Fair Credit Reporting Act Disclosures
Section 612(f)(1)(A) of the Fair Credit Reporting Act (FCRA) provides that a consumer reporting agency may charge a consumer a reasonable amount for making a disclosure to the consumer pursuant to section 609 of the FCRA. The Bureau of Consumer Financial Protection (Bureau) announces that the ceiling on allowable charges under section 612(f) of the Fair Credit Reporting Act (FCRA) will increase from $12.00 to $12.50, effective for 2019.
DHS Publishes Final Social Media Rule
On December 27th, the Department of Homeland Security published a final rule in the Federal Register that will allow U.S. Customs and Border Protection (CBP) to collect social media information from individuals crossing the border. CBP claims that the rule is necessary to identify and “understand relationships between individuals, entities, threats and events, and to monitor patterns of activity over extended periods of time that may be indicative of criminal, terrorist, or other threat.” Privacy groups opposed the rule, claiming that it would allow the agency to collect social media information from Americans and would place the collected data outside the legal protections of the Privacy Act. Reported in Arnall Golden Gregory January 7, 2019 Daily Privacy & Consumer Regulatory Alert.
Vermont Releases Guidance for Data Brokers
On December 13th, the Vermont Attorney General’s Office released guidance for data brokers to comply with the new data broker regulations, which went into effect on January 1st, 2019. The new regulations require data brokers to register annually with the Secretary of State and maintain certain minimum data security standards. Reported in Arnall Golden Gregory January 2, 2019 Daily Privacy & Consumer Regulatory Alert.
Massachusetts Tightens its Ban-The-Box Law
Massachusetts is one of 11 states that currently mandate removing criminal history questions from job applications for private employers. These states are California, Connecticut, Hawaii, Illinois, Minnesota, New Jersey, Oregon, Rhode Island, Vermont, and Washington. At least 17 cities and counties across the country have also extended these requirements to private employers. The beginning of the new year is a good time for employers to review their hiring policies and procedures and what information they collect from applicants in this regard.
Recently, Massachusetts amended its Criminal Offender Record Information law (commonly referred to as CORI). Massachusetts law already prohibited employers from asking applicants about:
- Arrests, detentions, or dispositions for any violation of law in which no conviction resulted;
- First convictions for the misdemeanors of simple assault, drunkenness, affray, speeding, minor traffic violations, or disturbing the peace; or
- Misdemeanors in which the date of conviction or completion of incarceration occurred five or more years before the application’s date, unless the person was convicted of an offense within the preceding five-year period.
The changes to the CORI law now also prohibit employers from inquiring orally or in writing about an applicant’s misdemeanors when the conviction or period of incarceration occurred three years (rather than five years as under prior law) or more before the application’s date, unless the person was convicted of an offense within the preceding three-year period.
The changes further prohibit employers from asking applicants about criminal records that have been sealed or expunged.
Finally, employers who request criminal record information from applicants must include the following language on any information request:
“An applicant for employment with a record expunged pursuant to section 100F, section 100G, section 100H or section 100K of chapter 276 of the General Laws may answer ‘no record’ with respect to an inquiry herein relative to prior arrests, criminal court appearances or convictions. An applicant for employment with a record expunged pursuant to section 100F, section 100G, section 100H or section 100K of chapter 276 of the General Laws may answer ‘no record’ to an inquiry herein relative to prior arrests, criminal court appearances, juvenile court appearances, adjudications or convictions.”
Massachusetts has been aggressive in enforcing its ban-the-box law. In June 2018, the Massachusetts Attorney General reached agreements with several national employers (Edible Arrangements, Five Guys Burgers and Fries, and L’Occitane), and issued warning letters to 17 other Boston area businesses found to be violating state law by asking applicants about criminal record information on initial job applications.
Michigan Bars State Employer Inquiries into Salary History
One week after taking office, Michigan Governor Gretchen Whitmer signed a directive that prohibits state departments and agencies from asking about current or previous salaries until after extending a conditional offer of employment with proposed salary. Executive Directive No. 2019-10, intended to ensure equal pay for equal work among state employees, went into effect immediately upon receiving the governor’s signature on January 8, 2019. The directive also prohibits public employers from searching public records databases to obtain an applicant’s current or previous salary information. The directive does not prevent an applicant from volunteering salary information; however, the state cannot consider an applicant’s refusal to do so in any employment decision. The state may verify salary information only if the applicant voluntarily provides the information or verification is required by applicable law. Less than a year ago, former Michigan Governor Rick Snyder signed a bill that prevented local governments from regulating the questions employers could ask during job interviews, essentially blocking city or county regulations prohibiting employers from inquiring about salary history information. Wisconsin passed a similar bill last year. Such bills ostensibly prevent a patchwork quilt of local salary history regulations being passed where such a regulation has not yet been passed at the state level, such as in New York.
