President Biden Signs Executive Order Regarding Non-Competes
On Friday, July 9th, President Biden issued an Executive Order (EO) covering a range of issues related to economic competition, including a directive aimed at employee non-compete agreements. The EO “encourages” the Federal Trade Commission (FTC) to limit or ban non-compete agreements. It remains to be seen whether the FTC or any other federal agency will act on the non-compete directive and, if so, the scope of any rulemaking (e.g., might more leeway be given where employees possess trade secret or other confidential information). Even if change does not occur at the federal level, the directive may drive state and local level legislation as more states enact measures to restrict the use of non-competes.
Illinois Enacts Equal Pay Certification Follow-Up Amendments
Signed by Governor J.B. Pritzker into law June 25, 2021, new amendments to the Equal Pay Act of 2003 alter and clarify the practical implications of obtaining an equal pay registration certificate under the Act.
Under a requirement enacted when Governor Pritzker signed an amendment to the Equal Pay Act on March 23, 2021, businesses with more than 100 employees must obtain from the Department of Labor an equal pay registration certificate certifying compliance with the Act.
To obtain the certificate, businesses are required to pay a $150 filing fee and submit an application containing a statement to the Department of Labor affirming compliance with the equal pay principles set forth in Title VII of the Civil Rights Act, the Equal Pay Act of 1963, the Illinois Human Rights Act, the Equal Wage Act, and the Equal Pay Act of 2003.
The statement signed by an officer or agent of the business must make several affirmations, including representing that:
- The average compensation for the business’s female and minority employees is not consistently below the average compensation for its male and non-minority employees within major job categories when accounting for various distinguishing factors;
- The business does not restrict certain genders to specific roles and makes employment decisions without regard to sex; and
- Wage and benefit disparities are corrected by the business when identified.
In addition, to obtain the certificate, businesses required to file a federal EEO-1 report (generally, companies with more than 100 employees) also must include a copy of their most recent EEO-1 report. EEO-1-eligible companies also must submit a “wage records” list of all employees in the past calendar year, categorized by gender and race/ethnicity with corresponding wages paid to each employee over that period, the employee’s start date with the business, and “any other information the Department [of Labor] deems necessary to determine if pay equity exists.” Employers with fewer than 100 employees must certify in writing to the Department of Labor that they are exempt.
The provision allowing “any other information” the Department of Labor deems necessary is a broad grant of deference to future Department of Labor guidance and regulations on the certificate application process. The pragmatic implications of this grant are yet to be determined.
Compliance and Enforcement
The legislative text previously required businesses to comply with Equal Pay registration certificate requirements within three years of the passing of the amendments. The newly passed amendments provide a definitive deadline for compliance, requiring businesses subject to the requirement as of March 23, 2021, to apply for and obtain an equal pay registration certificate between March 24, 2022, and March 23, 2024. The amendment text details no apparent statutory advantages or drawbacks to filing earlier or later within that window.
Initially, the certification required employers to provide the Department of Labor with the system used to set compensation and required that employers select from the following options: market-based, prevailing wage/union contract, performance pay, internal analysis, or another alternative to be described by the employer. Under the new amendments, the employer is required to describe the “approach” used to determine wages, but the employer is not required to select from any specific system. Instead, the statute states that “acceptable approaches include, but are not limited to, a wage and salary survey.”
Penalties for revocation of or failure to procure the equal pay registration certificate have also changed in the latest iteration of the legislation. Before the June amendments, these deficiencies would subject a business to a fine of one percent of the business’s gross profits. This penalty did not account for a company’s net earnings, thus rendering the penalty potentially more punitive for less profitable businesses. The June additions to the text authorize a penalty of $10,000 per violation for businesses of more than 100 employees.
The amendments also provide a 30-day grace period to correct an inadvertent failure to file an application or to cure deficiencies in an application for the equal pay registration certificate.
Access to Application Data
The June amendments also provide parameters around third-party access to this data. A current employee of a business subject to the equal pay registration certificate requirements may request “anonymized” data regarding their job classification and the pay for that classification.
A provision of the amendments specifies that any “individually identifiable information” submitted as part of the certificate application will be considered confidential and not subject to FOIA requests. Aggregate data, however, is not considered confidential and is not exempt from FOIA.
Finally, the amendments outline penalties for Department of Labor employees found to have leaked confidential application information. On the other hand, the Department of Labor is authorized to share aggregate and individually identifiable information submitted with the Illinois Department of Human Rights or the Office of the Attorney General pursuant to either entity’s authority to enforce provisions of the Illinois Human Rights Act.
