’s consent.
- Requires that controllers comply with opt-out requests received from a consumer’s authorized agent, which can include a global device setting or browser setting.
- Does not create a private right of action. Violations are only enforceable by the Connecticut AG’s office.
- Creates a sixty-day cure period once the AG provides written notice of an alleged violation, during the period from July 1, 2023 to December 31, 2024. Starting January 1, 2025, the bill gives the AG discretion to provide an opportunity to correct an alleged violation.
- Violations of the law would be treated as unfair trade practices under Connecticut law.
- Does not create any rulemaking authority for the Connecticut Attorney General; creates a working group to make recommendations to amend the law to the Connecticut legislature.
- Major provisions of the bill go into effect on July 1, 2023.
Eighth Circuit Holds Article III Standing Was Lacking for an Alleged Violation of the FCRA’s “Pre-Adverse Action” Notice Provision
On April 4, 2022, the U.S. Court of Appeals for the Eighth Circuit joined the Ninth Circuit in holding that a plaintiff lacked Article III standing to prosecute her statutory claims under the Fair Credit Reporting Act (FCRA) in federal court. The Eighth Circuit’s opinion in Schumacher v. SC Data Center, Inc. deepens the split between the circuit courts on standing and increases the chances that the U.S. Supreme Court eventually will have to weigh in on the issue again.
Background: Spokeo and Ramirez
Over the past several years, the U.S. Supreme Court has reinvigorated the constitutional concept of “Article III standing” in two decisions involving the FCRA. In this context, Article III standing requires that a plaintiff prove a concrete “injury-in-fact” from alleged unlawful conduct to establish a federal court’s jurisdiction to hear the claim.
In May 2016, in Spokeo v Robins, the U.S. Supreme Court declared that a plaintiff does not “automatically” have the requisite injury-in-fact “whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right.” The plaintiff had alleged that the defendant was a “consumer reporting agency” (CRA) (which it disputed) and had violated the FCRA by reporting inaccurate information about him. The Supreme Court held that the Ninth Circuit’s analysis, which had found standing, was incomplete because it did not address the “concreteness” element of standing—i.e., whether the statutory violation caused some “real” harm that “actually exists in the world.”
Then, in June 2021, the Supreme Court doubled down on the Spokeo standing principles. It held, in Ramirez v Trans Union, that each class member in an FCRA class action, not just the named plaintiff, had to prove Article III standing before a judgment could be awarded. Ramirez involved allegations that the defendant, a CRA, inaccurately matched the named plaintiff and class members to the Office of Foreign Assets (OFAC) database. The CRA had provided the allegedly inaccurate matches in consumer reports to third parties for the plaintiff and some class members, but had never disseminated the allegedly inaccurate information to any third parties for other class members. The Supreme Court held that where the information had not been published to any third party and the class members could not show any actual harm stemming from the allegedly inaccurate OFAC match, the class members had no standing to pursue their claims. The Supreme Court summarized: “No concrete harm, no standing.”
The Eighth Circuit’s Decision
The Eighth Circuit applied the Supreme Court precedent to FCRA claims against an employer in Schumacher v. SC Data Center, Inc. On behalf of a putative class, the plaintiff alleged the all-too-familiar claims that (1) the defendant allegedly provided a background check disclosure form that was not “clear and conspicuous” and contained “extraneous” information, and (2) the defendant allegedly failed to provide a proper “pre-adverse action notice” before rescinding her contingent job offer based on a background check. The plaintiff also added a third, less-common, theory that the employer allegedly unlawfully procured her background check because the authorization she signed referred only to “an independent investigation of [her] criminal records maintained by public and private organizations,” without using the phrase “consumer report.” The Eighth Circuit held that the plaintiff lacked Article III standing as to each of her theories and remanded the case back to the district court with instructions to dismiss the case for lack of jurisdiction.
As to the disclosure claim, the Eighth Circuit held that the mere fact the disclosure was in a small font and allegedly contained statements unrelated to the fact a consumer report would be obtained was not itself a concrete “injury-in-fact.” The plaintiff failed to plead any specific facts of any “real-world harm” flowing from the alleged statutory violation of the FCRA’s disclosure provision. Thus, even though the plaintiff alleged the form contained an unlawful release of liability, a statement that the company could terminate employment if she provided false information, and additional statements about potential rights that could apply if there was an adverse action, the plaintiff lacked standing.
As to the pre-adverse action claim, the Eighth Circuit acknowledged that it was undisputed for purposes of its ruling that the plaintiff did not receive a copy of her background report before she was informed her offer was rescinded. But the plaintiff failed to allege she suffered any harm material to the purposes of the FCRA’s pre-adverse action provision. The plaintiff attempted to manufacture harm by asserting that she was deprived of the opportunity to discuss or explain the report before the employer decided to rescind the offer. But the Eighth Circuit found this alleged “harm” was immaterial; the only right the FCRA’s text contemplated was to dispute inaccurate information with the CRA, not to discuss or explain the report with the employer. Since the plaintiff could not allege the report was inaccurate, the ability to dispute the accuracy of the report with the CRA would have made no difference to the plaintiff. Therefore, the plaintiff also lacked standing on her pre-adverse action claim.
As to the authorization claim, the Eighth Circuit held that the authorization did not have to specifically use the term “consumer report” to be valid. The authorization was broad enough to encompass all types of record searches that the employer had ordered in the background report on the plaintiff, as the authorization permitted the search of “criminal records maintained by public and private organizations.” The court noted that the report consisted of criminal record searches, and even the sex offender registry search consisted of public record information from a national sex offender registry website that itself ultimately derived from criminal records. Even assuming, for the sake of argument, the sex offender search went beyond the language of the authorization—as the plaintiff claimed—the Eighth Circuit still found Article III standing would fail. The plaintiff had not pled any specific facts to show an actual invasion of privacy from the search; just referring to an “invasion of privacy” in a conclusory manner was insufficient to save the claim from dismissal.
Standing to proceed with FCRA claims in federal court is an evolving area of the law. While the Eighth Circuit found for the employer in this case, the Third Circuit reached the opposite conclusion with regard to the pre-adverse action claim. Moreover, the FCRA allows lawsuits in federal or state court (known as “concurrent jurisdiction”). Thus, although Article III standing may be a potent defense in some federal and state courts, it is not necessarily a complete defense in jurisdictions with lax standing rules, such as California. The key to minimizing legal risk is thus to be hyper-vigilant about compliance with the employment-related requirements of the FCRA.
Pennsylvania federal district court rules public records vendor is consumer reporting agency subject to Fair Credit Reporting Act
A Pennsylvania district court has ruled that a company that provides reports based on a search of public records is a “consumer reporting agency” (CRA) as defined by the Fair Credit Reporting Act.
In McGrath v. Credit Lenders Service Agency, Inc., the plaintiffs applied to a bank for a loan to refinance their home mortgage. The bank engaged Credit Lenders Service Agency (CLSA) to conduct a public records search on the plaintiffs and provide a report. To prepare a report, CLSA subcontracted with people who go to various record repositories (e.g., directories of open judgments and municipal liens maintained by courts) to conduct a physical search and send the results to CLSA. CLSA’s report to the bank about the plaintiffs erroneously listed outstanding civil judgments against them. The plaintiffs claimed that they contacted CLSA, which refused to investigate the alleged inaccuracies.
The plaintiffs sued CLSA, alleging that it violated the FCRA by failing to follow reasonable procedures to assure maximum possible accuracy when preparing a consumer report (15 U.S.C. Sec. 1681e(b)) and by failing to conduct a reasonable reinvestigation of the plaintiffs’ dispute (15 U.S.C. Sec. 1681i(a)). CLSA moved for summary judgment, asserting that it was not subject to the FCRA as a matter of law because it was not a CRA and did not supply “consumer reports” within the meaning of the FCRA. It also asserted that even if it was subject to the FCRA, no reasonable juror could find that it violated either FCRA provision.
As an initial matter, the district court found that CLSA was a CRA. In doing so, it rejected CLSA’s argument that an entity can only be a CRA if it issues “consumer reports.” Based on the FCRA definitions of the terms CRA and “consumer report,” the district court concluded that to be a CRA, an entity does not actually have to furnish “consumer reports” but instead must act for the purpose of furnishing “consumer reports.” Thus, an entity could be a CRA if it acted for the purpose of furnishing “consumer reports” even if it never produced a report or the intended report is determined not to be a “consumer report.” Stated differently, “the Court does not need to determine that an entity actually produced a ‘consumer report’ to find that it is a [CRA].” However, the court indicated that the opposite was not true, meaning the FCRA’s definition of “consumer report” does require the report to come from a CRA.
Turning to the issue of whether CLSA was a CRA, the court found that CLSA’s operations satisfied the elements of the FCRA definition. In addition to receiving monetary fees and using interstate commerce, the other elements of the CRA definition require an entity to regularly engage in the practice of assembling or evaluating consumer credit information or other information on consumers for the purpose of furnishing consumer reports to third parties. CLSA argued that it was not “assembling” information but had only accessed records of open judgments on the court’s database that were assembled by the court. The court rejected this argument, finding that the judgments were only a portion of the report, which included other information such as outstanding mortgages, home value, and other outstanding liens. According to the court, “assembling” does not require the changing of contents but only requires the gathering and grouping of information. The court also found that CLSA’s reports were “consumer reports” for purposes of the FCRA.
With regard to CLSA’s alleged FCRA violations, the court was unwilling to grant summary judgment in favor of CLSA on the plaintiffs’ claim that CLSA had negligently violated Section 1681e(b) by failing to follow reasonable procedures to assure maximum possible accuracy when preparing consumer reports. Among the elements that must be established to prove a Section 1681e(b) violation is that inaccurate information was included in a consumer report due to a CRA’s failure to follow reasonable procedures. The district court refused to follow the Seventh Circuit’s 1994 decision in Henson v. CSC Credit Services, which held that as a matter of law, a CRA does not violate the FCRA by reporting inaccurate information obtained from a court’s judgment docket absent prior notice from the consumer that the information may be inaccurate. According to the court, Third Circuit decisions had made clear that the reasonableness of a CRA’s procedures is a jury question and because there was evidence that CLSA took no steps to check the accuracy of the information it provides to customers and CLSA had not introduced evidence to show that its procedures were reasonable, a reasonable jury could find its procedures were unreasonable.
The court did, however, grant summary judgment in favor of CLSA on the plaintiffs’ claims that CLSA had willfully violated Section 1681e(b) and that it had negligently and willfully violated Section 1681i(a) by failing to conduct a reasonable reinvestigation of the plaintiffs’ dispute. According to the court, based on Henson and the absence of direct Third Circuit precedent, CLSA’s reading of Section 1681e(b) could have reasonably found support in the courts. As a result, its Section 1681e(b) violation was not willful. As to the plaintiffs’ Section 1681i(a) claims, the court found that because there was no evidence in the record that the plaintiffs had notified CLSA of an error and requested a reinvestigation, there was no genuine dispute of material fact whether CLSA had negligently or willfully failed to conduct a reasonable reinvestigation.
Wisconsin Supreme Court Strengthens Employers’ Defenses in Some Arrest and Conviction Record Discrimination Cases
The Wisconsin Supreme Court recently released its decision in Cree, Inc. v. Labor and Industry Review Commission, overturning long-established precedent regarding when an applicant with a domestic violence conviction record may be disqualified from the position because the conviction is “substantially related” to it. Wisconsin Stat. § 111.335(3) prohibits discrimination based on an applicant’s or employee’s arrest or conviction record unless the record is “substantially related” to the underlying position.
The state Labor and Industry Review Commission’s (LIRC) longstanding application of the “substantially related” test to domestic violence crimes hinged on the intimate, household-related nature of such crimes, which LIRC concluded is inherently missing from a workplace setting. Essentially, LIRC’s application of the exception assumed that domestic abusers would not engage in the same conduct with co-workers or customers, meaning that crimes of domestic violence almost never related to the underlying job.
In 2013, Derrick Palmer was convicted of eight domestic violence crimes against his girlfriend — two counts of felony strangulation and suffocation, four counts of misdemeanor battery, one count of fourth degree sexual assault, and one count of criminal damage to property. Two years after he was released from prison, he applied for an open Applications Specialist position at Cree, Inc., a 600,000 square-foot facility employing more than 1,000 people. The position required the employee to have access to almost the entire Cree facility, required the employee to sometimes be on location at customers’ facilities and to even travel overnight independently to trade shows. The employee was expected to operate largely without supervision.
Cree offered Palmer the Applications Specialist job subject to a standard background check. The background check revealed Palmer’s 2013 convictions. Cree referred the matter to its general counsel who reviewed Palmer’s conviction record using a matrix that categorized each of Palmer’s convictions as a “fail.” Cree then rescinded its offer of employment to Palmer.
Palmer filed a discrimination claim with the Wisconsin Department of Workforce Development that after years of litigation ultimately reached LIRC. LIRC applied its longstanding rule that crimes occurring in an exclusively “domestic setting” were not substantially related to the position at Cree and that the employer’s decision to rescind its offer was unlawful.
The Court’s New Rule
In reviewing the company’s appeal of the matter, the Wisconsin Supreme Court immediately clarified that the plain meaning of “substantially related” requires that the employer show that the facts, events, and conditions surrounding the convicted offense materially relate to the facts, events, and conditions surrounding the job. Essentially, it held, the purpose of the substantial relationship test is to “[a]ssess whether the tendencies and inclinations to behave a certain way in a particular context are likely to reappear later in a related context, based on the traits revealed.”
The conflicting appellate history of the case coupled with LIRC’s unworkable, de facto exception for domestic violence crimes, highlighted the need to clarify how employers, LIRC, and reviewing courts should apply the substantial relationship test to domestic violence convictions. The Court examined two essential factors in determining whether a crime is “substantially related” to employment:
1. The specific circumstances in the workplace that could lead to recidivism. Here, the crimes of domestic violence necessitated that the abuser have the opportunity to isolate his victim(s).
When examining the circumstances of the job at Cree that might allow a perpetrator to isolate a victim, Cree’s “large, loud, and unsupervised facility provides cover for criminal activity.” Moreover, Palmer would be “largely independent as an Applications Specialist, with no day-to-day supervision” and the independent and interpersonal circumstances of the position and the opportunities created by unsupervised travel created significant opportunities to isolate a victim.
2. The existence of character traits that would indicate willingness to repeat the offense. The court emphasized that certain crimes exhibited the existence of certain undesirable character traits. It reasoned that “crimes of domestic violence, like other violent crimes, indicate a character trait of willingness to use violence against others” and that circumstances threatening a “perpetrator’s power and authority” could “trigger a violent response.”
Applying this factor, the Court held that the character traits exhibited by convictions of domestic violence indicate a “willingness to use violence to exert power and control over others,” which substantially relates to the independent and interpersonal nature of a pre- and post-sales job like the Applications Specialist position.
The Court also considered the seriousness of Palmer’s convictions (“the more serious the offense, the less we can expect an employer to carry the risk of recidivism”), the recentness of the conviction (about two years) and the existence of an emerging pattern of criminal behavior (Palmer was previously convicted of domestic violence crimes against a different partner).
While the Wisconsin Supreme Court’s decision in Cree is limited to crimes of domestic violence, it nonetheless should come as welcome relief for employers. First, the decision finally allows Wisconsin employers to consider an applicant’s conviction for crimes of domestic violence as potentially disqualifying, which previously carried great risk for successful discrimination claims under the Wisconsin Fair Employment Act. Second, employers can easily apply the practical framework to most workplaces to assess the likelihood of recidivism, given the nature of the position, the physical layout of their facilities, and the violent nature of the underlying offense. In the midst of other hiring woes, Wisconsin employers can now more comprehensively assess the actual risk of an applicant repeating his conduct and threatening the safety of employees, customers, and the public.
For employers throughout the nation, the Cree case serves as a useful reminder of the many nuanced issues (which can often vary significantly based on state and crime) in evaluating employees’ and applicants’ criminal background checks.
Ninth Circuit Finds Standing in FCRA File Disclosure Case but Rejects Expansive View of Definition of “File”
The Ninth Circuit recently affirmed a Central District of California decision, denying a motion to remand and granting a motion to dismiss in Tailford, No. 20-56344, 2022 U.S. App. LEXIS 5357, at *11-12 (9th Cir. Mar. 1, 2022). Plaintiffs Theresa Tailford, Sanford Buckles, and Jeffrey Ruderman sued a national credit bureau for FCRA violations, alleging failure to disclose certain information in the file disclosures the credit bureau provided upon request.
After the national credit bureau removed the case to federal court, the plaintiffs moved to remand to state court, arguing that their allegations regarding their ability to protect privacy interests in connection with the Section 1681g violations were insufficient to satisfy Article III’s concrete harm requirement. The Ninth Circuit disagreed, finding the Section 1681g claim at issue was distinguishable from the disclosure claims that the Supreme Court in Ramirez found lacked standing. The court reasoned that standing existed “because the plaintiffs here have alleged a sufficiently concrete injury — they alleged that without complete information in their § 1681g disclosures, they are unable to adequately opt out of certain disclosures to other parties and ensure fair and accurate reporting of their credit information.”
Finding the plaintiffs had standing, the Ninth Circuit then turned to the merits of the claim. The plaintiffs specifically claimed the national credit bureau’s disclosures violated 15 U.S.C. §1681g in several respects, including that the disclosures did not include several pieces of information required by the FCRA, such as behavioral data from the credit bureau’s ConsumerView database, inquiries from third parties and affiliates, the identity of parties who procured consumer reports, and the date on which employment data was reported.
The District Court rejected this argument finding the following:
- The national credit bureau was not obligated to include “behavioral data” in its Section 1681g disclosure because it was not part of the consumer’s “file” under the FCRA and “was not information that was or might be furnished in a consumer report … .”
- The national credit bureau was not obligated to include soft inquiries because “such inquiries were never included in consumer reports.”
- The national credit bureau was not obligated to include the dates on which employment was reported to the credit bureau because that information “has nothing to do with a consumer’s eligibility for credit, insurance, or employment information and is not the kind of information that might be furnished in a consumer report.”
The District Court also held that while the FCRA required the national credit bureau to disclose entities that procured a consumer report, the plaintiffs failed to plausibly allege Alteryx (a data analytics company) was a procuring party. Finally, the District Court held that the credit bureau was not required to identify the particular end users omitted from the Section 1681g disclosure.
On appeal, the Ninth Circuit affirmed. It reviewed the FCRA’s definition of “file” and relied on its prior decision in Shaw, which held “[a] consumer’s file includes all information on the consumer that is recorded and retained by a [CRA] that might be furnished, or has been furnished, in a consumer report on that consumer.”
The court noted that while it agreed with the plaintiffs “that a consumer’s ‘file’ is not limited to information previously contained on a consumer report, the word ‘file’ cannot be given the expansive definition suggested at first glance by the phrase ‘might be furnished.’” With that context, the court reasoned information that “might be furnished” is “instead more reasonably interpreted to mean information similar to that shown to have been included by the CRA in a consumer report in the past or planned to be included in the future. On this record, none of the information the plaintiffs contend [the national credit bureau] failed to disclose is of the type that has been included in a consumer report in the past or is planned to be included in such a report in the future.”
On the soft inquiry issue, the court held that Section 1681g(a)(1) was “inapposite because there is no dispute that the listed inquiries were ‘soft inquiries’ that by definition ‘cannot be viewed by third parties who request a consumer’s credit report’ and ‘cannot be taken into consideration in the lending process.’” In short, soft inquiries are simply not part of a consumer file under Section 1681g.
On the third-party and affiliate-inquiry issue, the court also rejected the plaintiffs’ position that inquiries must be disclosed. Instead, the court instructed that CRAs must disclose “each person (including each end-user identified under section 1681e(e)(1) of this title) that procured a consumer report.” A prerequisite of a disclosure under that section is “the actual procurement of a consumer report by an identified party.” The court noted that the plaintiffs did not allege the national credit bureau actually sent the inquiring parties anything, or that whatever was sent was a consumer report.
This court’s opinion provides a detailed analysis of the components of a consumer’s file disclosures and provides guidance as to what CRAs should be disclosing and what information need not be disclosed as part of this process.
Ninth Circuit draws line on FCRA required disclosures
In Theresa Tailford, et al. v. Experian Information Solutions, the U.S. Court of Appeals for the Ninth Circuit recently affirmed a district court decision which held that Experian Information Solutions, Inc. did not violate the Fair Credit Reporting Act because none of the information the plaintiffs alleged Experian should have disclosed was subject to disclosure by a consumer reporting agency (CRA) under the FCRA.
In their underlying putative class action, plaintiffs argued that under 15 U.S.C. § 1681g(a)(1), (3), and (5), Experian was required to disclose, in addition to its traditional credit information (credit accounts, creditors, debts, and credit inquiries), other types of information stored by Experian for various purposes, including (i) behavioral data from its “ConsumerView” marketing database; (ii) “soft” credit inquiries from third parties and affiliates; (iii) the identity of all parties who procured consumer reports from Experian; and (iv) the date on which employment data was reported to Experian.
Section 1681g(1) provides that, upon a consumer’s request, a CRA must provide “[a]ll information in the consumer’s file at the time of the request [subject to exceptions not relevant to the appeal].” The plaintiffs argued that under § 1681g(1), “[a]ll information in the consumer’s file” should be interpreted to mean that CRAs must furnish even information for internal and marketing use. Experian filed a motion to dismiss for failure to state a claim, and the district court held that Experian had no obligation to include the information alleged to be missing by plaintiffs in its § 1681g disclosures. The district court dismissed the plaintiffs’ lawsuit with prejudice.
On appeal, the Ninth Circuit agreed with Experian and the district court, holding that none of the information alleged to be missing from Experian’s disclosures was required to be disclosed under § 1681g. The panel, first looking to § 1681g(a)(1), focused on what constitutes “all information in the consumer’s file,” and determined that such information did not constitute all information that “might be furnished” as argued by the plaintiffs. While agreeing with the plaintiffs that a consumer’s “file” was not limited to information that was previously contained in a consumer report, the Ninth Circuit determined that it only included “information similar to that shown to have been included by the CRA in a consumer report in the past or planned to be included in the future.” The Ninth Circuit found that none of the information that the plaintiffs alleged Experian should have disclosed was of this type.
Additionally, the Ninth Circuit rejected the plaintiffs’ argument that Experian should have disclosed certain of the “soft inquiries” under § 1681g(a)(3), which requires disclosure of each person who has procured a consumer report. The Ninth Circuit indicated that actual procurement of a consumer report by an identified party is necessary to trigger disclosure under § 1681g(a)(3) and the plaintiffs had failed to allege that the parties making “soft inquiries” were actually sent anything by Experian or that what was sent was a consumer report.
The Ninth Circuit also rejected the plaintiffs’ argument that because two of the “soft inquiries” were promotional inquiries, they should have been disclosed under § 1681g(a)(5). § 1681g(a)(5) requires the disclosure of inquiries received by a CRA during the 1-year period preceding the consumer’s request “that identified the consumer in connection with a credit or insurance transaction that was not initiated by the consumer.” The Ninth Circuit indicated that the provision’s reference to a “transaction” meant that it only applies to inquiries leading to a firm offer of credit, and the plaintiffs had failed to allege that the two inquiries led to an offer.
Accordingly, the Ninth Circuit affirmed the district court’s dismissal of the plaintiffs’ claims with prejudice. While the Ninth Circuit was unwilling to accept the plaintiffs’ broad reading of what must be disclosed under § 1681g, the decision should serve as a reminder to CRAs to review their policies and procedures for responding to consumer requests under § 1681g to confirm they are disclosing all required information.
Illinois Federal Court Holds That BIPA Applies To Photographs
Seyfarth Synopsis: In Sosa v. Onfido, Inc., No. 20-CV-4247, 2022 U.S. Dist. LEXIS 74672 (N.D. Ill. Apr. 25, 2022), the Court issued the latest plaintiff-friendly decision under the Illinois Biometric Information Privacy Act (“BIPA”), putting businesses and employers on notice that the statute can apply to photographs in addition to the typically alleged facial and hand scans. The Court denied the Defendant’s motion to dismiss on the basis that: (1) photographs and information derived from photographs are protected by BIPA; (2) Plaintiff sufficiently pleaded a claim for liquidated damages; and (3) the BIPA does not violate the First Amendment.
Plaintiff filed suit alleging that the Defendant markets and sells proprietary facial recognition software that is used by online businesses to verify consumers’ identities. Id. at *2. To verify a consumer’s identity, the consumer first uploads a copy of his or her identification and a facial photograph. Id. The software then scans the identification and photograph to locate the facial images on each document; extracts a unique numerical representation of the shape or geometry of each facial image, which is often called a ‘faceprint’; compares the faceprints from the consumer’s identification and photograph; and generates a score based on the similarity of the faceprints. Id. The software also can compare the faceprints obtained from a consumer’s identification or photograph with other biometric data in Defendant’s database, such as the biometric data of known masks or other consumers’ photographs. Id. at *2-3. Online businesses can integrate the software into their products and mobile apps in such a way that consumers seeking to verify their identities likely do not know that they are interacting with and providing their sensitive information to Defendant, a third party. Id. at *3.
Plaintiff was a member of an online marketplace that partnered with Defendant to verify its users’ identities using Defendant’s software. Id. Plaintiff claimed that, in April 2020, Plaintiff verified his identity in the online marketplace and that Defendant allegedly used its software to scan Plaintiff’s face, extract his faceprints, and compare the two photographs, and that Defendant then kept his unique faceprint in a database and accessed it every time another person used Defendant’s verification process. Defendant purportedly did not inform Plaintiff that it would collect, store, or use his biometric identifiers derived from his face, and Plaintiff never signed a written release allowing Defendant to do so. Id. at *3-4.
Plaintiff filed suit against Defendant in the Circuit Court of Cook County, Illinois, alleging that it violated the BIPA, 740 Ill. Comp. Stat. 14/1 et seq., seeking to represent himself and a putative class of Illinois residents “who had their biometric identifiers or biometric information, including faceprints, collected, captured, received, otherwise obtained, or disclosed by Defendant while residing in Illinois.” Id. at *4. Defendant removed the lawsuit based on diversity jurisdiction and the Class Action Fairness Act (“CAFA”). Id. at *5. After the Court denied Defendant’s motion to compel arbitration (and the Seventh Circuit affirmed), Defendant moved to dismiss on the grounds that: (1) Plaintiff did not state a viable claim under the BIPA because the information Defendant allegedly collected — photographs and information derived from photographs — is not protected by the BIPA; (2) Plaintiff failed to adequately state a claim for liquidated damages; and (3) the BIPA violates the First Amendment.
The Court’s Decision
The Court denied Defendant’s motion to dismiss on all three grounds.
The BIPA’s Application To Data Derived from Photographs
The Court first addressed the argument that Plaintiff failed to state a claim under the BIPA because Defendant’s software captured information from user-submitted photographs, and neither photographs nor information derived from photographs are covered by the BIPA. The Court’s analysis turned on Section 10 of the BIPA, which defines “biometric information” and “biometric identifier” and also lists items that do not fall under those definitions — specifically, “biometric identifiers do not include photographs, and biometric information ‘does not include information derived from items or procedures excluded under the definition of biometric identifiers.’” Mem. Op. & Order at 11 (quoting 740 ILCS 14/10). The Court acknowledged that data derived from photographs is not “biometric information,” but it held that data derived from photographs in the form of “scans of face geometry” can constitute biometric identifiers. Id. at 11-12 (“As alleged . . ., [defendant’s] software scans identification cards and photographs to locate facial images and extracts a unique numerical representation of the shape or geometry of each facial image, which [plaintiff] refers to as a ‘faceprint.’ The faceprints extracted by [defendant] plausibly constitute scans of face geometry and, therefore, ‘biometric identifiers’ under BIPA.”) (internal citations omitted).
The Court rejected the argument that the data cannot be a “scan of face geometry” because it did not involve the scan of plaintiff’s “actual face, but rather, a scan of a photograph of his face,” holding that “[n]othing in the BIPA’s text . . . supports [defendant’s] contention that a scan of face geometry must be an ‘in person’ scan.” Id. at 14 (citation omitted).
Request For Liquidated Damages
The Court next turned to Defendant’s argument that Plaintiff’s request for liquidated damages should be dismissed because he failed to allege facts from which it reasonably could be inferred that Defendant negligently, recklessly, or intentionally violated BIPA. The court held that Plaintiff need not plead Defendant’s state of mind to allege a BIPA claim and that dismissing Plaintiff’s request for liquidated damages was unwarranted because the request sought a particular remedy (which is “distinct from [plaintiff’s] underlying claim for relief based on BIPA”). Id. at 18.
BIPA authorizes a prevailing party to recover, inter alia, the greater of actual damages or $1,000 in liquidated damages for each negligent BIPA violation and the greater of actual damages or $5,000 in liquidated damages for each intentional or reckless BIPA violation. 740 ILCS 14/20(1), (2). Importantly, Plaintiff sought not only liquidated damages but also injunctive relief and relief in the form of reasonable attorneys’ fees, costs, and expenses — the latter forms of relief having no associated mental state requirement. See Mem. Op. & Order at 19-20 (“Nor does [plaintiff] need to allege facts suggesting any level of culpability to plausibly state a BIPA claim in the first place,” as “[Plaintiff] may obtain injunctive relief or attorneys’ fees — as he has requested — regardless of whether [Defendant’s] actions are proven to be negligent, reckless, or intentional.”).
Finally, the Court addressed the argument that BIPA Section 15(b) — which requires a private entity to obtain informed consent before collecting an individual’s biometric data — violates the First Amendment as applied by restricting Defendant’s speech and its collection of “information voluntarily provided by consumers to identify themselves as marketplace users.” Id. at 24. The Court held that (1) Section 15(b) does not restrict defendant’s speech (meaning the First Amendment does not apply), and (2) even if Section 15(b) restricted defendant’s speech, it is a content-neutral restriction that survives the applicable level of First Amendment scrutiny (i.e., intermediate scrutiny).
In holding that Section 15(b) does not regulate Defendant’s speech, the Court reasoned that Section 15(b) “does not prohibit or otherwise restrict what a private entity may do with an individual’s biometric data once the data is obtained”; instead, Section 15(b) “regulates [D]efendant’s ability to obtain an individual’s biometric data by requiring [Defendant] to acquire the individual’s informed consent before doing so.” Mem. Op. & Order at 24. The Court relied on Dahlstrom v. Sun-Times Media, LLC, 777 F.3d 937 (7th Cir. 2015), where the Seventh Circuit held that the Driver’s Privacy Protection Act’s (the “DPPA”) “prohibition on obtaining information from driving records” did not restrict speech because it limited only “access to information.” Mem. Op. & Order at 24 (citation omitted). Sosa reasoned that “[l]ike the DPPA provision at issue in Dahlstrom, Section 15(b) burdens a party’s ability to access certain information.” Id. at 25.
The Court further held that, even if Section 15(b) restricted Defendant’s speech, it would nonetheless survive intermediate scrutiny under the First Amendment. The Court applied the four-prong intermediate scrutiny test set forth in Central Hudson Gas & Electric Corp. v. Public Service Commission of New York, 447 U.S. 557 (1980):
- First, courts ask whether the commercial speech concerns unlawful activity or is misleading (if so, the speech is not protected by the First Amendment);
- if the speech concerns lawful activity and is not misleading, courts next ask whether the asserted governmental interest is substantial;
- if it is, then courts determine whether the regulation directly advances the governmental interest asserted; and
- finally, courts ask whether the regulation is more extensive than necessary to serve that interest.
Regarding the first step, the Court held that the at-issue commercial speech does not concern unlawful activity and is not misleading because Section 15(b) “regulates both the misleading and non-misleading collection of biometric data.” Mem. Op. & Order at 31. But the Court held that Section 15(b) passes muster under steps (2) through (4). At the second step, the Court determined that Section 15(b) is supported by a substantial governmental interest — namely, the interest in protecting consumers’ rights to privacy in and control over their biometric data. At the third step, the Court held that Section 15(b) directly advances the government’s interest because the harms identified by the Illinois legislature are real and Section 15(b) alleviates those harms “to a material degree.” Id. at 33. Finally, the court held that Section 15(b) is not more extensive than necessary to serve the government’s interest, as: (1) Section 15(b) “does not outright prohibit companies . . . from obtaining biometric data; it merely requires them to obtain informed consent before doing so”; and (2) “it is not too onerous to require a company that wants to collect a consumer’s sensitive and immutable biometric data to obtain the consumer’s consent before doing so.” Id. at 35.
Sosa is one of several recent plaintiff-friendly BIPA decisions, and it reinforces the unanimous interpretation among courts to date that the BIPA can apply to data derived from photographs. The Sosa decision also seemingly tends to undermine the defense argument that a BIPA plaintiff must allege facts demonstrating negligence, recklessness, or intent to state a claim and request liquidated damages under the statute.
Significant questions remain, however, regarding the BIPA’s application to companies that collect biometric information. For one, the Court’s First Amendment analysis regarding Section 15(b) suggested that the same analysis might lead to the conclusion that claims brought under Sections 15(c) and/or 15(d) (which prohibit (i) profiting from biometric data and (ii) disclosing biometric data without consent, respectively) do violate the First Amendment. See Mem. Op. & Order at 27 (noting that statutory provisions restricting the sale, disclosure, and use of information “undoubtedly restrict speech”). Other important questions will be decided in appeals pending before the Illinois Supreme Court, including the question whether claims asserted under Sections 15(b) and 15(d) accrue only once upon the initial collection or disclosure of biometric information, or each time a private entity collects or discloses biometric information (see here), and the limitations period applicable to BIPA claims.
Trends for Data Protection Enforcement in Mexico
According to its press release, throughout 2021 the Mexican Data Protection Authority (INAI) imposed fines of approximately $4.5 million on individuals and/or legal entities that had infringed the Data Privacy Law.
In 2021, a total of 1,930 complaints were filed before the INAI for the unlawful processing of personal data, where the most relevant sectors are financial services and insurance, mass media information, and health and social assistance.
Among the most frequent actions that result in penalties are:
- collecting or transferring personal data without the corresponding consent of the data subject; and
- non-compliance with requirements for privacy notices, as set out in the law.
Fines range from 100 days of minimum wage in Mexico (approximately $475) to 320,000 days of minimum wage (approximately $1.5 million). They are calculated per infringement (the law sets out 18 infringement types or breaches), and are calculated considering the nature of the data, the financial capacity of the collector and the negligence of the infringer. Fines can be doubled when processing sensitive data or in case of a relapse.
The fines associated with privacy law non-compliance have broad implications – the amount of those fines could also impact the company’s reputation and operations, its brand equity and its financial position.
Compliance with Data Privacy Law
Compliance is possible through several mechanisms, including:
- making the privacy notice available to data subjects and making the corresponding updates;
- appointing a data privacy officer;
- implementing administrative, technical and physical security measures to protect personal data against damage, loss, alteration, destruction or unauthorised use, access or processing;
- developing a mandatory and enforceable privacy framework within the organisation;
- adopting clauses for personal data transfers or data processing;
- implementing privacy awareness and training programs; and
- monitoring compliance through regular audits.
Privacy compliance does not only revolve around contracts, policies and legal paperwork. In most cases, a holistic approach to compliance requires a company to hire new service providers, adopt and implement security policies, or appoint a local chief information security officer to mitigate future risks.
Third Time’s a Charm? Privacy Shield Agreement Reached In Principle
The U.S. President and European Commission President announced in a joint press statement on March 25th, 2022 that an agreement “in principle” has been reached on a new Trans-Atlantic Data Privacy Framework (Privacy Shield Agreement 2.0). Once approved and implemented, the agreement would facilitate the transatlantic flow of personal data and provide an alternative data transfer mechanism (in addition to EU Standard Contractual Clauses and Binding Corporate Rules) for companies transferring personal data from the EU to the U.S. This is a welcome announcement for companies that have been dealing with the legal uncertainty of such data flows following the Schrems II decision in July 2020, which invalidated the EU-U.S. Privacy Shield 1.0 for international transfers of personal data.
Under the proposed Trans-Atlantic Data Privacy Framework, the United States has made commitments to:
- Strengthen the safeguards governing U.S. signals intelligence activities, by for example, ensuring such activities are undertaken only where necessary to advance legitimate national security objectives;
- Establish a new multi-layered redress mechanism that includes an independent Data Protection Review Court composed of individuals from outside the U.S. Government; and
- Enhance existing oversight with U.S. intelligence agencies adopting procedures to ensure effective oversight of new privacy and civil liberties standards.
Participating companies and organizations that take advantage of the Framework to legally protect data flows will continue to be required to adhere to the Privacy Shield Principles, including the requirement to self-certify their adherence to the Principles through the U.S. Department of Commerce. EU individuals will also continue to have access to avenues of recourse to resolve complaints about participating organizations, including through alternative dispute resolutions and binding arbitration.
The European Commission and U.S. Government teams will now continue in their cooperation to finalize the necessary legal documents that will then need to be adopted on both sides to put in place the new Trans-Atlantic Data Privacy Framework. On the U.S. side, it is expected that this will include an Executive Order that will form the basis for the European Commission’s assessment of the adequacy of the eventual agreement in detail.
Canada-U.S. Agree to Agree on Data Share Deal: Prosecution of Cross-border Criminal Cases to Become Easier
Canada and the United States have agreed to formally negotiate a bilateral agreement that promises to make it easier for law enforcement agencies to obtain electronic data in cross-border criminal investigations. In the age of Facebook, Instagram, TikTok and the cloud, it is rare for a technology-driven criminal investigation to remain within the confines of one nation’s borders.
The agreement to agree was borne out of a revival of the Cross-Border Crime Forum. It signals future increases in cooperation between Canadian and U.S. law enforcement agencies and follows similar cooperation agreements among a number of countries focused on tax evasion prevention.
The intent of the data sharing bilateral agreement will be to remove legal barriers preventing U.S. companies (such as telecoms) from providing data to Canadian law enforcement agencies and vice versa. The aim is to more efficiently investigate and prosecute serious crime in an increasingly technologically advanced age.
Other countries, including the United Kingdom and Australia, already have similar agreements in place with the United States. These agreements have been made pursuant to the U.S. Clarifying Lawful Overseas Use of Data Act (CLOUD Act) enacted in 2018, which enables U.S. law enforcement agencies with a valid court order to require U.S. companies to disclose data stored outside the United States.
Currently, in order to obtain evidence located in the United States, Canadian law enforcement agencies must rely on a Mutual Legal Assistance Treaty (MLAT) to engage a cumbersome process whereby Canadian Department of Justice officials request the assistance of the U.S. Department of Justice and local law enforcement to obtain court orders in the United States for the evidence needed. This is a time-consuming process – sometimes taking months or even years.
If the agreements with the United Kingdom and Australia are any indication, reciprocal legislation similar to the CLOUD Act will be needed in Canada to permit the extraterritorial application of Canadian production orders in the United States.
Enactment of this data sharing bilateral agreement will enable law enforcement agencies to follow a much more streamlined process involving applying for court orders locally and then going directly to the source of the data they are after. For example, the RCMP would be able, with a court order, to go directly to Meta’s headquarters in California for disclosure of the data held by Meta.
A data sharing bilateral agreement would be a welcome development for Canadian authorities tasked with the investigation and prosecution of all manner of quasi-criminal and criminal offences in areas such as securities, fraud, anti-terrorism, tax evasion, anti-corruption and anti-money laundering. Canadian prosecutors are always under the pressure of bringing cases to trial within the stringent time limits set by the Supreme Court of Canada in R. v. Jordan (18 months for cases in the provincial courts and 30 months for cases in the superior courts). A data sharing bilateral agreement should make cross-border criminal investigations much less time-consuming thus making cross-border cases easier to investigate and ultimately prosecute.
In a time where resources are having difficulty keeping up with frauds, cases of corruption or money laundering and other similar types of cases, it can be expected that a bilateral data share agreement will increase the scope and frequency of these types of investigations.
While such agreements open up risk to Canadian companies of easier access by U.S. law enforcement agencies to their data, the majority of online data is stored in the United States in any event. Some are also concerned about potential privacy issues for Canadian social media subscribers, among others. Indeed, it is likely that privacy legislation will have to be amended to permit the sharing of data in Canada with U.S. law enforcement agencies.
Canadian corporate and individual clients should take note that one result of a bilateral data share agreement will be a more rigorous landscape of investigation and prosecution across all types of offences. Canadian organizations will likely see an increase in U.S. production orders and search warrants applied to them in Canada. In this context, rigorous detection systems, able management of director and officer exposure, careful consideration of voluntary disclosure, and sound legal advice with respect to cooperation, assessment of potential defences and protecting corporate and individual Charter rights will become even more critical.
Ontario (Canada) Employers Now Required to Disclose Electronic Monitoring
As of April 11, 2022, Bill 88, Working for Workers Act, 2022, received Royal Assent. As a result, the Digital Platform Workers’ Rights Act, 2022, has been enacted. Amendments have also been made to the Employment Standards Act, 2000 (the “ESA”), the Occupational Health and Safety Act (the “OHSA”) and the Fair Access to Regulated Professions and Compulsory Trades Act, 2006.
Notably, now Ontario is the first province to require employers to have an electronic monitoring policy.
Amendments to the ESA
Bill 88 has amended the ESA to require the following:
- A written policy regarding electronic monitoring of employees must be implemented by March 1 of each year, if as of January 1 of the same year, an employer has 25 or more employees.
- Given the new implementation of this policy requirement, there is a transitional period of 6 months, such that Ontario employers with 25 or more employees on January 1, 2022 have until October 11, 2022 to implement a written electronic monitoring policy.
- The electronic monitoring written policy must include:
  - Whether employees are electronically monitored;
  - If employees are electronically monitored: how and in what circumstances the employer is monitoring employees, and the purposes for which the information obtained through electronic monitoring may be used by the employer;
  - The date the policy was prepared and the date any changes were made to the policy; and
  - Any other information as may be prescribed by the legislation.
Currently, no further requirements have been prescribed.
- As of January 1, 2023, provided certain criteria are met, the ESA will not apply to business consultants and information technology consultants.
  - Business Consultant is defined as an individual who provides advice or services to a business or organization in respect of its performance, including advice or services in respect of the operations, profitability, management, structure, processes, finances, accounting, procurements, human resources, environmental impacts, marketing, risk management, compliance or strategy of the business or organization.
  - Information Technology Consultant is defined as an individual who provides advice or services to a business or organization in respect of its information technology systems, including advice about or services in respect of planning, designing, analyzing, documenting, configuring, developing, testing and installing the business or organization’s information technology systems.
- As of April 11, 2022, the service eligibility requirement for Reservist Leave under the ESA is 3 months (from 6 months).
Amendments to the OHSA
Bill 88 has also increased penalties under the OHSA, such that as of July 1, 2022, the following amendments will come into force:
- The fines for a contravention of the OHSA by a person are increased to a maximum of $500,000 (from $100,000).
- A new penalty is created for directors or officers of a corporation who do not take reasonable care to ensure that the corporation complies with the OHSA and related orders. On conviction, directors and officers are liable to a fine of not more than $1,500,000 or to imprisonment for a term of not more than 12 months, or both.
- Aggravating factors must now be considered when assessing the penalties under the OHSA. An employer’s motives can now be assessed, such as the possible motivation to increase revenue or decrease costs which result in an OHSA
- The limitation period for instituting prosecutions under the OHSA is increased to 2 years (from 1) from the later of the date of the occurrence and the day the inspector becomes aware of the alleged offence.
Employers are also required to provide a naloxone kit in the workplace, where employers are made aware or ought to reasonably be aware that there may be a risk of a worker having an opioid overdose in the workplace. A worker must be trained on recognizing an opioid overdose and how to administer naloxone. This requirement will come into force upon proclamation.
Digital Platform Workers’ Rights Act, 2022
Bill 88 has also enacted a new statute, the Digital Platform Workers’ Rights Act, 2022, which will come into force upon proclamation. This statute applies to any person, including independent contractors, engaged as a digital worker and is intended to have a broader application than the ESA. The statute establishes a broad set of rights for digital workers, such as the entitlement to minimum wage, the right to amounts earned (including tips and gratuities), the right to a range of information regarding digital work completed, the right to notice of removal, the right to resolve disputes in Ontario, the right to be free from reprisal, and other miscellaneous requirements such as record keeping.
Changes to the Fair Access to Regulated Professions and Compulsory Trades Act
Lastly, Bill 88 amends the Fair Access to Regulated Professions and Compulsory Trades Act, 2006 to establish prescribed timelines within which regulated professions must respond to applications for registration from domestic labour mobility applicants:
- A regulated profession must acknowledge an application for registration within 10 days of receipt; and
- A regulated profession must make and provide the registration decision within 30 days of receiving the application.
The amendments also create an internal review or appeal process. These amendments will come into force upon proclamation.
Mexico Employment Law Basics
1. Mexico Employment Law Basics
With China risks increasing and decoupling from China accelerating, Mexico is poised to take on an even greater role in the ongoing global supply chain rearrangement. Companies that are relocating some or all of their production to Mexico need to be aware of what is legally required to hire local staff here in Mexico. This is the first of a series of posts on the topic in which we will explain the basics of Mexico’s employment laws and what you need to have Mexican and foreign staff working for you in Mexico.
This post lays out the basics of Mexican employment law related to hiring employees: what constitutes an employment relationship in Mexico, the types of employees you can hire, and the importance of having an appropriate Mexican employment contract with your Mexican employee. We also describe the basic provisions your Mexico employment agreement should contain.
2. Mexico’s labor environment
The first thing to know about Mexico’s employment laws is that their main goal is to balance production factors (the economic unit that produces or distributes goods and services) with social justice. Consequently, employees are deemed to be in the same position as the employer and the rights of each bear the same weight, and if they do not, the law will support employees. Always.
3. Types of Mexico Employees
Mexico’s employment laws do not differentiate between blue-collar and white-collar employees. However, they do make some distinctions as to employee type, such as the following:
- Employees in positions of trust (empleados de confianza). These are employees who perform general management, inspection, supervision and oversight tasks. The nature of an employee’s tasks is what determines their category, not the employee’s job title or position.
- Employees (of any nationality) who render services outside of Mexico for a Mexican company.
- Specific categories of employees and employees in specific industries or sectors of the economy, like women, minors, farmers, miners, air/sea/land transportation crews, artists, those working in the tourism industry, doctors, and teachers.
4. The employer-employee relationship in Mexico
What constitutes an employment relationship in Mexico? Basically, anyone who renders personal services to a person who gives instructions and receives those services in exchange for payment is deemed to be in an employment relationship. This means that if you have local staff that follow what you say, you are their employer and you are required to give them all the employee benefits mandated under Mexican law. This is true even if no employment contract is signed and even if you pay them in cash.
Mexican law recognizes several types of employment relationships:
(i) for a specific task (obra determinada);
(ii) on a fixed term (por tiempo determinado);
(iii) seasonal (por temporada); and
(iv) for an indefinite term (por tiempo indeterminado).
In turn, the employer-employee relationship may be subject to a qualification period (prueba) or initial training (capacitación inicial).
As a general rule, the type of work to be performed by your Mexican employee determines the type of employment relationship you will have with them.
And bear in mind, absent an express agreement to the contrary, the employment relationship is understood to be for an indefinite term.
5. Basic/required terms in a Mexico employment agreement
Your employee’s working conditions must be set forth in an employment agreement if there are no applicable collective bargaining agreements. Mexican employment agreements should be executed in at least two copies, one for you and one for your Mexican employee. This employment contract must contain the following minimum requirements:
- Name, nationality, age, sex, marital status, Unique Population Registry Code (Clave Única de Registro de Población), Federal Taxpayer Registry and address of the employee and the employer.
- Type of labor relationship and whether the employee is subject to a qualification period.
- The specific service or services to be rendered by the employee, which shall be determined as precisely as possible.
- The place or places where the work is to be performed.
- The duration of the employee’s working day.
- The form and amount of the salary.
- The day and place of payment of the salary.
- If/how the employer offers employee training.
- Other working conditions, such as rest days, holidays and others agreed upon by the employer and the Mexican employee.
- Designation of beneficiaries for payment of wages and benefits accrued and not collected upon the death of the employee.
Mexico, like most countries, has gotten very good at enforcing its labor and employment laws against foreign companies. Therefore, if you are going to be hiring individuals in Mexico to help your company there, it is essential you do so correctly, because not doing this will invariably cost you a lot more in the long term. And again, remember that an employment relationship in Mexico is not dependent on the existence of an employment contract, which is considered the employer’s obligation.
Mexico: New defense procedure against inclusion in blocked persons list
On March 11, 2022, a reform to the Mexican Banking Law (Ley de Instituciones de Crédito) was published in the Federal Official Gazette (Diario Oficial de la Federación) in order to provide a new procedure for the defense of both individuals and legal entities against inclusion into the Blocked Persons List.
The Blocked Persons List
As per Article 115, ninth paragraph, of the Mexican Banking Law, banks operating in the country shall suspend immediately the operations, accounts, contracts or services executed with, or provided to, any person (either natural or legal) who is included on the Blocked Persons List (Lista de Personas Bloqueadas, or the “List”).
The List is issued by the Mexican Ministry of Finance and, particularly, the Ministry’s Financial Intelligence Unit, the governmental agency in charge of analyzing information to prevent and combat money laundering or terrorist financing (the “ML/FT”).
The Ministry of Finance makes the List available to banks and financial entities, which must keep it confidential from the general public.
According to the AML Banking Rules (Disposiciones de Carácter General a que se refiere el artículo 115 de la Ley de Instituciones de Crédito), the List shall include persons for whom there are sufficient elements to indicate they may be involved in ML/FT, such as those:
- Named on lists issued by committees of the United Nations Security Council on terrorism and financing of terrorism
- Named on lists issued by foreign authorities, other international organizations or intergovernmental groups, in accordance with instruments, treaties or agreements executed by Mexico or by the Mexican Ministry of Finance related to ML/FT
- For whom, according to Mexican authorities, there are sufficient elements to indicate they are related to ML/FT
- Who are in prison due to ML/FT
- Who the Mexican authorities have already determined committed ML/FT
- Who omit or conceal or fail to report information regarding possible ML/FT
- Who have been identified by the Mexican Revenue Service (Servicio de Administración Tributaria) as simulating operations with false tax receipts
The new defense procedure against inclusion in the List
Defense procedure in terms of amendments to the Mexican Banking Law, published on March 11, 2022
Please note that the timeframe indicated in step number five, above, may be extended by the Ministry of Finance (either unilaterally, or as per request of the person included in the List) for ten additional business days, at most.
In the previous defense mechanism established in the AML Banking Rules, such period could only be extended as per request of the aforementioned person.
Differences between the current defense process and previous mechanisms available to persons on the List
- The previous defense mechanism was established in the AML Banking Rules. Nonetheless, the current defense process is in the Mexican Banking Law itself.
- Previously, the Ministry of Finance had to issue the resolution of whether the person should be removed from the List within ten business days, counted from the date when the relevant person appeared before the authorities. Now, due to the latest amendment to the Mexican Banking Law, the Ministry of Finance has fifteen days to issue such resolution, counted from the date on which the file is fully integrated.
- Before, the resolution from the Ministry of Finance had to be notified to the applicable person within fifteen days after its issuance. However, such timeframe has been reduced to ten business days.
Considering that the List also applies to other types of financial entities (e.g., fund managers, broker-dealers, insurance companies, Fintech entities, etc.), in order to preserve legal certainty, we foresee that these amendments will be adopted in the rest of the financial legislation relating to financial services and operations in Mexico.
Data Protection in Brazil: Your Questions Answered
Brazil is one of the largest digital markets in the world. Until recently its data protection landscape comprised around 40 sector-specific laws covering areas such as medical and financial services – but no general framework protecting all personal data. That changed with the advent of the General Data Protection Law (LGPD). Here, we explore the background to the LGPD, explain what it means for business – and look at further developments on the horizon.
When did the LGPD come into force?
The law itself took effect on 18 September 2020, although its administrative sanctions only became applicable on 1 August 2021. A constitutional amendment has recently promoted personal data protection to the same level of legal protection as the rights to privacy and private life.
Who enforces it?
After some political debate, Brazil’s National Data Protection Authority (ANPD) was created on 26 August 2020 to develop guidelines and apply administrative sanctions for non-compliance with the LGPD. The ANPD is formally a government body tied to the Presidency Office, and contrasts with other regulatory agencies in Brazil which are independent legal persons. Since it was established, the ANPD has focused mainly on structuring its operations, and although it has published a couple of guidelines, it hasn’t yet tackled any major data protection issue.
How does the LGPD compare to Europe’s GDPR?
The LGPD was inspired by major structural features of the GDPR, such as the data controller/processor role, data protection officers (DPOs), the principles and legal grounds for processing personal data, and a list of the rights of data subjects.
The Brazilian law, however, was drafted in line with Brazilian rather than European legislation, and is therefore shorter, less prescriptive and has no recitals as guidelines to interpret the legal text.
More than 50 details have been left for the ANPD to clarify, so there is plenty of anticipation surrounding the start of the ANPD’s regulatory activity.
Alongside the different drafting approach, the rules have been adapted in many points to the Brazilian legal and social context – as the points below demonstrate.
When and where does it apply?
The LGPD applies to: (i) personal data processed in Brazil; (ii) processing activity aimed at the offering of goods or the provision of services to individuals in Brazil or at processing personal data of individuals in Brazil; and (iii) the processing anywhere of personal data collected in Brazil, meaning of any data subject present in Brazil when the collection takes place. The third scenario could affect the business of foreign companies in Brazil, although there is legally no requirement for foreign controllers to appoint a representative in Brazil.
The law defines personal data as any information relating to an identified or identifiable natural person and excludes anonymized data from its scope. In this regard it tracks closely to the GDPR, but it also explicitly extends to anonymous data when used for profiling purposes. It seems therefore that the LGPD is concerned with how data processing may affect the lives of data subjects, rather than considering whether the anonymization is reasonably reversible.
The LGPD also lists a few interesting exceptions to its applicability, such as for personal data that is transferred to Brazil from outside the national territory but is not further processed there, i.e., that is not shared or transmitted inside Brazil or to other countries.
How is the lawfulness of processing evaluated?
As with the GDPR, any processing activity needs to be evaluated according to certain principles and is only justified if certain criteria are met.
Principles are considered a legal norm in Brazilian law. They not only guide the interpretation of the specific rules but can be applied directly to decide unforeseen situations. In terms of principles, the LGPD is aligned to the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, reinforced by two further considerations: the principles of prevention (which requires the active prevention of data breaches, probably to avoid the mere adoption of formal measures), and of non-discrimination (prohibiting processing for any discriminatory ends).
In terms of specific lawfulness criteria, the LGPD contains a few more than the GDPR, including health protection (especially relevant to the work of health professionals during the pandemic), and for credit protection. The latter was included in the context of discussions on the reform of Brazil’s Positive Credit History Law, one of the instruments that regulates credit scoring.
A few details of criteria brought across from the GDPR are also different, such as that consent for the processing of sensitive data and for international data transfers must be specific and that the legitimate interests of the controller might include supporting and promoting the controller’s activities. It will be interesting to see how flexible the legitimate interests can be, especially considering the rise of the internet of things, big data and widespread use of machine learning.
The LGPD requires, furthermore, that all processing activities be registered with the ANPD and that all controllers name a data protection officer (DPO), which can be a natural or legal person. Both requirements can still be otherwise regulated by the ANPD.
What rights do data subjects have?
The LGPD gives data subjects several rights which must be exercised free of charge. These include the right to confirm the existence of the processing; the right of access, correction, erasure or anonymization; the right of portability; the right to review decisions based on automated processing; the right to object to processing not based on consent; and the right to file a complaint with the ANPD and to request full electronic copies of any personal data in case of processing based on consent or performance of a contract, with the last right regulated by the ANPD. A few additional rights seem to be designed to foster a data protection culture, including the right to withdraw consent and the right to be informed of the possibility of not providing consent and the consequences of this decision.
Under the LGPD, controllers have just 15 days to confirm the existence of the processing and provide access to the data. This tight deadline can be amended by the ANPD, but until it is, it will demand a high level of organisation from controllers regarding their processing of personal data.
Some of these rights were already covered by Brazil’s existing sector-specific legislation but have been extended in their scope under the LGPD. For example, a right to data portability has existed for phone numbers since 2007 but has now been extended to any personal data and is not limited to processing based on consent or performance of a contract, as it is in the GDPR.
The right to a review by a natural person of automated decision making that impacts data subjects was already provided regarding credit scoring models by the Positive Credit History Law. This right was coupled with the right to be informed about the data used by the algorithm and criteria used for deciding, with the exception of trade or industrial secrets. The LGPD adopted a similar structure, making it applicable for personal data processing for any purpose. The LGPD presumes an impact on data subjects when automated decision making is based on profiling, even in consent-based processing.
What liabilities exist for LGPD violations?
Controllers are by law jointly and severally liable for material and immaterial damages caused to data subjects, be it individually or collectively. They are also responsible for communicating data breaches to both the ANPD and affected data subjects within a reasonable period (as defined by the ANPD). The adoption of appropriate security measures will be considered by the ANPD in evaluating the liability of the controller(s).
Processors might also be jointly responsible if they don’t comply with data protection legislation or with the controller’s instructions.
Procedurally, the LGPD also establishes the possibility of inverting the burden of proof (an established practice introduced by Brazilian consumer legislation), and of collective actions.
The ANPD can apply many different sanctions, including fines up to 2 percent of group revenue in Brazil or a maximum of R$50m (approx. €8.5m) per infraction, which can be imposed on a one-time or daily basis.
What’s next for Brazilian data protection?
The development of the ANPD’s regulation and the activity of the courts will be the next big thing to watch in Brazilian data protection. With that in mind, here are five key issues to track closely.
- Deadlines and formalities for data breach notifications and responses to the exercise of rights by data subjects.
- Exemptions to registration of processing activities and appointments of DPOs.
- The applicability of the LGPD, especially in relation to data collected in Brazil and the use of anonymous data for profiling.
- The use of legitimate interests and specific consent as a basis for processing, including processing of sensitive data and international data transfers.
- Legitimizing old databases.
Sands Shift for Background Screening for Manufacturers
Manufacturing employees have a hand in everything that our country produces. Naturally, manufacturers want to know their employees are reliable and trustworthy. Manufacturers are taking steps, including background checks, to ensure a single hire does not inadvertently cause liability.
Manufacturers have other reasons to want to know about their workers. Manufacturing employees often operate equipment or control processes that require vigilant attention and where, for example, drug impairment might have severe consequences. In addition, other manufacturing employees have access to large quantities of valuable supplies, making potential theft a costly risk.
Background checks are the traditional means to assist in ensuring quality hires. Background checks are regulated by the Fair Credit Reporting Act (FCRA). The FCRA imposes certain requirements on employers and background check companies, such as providing a stand-alone disclosure form to employees and job applicants at certain times.
In light of continuing workforce shortages and ever-changing legal requirements, manufacturers may find they need to review and change their hiring standards and criteria. In some cases, employers may have relaxed their former standards as being outdated. Regardless of how any manufacturer decides to go about performing background checks, they should keep the following recent developments in mind.
“Ban the Box” Laws Enacted in States and Cities
“Ban the box” laws (also referred to as “Fair Chance Acts”) limit employers’ access to a job applicant’s criminal history. Typically, these laws require employers to consider qualifications first when considering a person’s eligibility for employment. Different states, and even some municipalities, have enacted their own requirements. Multi-state employers, therefore, should take care to confirm the requirements of their state and local laws, if any, before conducting background screening. These laws have grown in popularity.
Employers making decisions based upon a criminal history record are urged to conduct an individualized assessment (and certain jurisdictions have mandated this step).
Further, the federal Fair Chance Act became effective on December 20, 2021, and federal contractors must comply with its requirements.
Drug Screening Guidelines Change for Marijuana
It has been nearly 10 years since Colorado and Washington became the first states to legalize recreational cannabis use. Since then, other states have followed suit, and the U.S. House of Representatives passed the Marijuana Opportunity Reinvestment and Expungement Act (MORE Act) on April 1, 2022. The MORE Act is intended to decriminalize cannabis use nationwide and remove cannabis from the federal schedules of controlled substances. It is under consideration by the U.S. Senate.
Regardless of whether the MORE Act becomes law, the legal landscape governing cannabis use has changed significantly in the last decade and will likely continue to shift. For instance, some states that have loosened cannabis restrictions also have enacted laws prohibiting discrimination against employees and job applicants based on their lawful use of cannabis. As states continue to legalize or loosen restrictions on cannabis use, manufacturers should exercise caution and ensure they understand state and local laws governing cannabis use as related to drug and background screening and the treatment of job applicants.
Equal Employment Opportunity
Manufacturers should take steps to ensure their hiring practices comply with federal, state, and municipal equal employment opportunity laws, especially regarding criminal history. In the past, the Equal Employment Opportunity Commission has been concerned that even if an employer has a job-related reason for a background check, such a practice may tend to have a disparate impact on protected classes. Employers are always cautioned to review existing “neutral” policies to ensure they do not have a disproportionate negative impact on a particular group, to minimize the risk of discrimination claims. Further, some automated screening processes using artificial intelligence may inadvertently discriminate unless they are carefully designed.
Manufacturers should closely monitor the impacts their policies may have on applicants to avoid unintentionally disparate outcomes when examining and making hiring determinations based on applicants’ backgrounds.
Criminal background checks in Spain
It is a rather common practice for companies to run background checks of employees and suppliers before entering into a contract. However, the range and depth of these checks differ from company to company, and the approach to them (and lawfulness) is not the same internationally. Amongst them, background checks on criminal records are a particularly sensitive matter.
In Spain, the well-known General Data Protection Regulation (GDPR) together with the Spanish Organic Law 3/2018 on Personal Data Protection and digital rights guarantees (LOPDGDD for its Spanish abbreviation) must always be considered when undertaking background checks (no matter how deep) on individuals. Mixing criminal background checks and data protection regulations may not end well, as particular conditions must be met. In this context, the Spanish Data Protection Agency (AEPD) recently imposed a EUR 2 million fine on a controller that is worth highlighting and bearing in mind when setting up background checks.
General legal regime on the processing of data regarding criminal convictions and offences in Spain
In Spain, data protection rules mainly arise from the GDPR and the LOPDGDD. Article 10 of both the GDPR and the LOPDGDD regulates the main conditions for processing data related to criminal convictions and offences:
Article 10 GDPR – Processing of personal data relating to criminal convictions and offences
Processing of personal data relating to criminal convictions and offences or related security measures based on Article 6(1) shall be carried out only under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects. Any comprehensive register of criminal convictions shall be kept only under the control of official authority.
Article 10 LOPDGDD – Processing of data of a criminal nature
1. The processing of personal data relating to criminal convictions and offences, as well as to proceedings, and related security and precautionary measures, for purposes other than the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal sanctions, may only be carried out where permitted by Union law, this organic law or other rules with rank of law.
2. The complete registry of data relating to criminal convictions and offences, as well as to proceedings, and related security and precautionary measures referred to in Article 10 GDPR, may be carried out in accordance with the provisions of the regulation on the administrative registries System in support of the Justice Administration.
3. In cases other than the ones above, the processing of personal data relating to criminal convictions and offences, as well as to proceedings, and related security and precautionary measures, shall only be possible when carried out by lawyers and attorneys and their purpose is to collect information provided by their clients for the exercise of their functions.
Notwithstanding that processing these categories of data will most probably be subject to additional data protection requirements (such as carrying out a data protection impact assessment (DPIA), designating a DPO, etc.), the main rule is clearly established above: any processing of this kind of data must be authorised by Union or Member State law. Otherwise, such processing will be unlawful and be deemed a very severe infringement of data protection obligations (ex. Art. 72.1(f) LOPDGDD).
It is worth highlighting that, in Spain, the processing of data related to administrative infringements and sanctions (fines imposed by public authorities) is also regulated under Article 27 LOPDGDD (following the former pre-GDPR practice). The main difference between the processing of such data and criminal-related data is that, with regard to the former, an individual may consent to waive the requirement of having a law authorising its processing. With regard to criminal data, consent is not enough to waive the prohibition under Article 10 GDPR and LOPDGDD.
Main takeaways from the AEPD’s sanctioning decision
To sum up the background of the case and go straight to the point, the AEPD imposed a EUR 2 million fine (and an order to discontinue the declared infringement and erase the concerned data) on a transport company for requesting that its freelance carriers provide their certificate of absence of criminal records as a contractual requirement.
The first interesting point analysed relates to the nature of a certificate of absence of criminal records (i.e. a negative criminal records certificate) and whether the information contained therein qualifies as personal data subject to Articles 10 GDPR and LOPDGDD. A criminal record certificate is a public document that certifies either the existence or the non-existence of criminal records (i.e. criminal court decisions in force imposing a sanction or security measures).
Without entering into details on how these certificates are regulated, it is worth remarking how the AEPD clarified that not only positive certificates, but also negative ones (asserting that there are no criminal records), shall be deemed as data related to criminal convictions and offences foreseen under Articles 10 GDPR and LOPDGDD (and, therefore, subject to its rules). In fact, the AEPD goes further and clarifies that even a mere responsible statement of absence of criminal records would fall under the scope of Article 10 GDPR and LOPDGDD.
After clarifying that both positive and negative certificates constitute personal data, the decision focuses on whether there is a law authorising the processing of criminal record data, as required for lawful processing. In this regard, please note that, in Spain, there are very few laws permitting the request of such certificates (e.g. in the context of certain jobs involving contact with minors, taxi drivers, certain employees of casinos, etc.). In the case at hand, the AEPD does not identify a law supporting the sanctioned entity directly requesting the pertinent certificates from freelance carriers.
Taking the above into consideration, controllers should very carefully assess on a case-by-case basis whether they can lift the prohibition on processing data related to criminal convictions and offences (and more specifically, criminal record certificates), and clearly identify a bulletproof law grounding such processing before taking any related action. Otherwise, taking further steps to ensure compliance with certain GDPR obligations (such as carrying out a DPIA) in relation to processing criminal record data without a law legitimising the processing could be deemed pointless.
How Employers Can Begin Preparing for the EEOC’s Focus on AI
For years, employers have increasingly automated the recruiting and hiring process using artificial intelligence (AI) and other algorithmic tools. While there is added value in such automation, researchers have cautioned that the technology may result in biased and/or discriminatory results, largely because the data (e.g., search terms, traits of ideal candidates, etc.) entered into this technology may suffer from past biases and unlawful discrimination. We previously wrote about these concerns in a past edition. Tellingly, the EEOC has examined the issues of people analytics, big data, and AI in hiring and other employment decisions since 2016, even holding a public meeting on the implications of big data in the workplace. These and other actions by the EEOC demonstrate its early concern that potential systemic discrimination issues might arise from the use of AI and big data.
The pandemic, along with other issues featured in the media, such as the misidentification of Black female faces by facial detection software and algorithms producing biased results, highlights potential concerns underlying these technologies. Social distancing during the pandemic required remote work and led to greater use of AI and related technology throughout the employment process, including interviewing, recruiting, and hiring. The use of such technologies is expected to continue to increase. Indeed, in December 2020, ten United States senators sent a joint letter to the chair of the EEOC inquiring about the agency’s “oversight authority for hiring technologies,” noting that as businesses begin to reopen in accordance with COVID-19 guidance, “some companies will seek to hire staff more quickly” and “are likely to turn to technology to manage and screen large numbers of applicants to support a physically distant hiring process.” The senators went on to note that “Black and Latino workers are experiencing significantly higher unemployment rates than their white counterparts,” with the “gap between Black and white workers [being] the highest it’s been in five years.” The senators indicated that the Commission is tasked with ensuring that these hiring technologies do not act as “built-in headwinds for minority groups,” explaining that there should be proactive efforts to effectively oversee the use of these hiring technologies.
Subsequently, on October 28, 2021, Charlotte A. Burrows, EEOC chair, announced that the Commission was “launching an initiative to ensure that artificial intelligence (AI) and other emerging tools used in hiring and other employment decisions comply with federal civil rights laws that the agency enforces.”1 Notably, Title VII of the Civil Rights Act of 1964 prohibits the use of neutral policies and procedures that disproportionately adversely impact (or here screen out) a group protected under the Act because of their race, national origin, ethnicity, gender, disability, or other protected trait. This initiative will be used to examine how these technologies are being applied during the recruiting and hiring process and to provide guidance to not only employers but also applicants, employees, vendors, and those developing the technology.
As part of these efforts, the EEOC is hosting listening sessions to gather more information on how these technologies are used or could otherwise adversely impact others, most recently focusing a session on the impact on people with disabilities. As the EEOC continues its efforts, it is important for employers who are using these technologies to be proactive. It will not be enough to simply say you relied on the representations made by the vendor or software developers concerning what they are doing to prevent potential violation of federal, state, or local employment laws. Employers should create measures to ensure that the vendors are vetted and that the technologies (in whatever form) being used for recruiting, interviewing, hiring, testing, or other aspects of the employment relationship are validated and audited for potential biases and legal concerns. In short, employers should ensure the technologies are actually doing what they are supposed to do in a lawful manner. This includes having a working knowledge of what algorithms are being used; understanding what information is being used, the source of the information, and in what manner the information is being used throughout the process; and determining whether there are any concerning patterns in the results from using the tools (e.g., are certain groups always screened out, are people who live in certain zip codes always screened out, is the candidate pool diverse, etc.). Employers should also continue to train human resource and management employees on best practices when navigating the hiring process to add additional layers of bias interrupters. This might include DEI-related training topics on inclusive leadership, interview techniques, communication skills, reducing the influence of implicit bias, how to properly use the technologies, and other topics.
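The pattern check described above (are certain groups, or applicants from certain zip codes, always screened out?) can be run over a screening tool's own output logs. The following is an added illustration, not code from the EEOC or any vendor: the applicant rows are constructed, the group labels are hypothetical, and the 0.8 threshold mirrors the four-fifths heuristic from the EEOC Uniform Guidelines rather than anything stated on this page.

```python
from collections import Counter
from typing import Iterable, NamedTuple


class Outcome(NamedTuple):
    group: str      # self-reported demographic group (hypothetical label)
    zip_code: str   # applicant zip code
    advanced: bool  # True if the tool let the applicant past the screen


def _rows(group, zip_code, advanced, rejected):
    """Build constructed sample rows: `advanced` passes, `rejected` screen-outs."""
    return ([Outcome(group, zip_code, True)] * advanced
            + [Outcome(group, zip_code, False)] * rejected)


# Constructed sample, not real applicant data: group B in zip 90002 is
# always screened out, the kind of pattern the text says employers should look for.
SAMPLE_OUTCOMES = (_rows("A", "90001", 4, 1) + _rows("A", "90002", 4, 1)
                   + _rows("B", "90001", 4, 1) + _rows("B", "90002", 0, 5))


def selection_rates(outcomes: Iterable[Outcome], field: str) -> dict:
    """Share of applicants that advanced, per value of `field` (group or zip_code)."""
    totals, passed = Counter(), Counter()
    for o in outcomes:
        key = getattr(o, field)
        totals[key] += 1
        passed[key] += o.advanced
    return {k: passed[k] / totals[k] for k in totals}


def flag_adverse_impact(outcomes, field, threshold=0.8):
    """Return {value: impact_ratio} for values whose selection rate, divided by
    the highest-rate value's, falls below `threshold` (0.8 is the four-fifths
    heuristic from the EEOC Uniform Guidelines; an assumption, not from the page)."""
    rates = selection_rates(outcomes, field)
    best = max(rates.values())
    ratios = {k: (r / best if best else 0.0) for k, r in rates.items()}
    return {k: round(v, 3) for k, v in ratios.items() if v < threshold}


if __name__ == "__main__":
    for field in ("group", "zip_code"):
        print(field, selection_rates(SAMPLE_OUTCOMES, field),
              flag_adverse_impact(SAMPLE_OUTCOMES, field))
```

A flag is a prompt for the validation and audit steps the text describes (review the inputs and the algorithm), not by itself a finding of unlawful discrimination.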
As the use of AI and related algorithms and technologies continues to increase, employers should be diligent about ensuring there are multiple measures in place to overcome claims that an organization’s use of these technologies is discriminatory or otherwise adversely impacting groups of people based on their protected traits. This goal cannot be separated from the need to invest in the company’s human capital and to continue human interaction, the importance of which was elevated by the pandemic.
Kentucky: Governor signs act relating to insurance data security
The Kentucky Governor signed, on 8 April 2022, House Bill (‘HB’) 474 for an Act relating to insurance data security, to create a new Section of §304-3 of the Kentucky Revised Statutes. In particular, HB 474 is based on the National Association of Insurance Commissioners’ (‘NAIC’) Insurance Data Security Model Law, which was adopted in October 2017, and will require licensees to comply with data security provisions such as:
- conducting risk assessments;
- developing an information security program, including an incident response plan;
- investigating cybersecurity events; and
- establishing recordkeeping and reporting requirements relating to cybersecurity events.
Moreover, HB 474 authorises the Kentucky Insurance Commissioner to examine and investigate licensees for potential violations and take the necessary actions to enforce relevant provisions.
HB 474 will enter into effect on 1 January 2023.