Connecticut Prohibits Salary Inquiries
As of January 1, 2019, Connecticut became one of the latest jurisdictions to prohibit employers from inquiring into applicants’ salary history. San Francisco, New York City, Philadelphia, Oregon and Massachusetts have recently enacted similar laws. Connecticut employers are now prohibited from inquiring about a job applicant’s wage and salary history. This prohibition also applies if an employer is using a third party (like an employment agency). The law allows salary inquiries if the applicant has voluntarily disclosed that information. Additionally, salary inquiries are allowed if federal or state law specifically authorizes the disclosure or verification of salary history for employment purposes. An employer may inquire about other elements of an applicant’s compensation structure, as long as such employer does not inquire about the value of the elements of such compensation structure. The law provides for a private right of action, and individuals can recover compensatory damages, attorney’s fees, costs, and punitive damages. There is a two-year statute of limitations. The law became effective on January 1, 2019.
Amended Massachusetts Data Breach Law Requires Additional Disclosures and Free Credit Monitoring
The Situation: In the wake of the Equifax data breach, Massachusetts has amended its data breach law.
The Result: Companies reporting security breaches under the amended data breach law must provide additional information about the incident and their written information security program (“WISP”), and they must provide credit monitoring services to any affected residents whose Social Security numbers were disclosed.
Looking Ahead: Massachusetts’s data breach law is now one of the most expansive in the country. The new law also reaffirms the need for companies that own or license personal information of Massachusetts residents to maintain a WISP.
As of April 10, 2019, Massachusetts will implement an amended data breach law, Mass. Gen. L. 93H, initially introduced as a response to the Equifax data breach.
The amendments do not alter the triggers for notification. Rather, they focus on the content of breach notifications and the “mitigation services” companies must offer victims. The most significant amendments: (i) expand the information that companies reporting breaches must disclose; (ii) require companies to provide, at no cost to affected individuals, at least 18 months of credit monitoring services if the breach involved the disclosure of Social Security numbers; (iii) provide that companies shall not delay notice on grounds that the total number of affected Massachusetts residents is unknown; and (iv) increase the public visibility of reported breaches.
Additional Information Required in Breach Notices
The amendments require companies reporting breaches under the law to provide additional information to the Massachusetts Attorney General (“AG”) and the Director of the Office of Consumer Affairs and Business Regulation (“OCABR”). Companies typically already provide much of the information now required by law—the company’s name and address, the identity of the person reporting the breach, and his or her relationship to the entity that experienced the breach—as well as “the type of personal information compromised, including, but not limited to, social security number, driver’s license number, financial account number, credit or debit card number or other data.”
The law, however, also imposes three new and novel requirements:
- A company must disclose in the notice to the AG and OCABR “the person responsible for the breach of security, if known.”
- The amendments require companies to inform regulators whether the company “maintains a written information security program,” and whether the company has updated or plans to update the WISP in response to the incident. A WISP has been a legal requirement since 2010 for companies that own or license the personal information of a Massachusetts resident, and must contain appropriate administrative, technical, and physical safeguards for such personal information.
- If the company reporting the breach “is owned by another person or corporation,” then the notice to affected residents “must include the name of the parent or affiliated corporation.”
These provisions are unique to Massachusetts’s data breach law, and notably expand the regulatory focus from the incident to include the company’s information security program.
Mitigation Services for Residents
Massachusetts also joins California, Connecticut, and Delaware in requiring companies to provide identity theft protection or credit monitoring to residents whose Social Security numbers were disclosed in a breach. The new law requires a company reporting a breach to provide at least 18 months of credit monitoring (consumer reporting agencies must provide at least 42 months), at no cost, to residents whose Social Security numbers were, or are “reasonably believed to have been,” disclosed. The company must provide affected residents with all information necessary for enrollment in credit monitoring services, and the company may not require them to waive their right to a private cause of action as a condition to obtaining the services. The company must file a report with the AG and OCABR certifying that its credit monitoring complies with these requirements. The company also must advise residents that consumer credit reporting agencies will not charge them for placing or lifting credit freezes.
The amendments add a new provision that notice “shall not be delayed on grounds that the total number of residents affected is not yet ascertained.” The law contemplates that companies make supplemental notice in these circumstances, providing that “[i]n such case, and where otherwise necessary to update or correct the information required, a [company] shall provide additional notice as soon as practicable and without unreasonable delay upon learning such additional information.”
Increased Public Access to Breach Notifications
The amendments also contain provisions designed to increase the visibility of breaches to the general public, including:
- OCABR will post on its website sample consumer notices received from companies reporting breaches—typically within one business day of receipt; and
- OCABR will instruct consumers on how to file public records requests to obtain copies of the reporting company’s breach notification submitted to regulators.