Illinois Legislature Passes Sweeping Non-Compete And Non-Solicitation Bill
The Illinois General Assembly has unanimously passed a bill that will significantly affect the legality of post-employment non-competition and non-solicitation agreements between employers and their Illinois employees entered into after Jan. 1, 2022. Illinois Gov. J.B. Pritzker is expected to sign the bill into law. The bill, Amendment 1 to SB 672, amends the Illinois Freedom to Work Act in several respects. The amendment:
- Codifies the definitions of “covenant not to compete” and “covenant not to solicit” and carves out certain exceptions, as summarized later in this GT Alert;
- Requires that a covenant not to compete or covenant not to solicit be supported by “adequate consideration” to the employee, ancillary to a valid employment relationship, contain restrictions no greater than the protection of the employer’s legitimate business interest, not impose undue hardship on the employee, and not be injurious to the public;
- Defines “adequate consideration” as either: (i) two years of continuous employment with the employer after the employee signs a non-competition or non-solicitation agreement, or (ii) employment of the individual by the employer for “a period of employment” plus additional professional or financial benefits or merely professional or financial benefits that are “adequate by themselves.” These requirements essentially codify the criteria for adequate consideration established by the Illinois Appellate Court for the First District (Cook County) in Fifield v. Premier Dealer Services, 993 N.E.2d 938 (2013), which have not been unanimously adopted by Illinois state and federal courts. However, the bill does not define “a period of employment” or “adequate by themselves,” leaving those judgments up to further interpretation;
- Codifies the “totality of circumstances” test for determining the employer’s “legitimate business interest” as established by the Illinois Supreme Court in Reliable Fire Equipment Co. v. Arredondo, 965 N.E.2d 393 (2011). In that case, the court applied a three-prong test of reasonableness to restrictive covenants that are ancillary to an employment relationship. In order to meet that test, the covenant: (i) must be no greater than is required for the protection of a legitimate business interest of the employer; (ii) must not impose undue hardship on the employee; and (iii) must not be injurious to the public. The court explained: “Whether a legitimate business interest exists is based on the totality of the facts and circumstances of the individual case. Factors to be considered in this analysis include, but are not limited to, the near-permanence of customer relationships, the employee’s acquisition of confidential information through his employment, and time and place restrictions. No factor carries any more weight than any other, but rather its importance will depend on the specific facts and circumstances of the individual case.” 965 NE2d at 403;
- Requires the employer to (i) advise the employee in writing to consult with an attorney before entering into a non-competition or non-solicitation covenant, and (ii) provide the employee with a copy of such covenant(s) at least 14 calendar days before the employee begins employment or provide the employee at least 14 calendar days to review the covenant(s). An employee may voluntarily sign the covenant agreement before the 14-day period expires;
- Prohibits non-competition covenants with employees who have actual or expected “earnings” of $75,000 per year or less (to increase by $5,000 every five calendar years beginning Jan. 1 of each such year until the threshold of $90,000 is reached). “Earnings” include all forms of earned compensation reported on the employee’s IRS W-2 form such as salary, bonuses and commissions, plus elective deferrals that are not reflected on the employee’s W-2, such as employee contributions to a 401(k) or 403(b) plan, a flexible spending account, or a health savings account, or commuter benefit-related deductions;
- Prohibits non-solicitation covenants with employees who have actual or expected “earnings,” as defined above, of $45,000 per year or less (to increase by $5,000 every five calendar years beginning Jan. 1 of each such year until the threshold of $52,500 is reached);
- Prohibits non-competition covenants with employees covered by collective bargaining agreements under the Illinois Public Labor Relations Act or the Illinois Educational Labor Relations Act, and any employees employed in construction, except such employees who primarily perform management, engineering or architectural, design or sales functions, or who are shareholders, partners or owners in the employer; and
- Prohibits non-competition covenants and non-solicitation covenants with any employee who an employer terminates, furloughs or lays off as a result of business circumstances or governmental orders related to the COVID-19 pandemic or under circumstances similar to the pandemic. An exception to this prohibition exists if the covenant includes compensation to the employee equivalent to the employee’s base salary at the time of such a separation through the restricted period, less compensation earned by the employee through subsequent employment during the enforcement period.
Covenants Not to Compete and Not to Solicit
The bill defines “covenant not to compete” as an agreement between an employer and an employee entered into after Jan. 1, 2022, that restricts the employee from performing: (i) any work for another employer for a specified period of time; (ii) any work in a specified geographical area; or (iii) work for another employer that is similar to the employee’s work for the employer that is a party to the covenant. This definition further includes an agreement between an employer and employee that by its terms imposes adverse financial consequences on an employee if the employee engages in competitive activities with the employer after the employee’s separation of employment with the employer. Excluded from the definition of “covenant not to compete” are: covenants not to solicit; confidentiality agreements and agreements prohibiting the use or disclosure of trade secrets or inventions; invention assignment agreements; agreements by a person purchasing or selling the goodwill of a business or acquiring or disposing of an ownership interest in a business; agreements that require advance notice of termination of employment during which the employee receives compensation and remains an employee of the employer; and agreements by which an employee agrees not to reapply for employment with the same employer after the employee’s termination of employment with the employer. The bill defines “covenant not to solicit” as an agreement between an employer and employee that: (i) restricts the employee from soliciting the employer’s employees for employment, or (ii) restricts the employee from soliciting, for the purpose of selling products or services of any kind to, or from interfering with the employer’s relationships with, the employer’s clients, prospective clients, vendors, prospective vendors, suppliers, prospective suppliers, or other business relationships.