The law contains a number of ambiguities and interpretation questions, which eventually may prompt the OCABR to promulgate further regulations, as permitted under the amendments.
Four Key Takeaways
- Companies reporting security breaches under the amended Massachusetts data breach law must disclose more information to regulators and consumers.
- Notification letters will be more readily available to the public.
- Companies must provide 18 months of credit monitoring services at no cost to Massachusetts residents whose Social Security numbers are disclosed in a breach.
- Companies that own or license personal information of Massachusetts residents should implement, and where necessary, update a WISP satisfying the Massachusetts legal requirements.
Employer Use of Criminal Records of Applicants Limited in U.S. Virgin Islands
All public and private employers in the U.S. Virgin Islands, regardless of size, are barred from asking applicants to disclose information on an arrest that did not result in a conviction or in which the conviction was dismissed or sealed.
Act No. 8134, which amends Title 24 of the Virgin Islands Code Chapter 17, broadly prohibits employers from asking applicants, whether orally or in written form, to disclose information of (1) an arrest or detention that did not lead to a conviction, (2) “a referral to, or participation in, any pretrial or post trial diversion program,” or (3) “a conviction that has been judicially dismissed or ordered sealed pursuant to law.”
Employers are also prohibited from seeking such criminal record information through any other means, regardless of the source.
Additionally, the criminal background information may not be used as a factor in determining any condition of employment, including “hiring, promotion, termination, or any apprenticeship training program or any other training program leading to employment.” For purposes of the law, a conviction means a plea, verdict, or finding of guilt, “regardless of whether sentence is imposed by the court.”
An employer, however, may ask about an arrest for which the applicant has been released on bail or is out on his or her own recognizance.
Likewise, employers at a qualified “health facility,” as defined by applicable law (19 V.I.C. § 221(1)), may inquire of applicants seeking certain positions with regular access to patients, drugs, or medication about arrests for violations of laws.
Exceptions to Bar
Like the carve-outs in similar laws across the United States, Act No. 8134 does not apply where:
- State or federal law requires the applicant to be rejected based on his or her criminal background;
- “[T]he employment requires a satisfactory criminal background as an established bona fide occupational position or a group employees”;
- “[A] standard fidelity or equivalent bond is required and a conviction of one or more specified criminal offenses would disqualify the applicant from obtaining such a bond”; or
- “[T]he employment is within a facility that provides programs, services, or direct care to minors or vulnerable adults including the educational system or child care.”
Similarly, the law does not apply to applicants for employment by, or current employees of, criminal justice agencies.
Special Restrictions on Use of Information by Criminal Justice Agencies
Act No. 8134 also includes specific prohibitions on the dissemination and use of criminal background information by local law enforcement agencies. It is unlawful for an employee of a criminal justice agency with access to criminal record information maintained by a local criminal justice agency to “knowingly disclose, with intent to affect a person’s employment, any information contained therein” pertaining to an arrest or detention or proceeding not resulting in a conviction to any person not authorized by law.
Furthermore, the statute makes it unlawful “for any other person authorized by law to receive criminal offender record information” that is maintained by local law enforcement to knowingly disclose criminal record information. However, it does not bar the disclosure of such information if “authorized for release to a government agency employing a peace officer.”
Penalties and Remedies
Violations can lead to both civil and criminal penalties. Aggrieved applicants may recover either $200 or actual damages, whichever is greater, plus costs and reasonable attorneys’ fees.
Employers found to be in violation of the law also may face a criminal fine of up to $500, six months’ imprisonment, or both. Moreover, the statute expressly states that its penalties “are in addition to and not in derogation of” remedies available to aggrieved applicants or employees “under any other law.”
Act No. 8134 imposes a new set of obligations on employers in the U.S. Virgin Islands that potentially apply before, during, and after the application process. Indeed, the statute expressly applies to the most significant employment decisions, including “hiring, promotion, and termination.” Employers should consider reviewing and updating existing procedures on applications and background checks, including training those involved in hiring, promotion, and termination decisions.