Illinois courts have historically upheld covenants not to compete and not to solicit that are broader in scope than those contained in employment agreements where the agreements are ancillary to the sale and purchase of a business, even in situations where an owner of the selling entity becomes an employee of the purchaser. The bill, as written, excludes covenants or agreements by a person purchasing or selling the goodwill of a business or acquiring or disposing of an ownership interest in a business from the definition of “covenant not to compete.” However, that provision contains no similar reference excluding sale-of-business agreements from the definition of “covenant not to solicit.” It is not clear whether that omission was intentional or was an oversight by the legislature. Until this issue is clarified, employers who purchase businesses should proceed with caution in drafting covenants not to solicit in purchase agreements in situations where they agree to hire the previous owner or seller.
Reformation of Overly Broad Covenants
The bill also provides guidance on when courts may modify overly broad covenants rather than holding them unenforceable. Courts continue to enjoy broad discretion to modify or sever an otherwise unenforceable restriction. Therefore, it is not clear whether these provisions of the bill will have any effect on the historic reluctance of Illinois state judges to reform otherwise unenforceable post-employment restrictions. In order for a court to exercise this discretion, the agreement between the employer and employee should specifically authorize the court (or an arbitrator) to do so.
Remedies for Violations
Employees who prevail in actions or arbitrations by employers to enforce covenants not to compete or not to solicit are entitled to recover their costs and reasonable attorney’s fees and such other relief that the court or arbitrator determines appropriate, as well as any relief authorized under the agreement between the parties or under any other applicable statute. A fee-shifting provision in favor of a prevailing employer is not prohibited in the bill.
Attorney General Enforcement
The Illinois attorney general, on behalf of the People of Illinois, may intervene in any civil action or initiate a civil action if the attorney general has reasonable cause to believe that there is a pattern or practice of conduct prohibited by the bill. In addition to other legal and equitable relief, the attorney general may seek a civil penalty of up to $5,000 for each violation or up to $10,000 for each repeat violation within a five-year period. A violation is considered separate for each employee who was subject to an invalid agreement under the bill. The attorney general may also conduct an investigation prior to initiating such an action and require compliance with the investigation.
Key Takeaways for Employers
Although the bill will apply only to covenants not to compete and not to solicit entered into after Jan. 1, 2022, employers may wish to take the opportunity before that date to have legal counsel review their existing non-competition and non-solicitation agreements with Illinois employees, including fee-shifting provisions. Employers may consider entering into new or updated agreements before that date or modifying existing agreements to better conform to the bill’s requirements, since courts may look to those requirements in construing pre-bill covenants. Once the bill is effective, employers will need to work with legal counsel to comply with the new law for new and modified covenant agreements for Illinois employees. Choice of law and forum provisions will also need to be carefully considered. In general, this bill is not favorable to employers, and if enacted into law, it raises significant concerns about predictability of contract enforcement and government intrusion into employment agreement terms that are important to many companies.
Nevada Now Among States Requiring Employers To Disclose Wage Ranges & Banning Salary History Inquiries
Seyfarth Synopsis: Nevada has enacted legislation that will require employers to provide applicants and some current employees with wage ranges for positions. The new law also makes it unlawful for employers to seek or rely on an applicant’s wage or salary history (even if this information is voluntarily provided) or take certain actions against an applicant who refuses to provide his or her wage or salary history.
Employers Must Disclose Wage or Salary Ranges or Rates to Applicants and Some Current Employees
Effective October 1, 2021, Nevada will require employers to provide wage or salary range or rate information to new hire applicants and to employees who apply for promotions or transfers. The Nevada law follows the nationwide trend toward greater pay transparency and similar wage range disclosure laws in California, Colorado, Connecticut, Maryland, Washington State, the City of Toledo, and the City of Cincinnati. Similar to laws in Connecticut, Colorado and Washington, the law will require disclosure to applicants and, to some extent, current employees.
Under the new law, Nevada employers and employment agencies must proactively provide the “wage or salary range” or “rate” for a position as follows:
- To applicants who have completed an interview for a position.
- To current employees for a promotion or transfer to a new position if the employee has:
  - applied for the promotion or transfer;
  - completed an interview for the promotion or transfer or been offered the promotion or transfer; and
  - requested the wage or salary range or rate for the promotion or transfer.