Are Medical Records Discoverable in FCRA Cases
Like most legal questions, it depends. The Northern District of California recently grappled with this issue in the case of Prado v. Equifax Information Services LLC, No. 18-CV-02405-PJH (LB), 2019 WL 88140 (N.D. Cal. Jan. 3, 2019). In that case, the plaintiff alleged that Equifax mixed up her credit history with that of her sister, which contained several delinquencies. The plaintiff claimed that Equifax failed to respond adequately to her attempts to correct these errors, resulting in FCRA violations and causing plaintiff emotional distress. However, the plaintiff did not assert a separate cause of action for this supposed infliction of emotional distress. In light of plaintiff’s general allegation that she suffered emotional harm, Equifax issued a request for production seeking all documents relating to “any medical or mental treatments” plaintiff “received in the past seven years.” Id. at *1. The plaintiff served objections, asserting, among other things, that this discovery was overly broad, irrelevant, and constituted an invasion of plaintiff’s privacy. Equifax, citing non-FCRA cases outside the Ninth Circuit, argued that plaintiff’s medical records were relevant based on plaintiff’s generic allegation of emotional distress. Equifax also highlighted the distinction between its document request and a request for a medical examination under Federal Rule 35, which specifically requires in the rule that the party’s mental or physical condition be in controversy before a court orders such an examination. The court in Prado, however, was not swayed by Equifax’s arguments and sustained the plaintiff’s objections.
The court’s decision mirrored the reasoning of other courts in the Northern District of California: “when a plaintiff alleges only ‘garden variety’ distress and does not allege emotional distress as a separate claim, does not allege unusually severe emotional distress, and does not intend to rely on experts or medical records to prove emotional-distress damages, she does not place her medical history so at issue as to warrant compelling production of her medical records.” Id. (citing Basich v. Petanaude & Felix, APC, No. C 11-04406 EJD (HRL), 2012 U.S. Dist. LEXIS 91634, at *3-4 (N.D. Cal. July 2, 2012)). The court further disagreed with the distinction Equifax attempted to draw between a request for documents versus a medical examination, stating that “delving into a plaintiff’s medical or psychiatric records is even more invasive than conducting a medical or psychological examination[.]” Id. at *2 (quoting EEOC v. Lexus of Serramonte, 237 F.R.D. 220 (N.D. Cal. 2006)). While the result may have been different before a different judge or under different circumstances, the court in Prado clearly did not believe that a general allegation of emotional distress was enough to trigger discovery of a plaintiff’s medical records.
Federal Appeals Court Holds That Public-School District May Drug Test Substitute Teacher Applicants
A federal appeals court has held that a public-school district may drug test applicants for substitute teacher positions, concluding that such testing does not violate the Fourth Amendment’s prohibition against unreasonable searches and seizures. Friedenberg v. School Bd. of Palm Beach County, 9:17-cv-80221-RLR (11th Cir. Dec. 20, 2018). Joan Friedenberg applied for a position as a substitute teacher in the Palm Beach County School District. Among other things, the School District required her to take and pass a pre-employment drug test. She refused to do so. Friedenberg subsequently sued the School Board in federal court, claiming that the suspicion-less drug testing of applicants violated the Fourth Amendment. She sought class action relief, describing the putative class as including “all job applicants for non-safety-sensitive positions with the Palm Beach County School District.” She sought declaratory and injunctive relief. The district court denied injunctive relief, noting that the School Board had established a “special need” to conduct drug testing of substitute teacher applicants because even “a momentary lapse of attention…could be the difference between life and death,” and that the balance of the interests weighed in the School Board’s favor. Friedenberg appealed. In reviewing whether injunctive relief was appropriate, the Court first analyzed whether there was a substantial likelihood of success on the merits, i.e., whether the drug testing constituted an unreasonable search and seizure in violation of the Fourth Amendment. Given that the drug test was conducted without individualized suspicion, the School Board was required to demonstrate a “special need” to conduct the drug testing.
The Court agreed with the School Board that a “special need” existed, given that the School Board has a “compelling interest in ensuring that teachers—including substitutes—are not habitual drug users.” Among other things, the Court focused on the safety-sensitive aspects of the substitute teacher’s job, including: being alone with students; monitoring students for safety purposes such as preventing or stopping fights; reporting and addressing hazards or other unsafe circumstances; detecting and promptly responding to student health issues; detecting and reporting student drug use or possession; and reporting suspected child abuse. Once the “special need” was established, the Court then weighed the competing private and governmental interests implicated by the search. Noting that public school teachers “enter a heavily regulated field with diminished privacy expectations,” the Court examined the testing protocol adopted by the School District and the efficacy of the testing regime. The drug testing was performed in accordance with the requirements of the Florida Administrative Code, Fla. Admin. Code R. 59A-24.005(3), and pursuant to the School District’s written policy. The Court concluded that the urine drug testing regime was “minimally intrusive” and that the School District had a “compelling interest” in weeding out applicants who abuse drugs “in order to better achieve the basic safety and tutelary obligations of our schools.” In sum, the Court held: “[a]s we see it, ensuring the safety of millions of schoolchildren in the mandatory supervision and care of the state, and ensuring and impressing a drug-free environment in our classrooms, are compelling concerns. Because we recognize today a special need to conduct such testing, and because the balance of interests weighs heavily in its favor, we hold that the suspicion-less testing of substitute teacher applicants in Palm Beach County is permissible…”
Delta Settles Class Action Lawsuit
Delta Air Lines agreed to pay $2.3 million to settle a class-action lawsuit alleging that the company failed to provide approximately 44,000 job applicants with a stand-alone background check disclosure during the hiring process, in violation of the Fair Credit Reporting Act (FCRA). Delta’s hiring forms allegedly contained extraneous and misleading information that could not be easily understood without reading the FCRA itself. The FCRA requires a “clear and conspicuous” stand-alone disclosure be provided to job applicants prior to requesting a background check. Employers should annually review their disclosure and authorization notice to ensure it is compliant with federal/state law or risk exposure to litigation. Read the motion for preliminary approval of class action settlement: https://d12v9rtnomnebu.cloudfront.net/diveimages/Delta.pdf (Schofield v. Delta Air Lines, Case 3:18-cv-00382).
FCRA Class Action Survives Early Procedural Challenge
This week we got another big FCRA decision in Sanders v. Global Radar Acquisition. In Sanders, the plaintiffs filed a putative class action claiming that the Defendants failed “to obtain certification prior to furnishing a consumer report for employment purposes in violation of 15 U.S.C. § 1681b(b)(1)(A).” The Plaintiffs were employed by Naples Hotel Group, which was not a party to the action, but were terminated based on the contents of background checks provided by Global HR, a consumer reporting agency. The crux of the claim was not that the Defendant reported false information but rather that the Defendant lacked certifications from the Naples Hotel Group that were required by the FCRA before providing reports. The issue before the district court was whether the plaintiffs had Article III standing to sue. By way of some background: When applying for a position at Naples Hotel Group, Plaintiffs were required to sign documents titled “Notice and Acknowledgment”, which purportedly authorized Naples Hotel Group to procure their consumer reports for employment purposes. Global HR supplied the “Notice and Acknowledgement” forms, which plaintiffs allege did not comply with the FCRA. The relevant statutory provisions are 15 U.S.C. § 1681b(b)(1)(A)(i)-(ii), (b)(2), and (b)(3). In the Amended Complaint, Plaintiffs allege they were terminated on October 5, 2016 based upon the consumer reports Global HR unlawfully furnished to Naples Hotel Group and were never provided with pre-adverse action notification required by the FCRA. They further allege that Global HR invaded their “right of privacy” by providing their confidential information without proper authorization. The Defendant moved to dismiss. Importantly, the question in the Sanders case isn’t whether the Plaintiffs had statutory standing to sue. Instead, the issue was whether under Spokeo the plaintiffs had Article III standing. 
Article III standing is a threshold requirement to bring a claim, which (like jurisdiction) must be addressed before the merits. To establish Article III standing, a plaintiff must establish injury in fact, causation, and redressability. For injury in fact, it’s not enough to allege a procedural violation. The plaintiff must actually have suffered harm. That harm must be caused by the Defendant’s conduct. It must be “fairly traceable” to the Defendant. Finally, the harm suffered must be capable of redress by a favorable decision. The Sanders court found that the Plaintiffs’ harm wasn’t a mere technical violation of the statute but, rather, was precisely the type of harm the FCRA intends to protect against: the distribution of consumer reports without authorization. As to causation, the Court also found that, critically, that harm was “fairly traceable” to the Defendant’s conduct. Specifically, the injury flowed from the Defendant’s conduct. The Court denied the Defendant’s motion to dismiss and found that the Plaintiffs had Article III standing to sue.
Court Rejects Defendant’s Attempt to Recover Attorneys’ Fees Under “Bad Faith” Provision of the FCRA
A recent case out of the U.S. District Court in Arizona has shown that it is not easy for a defendant to recover attorneys’ fees under the “bad faith” provision of the Fair Credit Reporting Act. In Perri v. Diversified Adjustment Serv., 2018 U.S. Dist. LEXIS 213612 (D. Ariz. Dec. 19, 2018), a district court denied the defendant’s motion for attorneys’ fees under the FCRA after the pro se plaintiff’s case was dismissed. The plaintiff, Joshua Perri, filed a complaint against Diversified Adjustment Services, a debt collector, alleging defamation, negligent enablement of identity theft, and violation of the FCRA. However, Perri failed to comply with the district court’s orders and failed to prosecute the claims. The district court dismissed the case as a result. Diversified moved for attorneys’ fees under the FCRA. § 1681n(c) provides that “[u]pon a finding by the court that an unsuccessful pleading, motion, or other paper filed in connection with an action under this section was filed in bad faith or for purposes of harassment, the court shall award to the prevailing party attorney’s fees reasonable in relation to the work expended in responding to the pleading, motion, or other paper.” In bringing the motion, Diversified argued that Perri was acting in bad faith because he disobeyed several court orders, including failing to attend the Rule 16 conference. Diversified also argued that the action was frivolous because Perri never prosecuted the claims. Finally, Diversified argued that because the complaint contained no facts coupled with an email he sent calling the defense counsel “dishonest dirt bags,” it was evident that the complaint was filed for the purpose of harassment. The Court found Diversified’s arguments unpersuasive, stating that the debt collector had not shown that Perri filed any document in the case in bad faith or for harassment purposes as required for an award of attorneys’ fees under the FCRA. 
The Court pointed out that Perri’s actions in disobeying several court orders, coupled with his failure to prosecute the case, were the reason why the Court terminated the case as a sanction. The Court reasoned that attorneys’ fees under § 1681n(c) may be awarded based on an action filed in bad faith, not for misconduct of the parties during the pendency of the action. The Court also noted in its opinion that it could not infer bad faith or harassment from the lack of factual allegations in the complaint because it did not know enough about the allegations to know whether they were frivolous.
Ultimately, the Perri Court held that to be awarded attorneys’ fees under § 1681n(c) of the FCRA, a defendant must show that the motion or complaint was filed in bad faith or for purposes of harassment. It is not enough that a pleading or motion in question later turned out to be baseless.
Court Certifies Class of 5M Walmart Applicants in Background Check Suit
A California district court has certified a class of approximately 5 million people who once applied to Walmart in a suit alleging background check violations (Pitre v. Walmart Stores, Inc., No. 17-cv-01281 (C.D. Cal. Jan. 17, 2019)). The lawsuit alleges that Walmart willfully included extraneous information in disclosure forms and procured investigative reports without informing class members of their right to request a written summary of their rights under California and federal law. The court concluded that the proposed class met the requirements for certification and also agreed to add two additional class representatives. Walmart is now one of several employers that have recently faced allegations of improper background check procedures, in violation of the federal Fair Credit Reporting Act (FCRA) and/or state law.
Delta recently paid $2.3 million to settle a class action involving approximately 44,000 applicants. Like Walmart, Delta was accused of (among other things) including extraneous information on its disclosure forms. Frito-Lay and Target have paid out multimillion-dollar background check settlements as well within the past year.
The FCRA has specific rules employers must follow. A disclosure form, for example, must consist of only the legally required disclosure. Multi-state employers often try to consolidate and standardize their compliance efforts to satisfy the requirements of multiple jurisdictions, but where background checks are concerned, this move can backfire. As these employers recently found, a single problematic background check form can give rise to a costly class action involving thousands of plaintiffs.
The U.S. Equal Employment Opportunity Commission (EEOC) and the Fair Trade Commission (FTC) have jointly issued background check guidance for employers, suggesting some best practices:
- Treat everyone equally; it’s illegal to base a background check on the applicant’s race, religion, age or other protected characteristic.
- Except in rare circumstances, don’t seek to obtain genetic information from applicants.
- Follow the procedures required by the FCRA before you start compiling background information, including notifying the applicant in advance and getting the required written permission.
- Take special care when basing employment decisions on background factors that may be more common among applicants within a certain protected group.
- Be prepared to make exceptions for problems revealed during a background check that may be caused by a disability.
- Follow additional required procedures when you reject an applicant on the basis of information uncovered by the background check.
- Be sure you satisfy recordkeeping and disposal rules relating to background check results.
Employers should note that the law has additional requirements and that state and local laws may apply as well.
9th Circuit Says FCRA Background Check Disclosures Cannot Reference State Laws
A U.S. appeals court on Tuesday held that documents employers give to job applicants disclosing their rights under the federal law governing background checks cannot contain any reference to comparable state laws. A unanimous three-judge panel of the 9th U.S. Circuit Court of Appeals said the federal Fair Credit Reporting Act’s requirement that job applicants be given a document consisting “solely” of disclosures mandated by the law means they cannot include any information about state laws.
Spain’s New Data Protection Act Now in Force
When the GDPR came into effect on May 25, 2018, several European Member States had yet to put in place further implementing legislation. And while the data protection world watches and eagerly digests each new interpretive guidance from data protection authorities, Member State legislation provides additional interpretive tones of harmony or discord in data protection across Europe. After much delay and almost seven months after the EU’s General Data Protection Regulation (“GDPR”) came into force, the Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (“LOPDGDD”)—which implements the GDPR in Spain—entered into force on 7 December 2018. As with the other national implementing laws, though the leitmotif remains the same, Spain takes advantage of a number of the derogations under the GDPR including inter alia the following:
- Sensitive Personal Data: the processing of sensitive personal data (e.g., health data, ethnicity, race) is prohibited under Article 9(1) of the GDPR unless one of the conditions for processing such data is satisfied under Article 9(2) of the GDPR. The LOPDGDD provides that consent will not be a valid condition where the primary purpose of the processing is to identify e.g., the individual’s ethnicity. Instead, it will be necessary to rely on another condition under Article 9(2) of the GDPR.
- Business Contact Data: there is a presumption that the processing of personal data of business contacts, where the sole purpose is to establish a relationship with the business, will be in the legitimate interests of the controller.
- Data Protection Officers: a list of entities that must appoint a data protection officer is set out in the LOPDGDD. These include, for example, insurers, investment service companies and providers of information society services. Organizations have ten days from the date of appointment of a data protection officer to notify the Spanish data protection authority of the appointment.
- Children’s Data: only children aged 14 or over are able to provide valid consent with regard to the receipt of online services.
- Accuracy of Data: Article 5(1)(d) of the GDPR requires that personal data be accurate and where necessary kept up to date. The LOPDGDD provides that a controller will not be responsible for processing inaccurate personal data in certain limited circumstances, including where the data were obtained from a public register or the data were received from a third party as a result of a request for data portability.
- Digital Rights: the LOPDGDD introduces a number of new digital rights for individuals which go beyond those provided in the GDPR e.g., the right to privacy and use of digital devices in the workplace. This includes a right to “digital disconnection” that applies to both public and private sector workers. And while the precise details of how those rights of disconnection will be exercised is generally left to the internal policies of employers as well as collective bargaining processes, it is nonetheless a significant development for the digital economy.
Guidance for User Consent in Canada
The Offices of the Privacy Commissioner of Canada, British Columbia, and Alberta have released guidance for companies to obtain consent from users (Toronto Star). Reported in Arnall Golden Gregory January 7, 2019 Daily Privacy & Consumer Regulatory Alert.
EU Advocate General: Right to be Forgotten is Limited to EU
On January 10, 2019, Advocate General Szpunar of the Court of Justice of the European Union (CJEU) released his opinion regarding a 2016 enforcement action carried out by the French Supervisory Authority (CNIL) against Google. In that case, the CNIL ordered Google to de-reference links to webpages containing personal data. According to the CNIL, the de-referencing had to be effective worldwide. Google challenged the CNIL’s decision before the French administrative court, which then referred this matter to the CJEU. In his opinion, Advocate General Szpunar disagrees with the CNIL’s view on a worldwide application of the “right to be forgotten.” According to Szpunar, the EU Charter’s right to data protection must be balanced against other Charter rights, such as the right of access to information. These rights must be applied with a territorial link to the EU and cannot be broadly interpreted to apply across the whole world. To that end, Szpunar emphasizes that EU regulators cannot reasonably be expected to make this balancing test for the entire world. Moreover, a worldwide application of the de-referencing obligation would send a “fatal signal” to third countries eager to limit access to information. It could lead to a race to the bottom at the expense of freedom of information in the EU and worldwide. This does not mean that EU data protection law can never have an extra-territorial dimension, but not in this case. While a worldwide obligation to de-reference is not desirable, Szpunar does believe that Google should be required to make every effort to de-reference the relevant links across the EU (and not just in France). This includes by means of “geo-blocking”, irrespective of the search engine domain used—i.e., a user of Google.com, Google.fr or Google.de should not see the relevant links if it can be established that the user is in the EU (for example, on the basis of the user’s IP address).
The opinion of the Advocate General will now be considered by the CJEU, which is expected to render a decision in a couple of months. The CJEU often follows the general analysis of the Advocate General.
ICO Fines Company for Failing to Respond to Data Request
On January 9th, The Guardian reported that the UK Information Commissioner’s Office (ICO) fined Cambridge Analytica’s parent company, SCL Elections, £15,000 for failing to respond to an American citizen’s request for copies of information it holds on him. David Carroll requested a copy of his data in 2017 from SCL and was later provided basic information and other documents regarding his political opinions. Carroll then requested further information from SCL regarding his political opinions, including the source of information used to create the predictions. However, the company did not provide the information saying that Carroll did not have a right to the additional information since he was not a UK citizen. ICO ordered SCL to provide the information in May 2018, but the company failed to comply. As a result, a UK district court imposed a penalty against the company. Reported in Arnall Golden Gregory January 15, 2019 Daily Privacy & Consumer Regulatory Alert.
Recruitment, Wage, and Hour Law in Mexico
What are the requirements relating to advertising positions?
Employers have the right to freely advertise vacancies and positions. Recruitment processes must be done carefully so as not to create a labor relationship while making assurances and provisions in writing. Offer letters must always be contingent on written acceptance by both parties and background checks. Even though solicitation is permitted, it is important not to advertise positions establishing requirements which are not essential (e.g. race, religion, gender, social status, physical appearance or any other category that could fall under a suspicious practice of corporate discrimination).
What can employers do with regard to background checks and inquiries in relation to the following:
Employers can freely ask any candidate and can also conduct legal searches with applicable authorities.
Employers can freely ask any candidate.
Employers may require screening and would be obliged to secrecy. If positive, the employer must be careful not to deny employment solely on the basis of a positive result.
Credit checks are applicable.
It is an obligation to inquire about immigration status and to resolve all migratory issues before hiring a foreign candidate. If the Migration Institute realizes that foreign nationals are working without permission, employees may be subject to deportation and the employer would be liable to pay penalties and fees.
This is private information and direct involvement by an employer could be considered an offense.
Employers can use any information that is publicly available, but must never pry or infiltrate social media, email or other closed personal accounts. Before offering employment, employees may be subject to drug screening and must sign a waiver. While recruiting, employers need to maintain objectivity and must never deny employment due to race, sexual preference, appearance, color, religion or other aspects that may imply discriminatory practices.
Wages and Working Time
Is there a national minimum wage and, if so, what is it?
National minimum wage changes yearly; for 2018 it is Ps88.36 per day.
Are there restrictions on working hours?
In accordance with the Organization for Economic Cooperation and Development, Mexico has an average working week of 43 hours, which is legally capped at 48 hours per week. Everything above 48 working hours in a week is considered overtime, which is also capped at nine hours per week (maximum three extra hours over three days). These hours must be paid at 100% of the normal rate and should an employee work over the nine hours, each subsequent hour must be paid at 200% of the normal hourly rate.
What are the requirements for meal and rest breaks?
Federal labor law establishes that during a continuous working day (eight hours per day), the employee must be given a rest or meal period of at least 30 minutes. If the employee cannot leave the workplace during the rest or meal period, the time corresponding to such periods is to be counted as time worked and included as part of the working day.
How should overtime be calculated?
Overtime is capped at nine hours per week (maximum three extra hours over three days). These hours must be paid at 100% of the normal rate, and if in any case an employee works over the nine weekly hours, each subsequent hour must be paid at 200% of the normal hourly rate.
What exemptions are there from overtime?
In case of emergency or imminent risk at the workplace, the employee must work regardless of overtime.
Is there a minimum paid holiday entitlement?
After one year of employment, an employee is entitled to a vacation period of six working days. This increases by two days over the next three years until the employee reaches 12 vacation days per year. Thereafter, the vacation period increases by two days for each additional five years of service. Vacations must be enjoyed during mandatory working days.
| Years of Service | Number of Vacation Days |
| --- | --- |
| 5 to 9 | 14 |
| 10 to 14 | 16 |
Compulsory holidays are observed on 1 January, 5 February, 21 March, 1 May, 16 September, the third Monday of November, 1 December (every six years), 25 December and any day that election law mandates to exercise the right to vote. Employees that work a mandatory holiday are entitled to 200% of the normal rate per working day.
What are the rules applicable to final pay and deductions from wages?
As a general rule of law, deductions in wages are prohibited unless the following applies:
- reimbursement of balance owed by the employer for anticipated wages;
- a calculation error has occurred, and the employer has overpaid;
- the acquisition of goods produced by the employer;
- the resultant balance is a result of slip-ups, misplaced equipment or errors; and
- other deductions, including union payments, maintenance or child support as mandated by applicable courts.
In all cases, deductions must be warranted and in writing. In no case can any deduction be for more than one month’s salary.
What payroll and payment records must be maintained?
All records must be kept by the employer as procedural burden of proof. Responsibility for employment conditions lies exclusively on employers. Payment records must be signed by the employee on receipt and kept safely in the workplace. Any and all payments made for statutory benefits must also be signed on receipt and kept by the employer.
To view full article: https://www.lexology.com/navigator#!results/310/view
EU Adopts Japan Adequacy
On January 23rd, the European Commission announced that it adopted its adequacy decision on Japan, which allows personal data to flow between the two countries. This is the last step in the adequacy process and the decision is now in effect. The first joint review will occur in two years to assess the “functioning of the framework.” Key elements of the decision include a set of rules to reconcile differences between the two data protection systems to strengthen safeguards relating to the protection of sensitive data, the exercise of individual rights, and the conditions in which EU data can be transferred from Japan to a third party; and a complaint mechanism to investigate and resolve complaints from Europeans regarding access to their data by Japanese public authorities. Reported in Arnall Golden Gregory January 25, 2019 Daily Privacy & Consumer Regulatory Alert.