“Wage or salary range” and “rate” are not defined in the law.
Salary History Ban
The new law also restricts employers from inquiring into an applicant’s salary history. Specifically, the new law prohibits an employer or an employment agency from:
- Seeking the wage or salary history of an applicant for employment;
- Relying on the wage or salary history of an applicant to determine whether to offer employment to the applicant or the rate of pay for the applicant; or
- Refusing to interview, hire, promote, or employ an applicant, or discriminating or retaliating against an applicant if the applicant does not provide wage or salary
“Wage or salary history” is defined as “the wages or salary paid to an applicant for employment by the current or former employer of the applicant. The term includes, without limitation, any compensation and benefits received by the applicant from his or her current or former employer.”
Unlike many salary history bans, the Nevada law does not provide an exception for relying on information voluntarily disclosed by an applicant. The Nevada law, similar to the salary history ban in Illinois, does not allow employers to consider or rely on the voluntary disclosures as a factor in determining whether to offer a job applicant employment or making an offer of compensation. This makes Nevada’s salary history ban law one of the more onerous salary history bans.
That said, nothing in the Nevada law prohibits an employer from asking prospective employees about their wage or salary expectations. Quite the opposite, the law explicitly provides that an employer may ask for such information.
The above requirements apply to private employers and employment agencies. The law defines an “employer” as a public or private employer in the State of Nevada. The statute also separately specifies that the above requirements do not apply to “[a]ny employer with respect to employment outside [Nevada].”
An “employment agency” means “any person regularly undertaking with or without compensation to procure employees for an employer or to procure for employees opportunities to work for an employer.”
Enforcement, Penalties and Damages
There is a private enforcement mechanism discussed in the statute. A person may file a complaint with the Labor Commissioner and, upon receipt of a right-to-sue notice, may bring a civil action in district court against the alleged violating party.
Under the law, employers may be subject to administrative penalties. That is, in addition to any other remedy or penalty, the Labor Commissioner may impose an administrative penalty of not more than $5,000 for each violation against the violating employer or staffing agency. The Labor Commissioner may also recover any costs associated with the proceeding (including attorney’s fees).
In addition, a court may award an employee the same legal or equitable relief that may be awarded to a person pursuant to Title VII of the Civil Rights Act of 1964, if the employee is protected by Title VII.
State Privacy Law Patchwork Expands As Colorado Passes Comprehensive Privacy Law
Colorado just became the third state to pass a comprehensive data privacy law, creating more challenges for businesses trying to navigate a variety of state, federal, and international privacy regimes. The Colorado Privacy Act (“CPA”) will become effective July 1, 2023. Although the CPA includes many of the concepts in the California Consumer Privacy Act of 2018 (“CCPA”), the California Privacy Rights Act of 2020 (“CPRA”), and the Virginia Consumer Data Protection Act (“VCDPA”), how Colorado implements those concepts does not align perfectly with California or Virginia law, making it critical that organizations consider adopting a holistic approach to complying with their increasingly varied data privacy obligations.
Who Is Covered?
The CPA applies to legal entities that conduct business in or deliver products and services that are intentionally targeted to Colorado residents and meet one or both of the following thresholds: the entity either (1) controls or processes personal data of at least 100,000 Colorado residents annually, or (2) derives revenue or receives a discount on goods or services from selling personal data and processes or controls the personal data of at least 25,000 Colorado residents. Unlike the CCPA and the CPRA, the CPA does not have a revenue threshold.
The new law applies to “personal data,” which is information that is not publicly available and that is linked or reasonably linkable to an identified or identifiable individual. The CPA also recognizes “sensitive data,” which is personal data that reveals racial or ethnic origin, religious beliefs, a mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship or citizenship status. Sensitive data also includes genetic or biometric data and personal data from a known child. As described below, the CPA imposes heightened requirements for the collection and processing of sensitive data.
Who Is Exempt From the CPA?
Similar to the CCPA, CPRA, and VCDPA, the CPA does not apply to personal data that is already governed by certain federal and state privacy laws, such as protected health information, health-care information, and patient identifying information, and does not apply to certain entities. The exemptions are specific and can be complicated. For example, the CPA has data exemptions for information governed by the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Gramm-Leach-Bliley Act, the Family Educational Rights and Privacy Act of 1974 (“FERPA”), and the Children’s Online Privacy Protection Act of 1998 (“COPPA”). It also does not apply to certain activities regulated by the federal Fair Credit Reporting Act, such as those involving the collection, sale, or use of personal data that is related to creditworthiness or reputation when provided by a consumer reporting agency. Other exemptions include personal data maintained for employment records purposes, and customer data maintained by public utilities.
Notably, the CPA has entity exemptions for financial institutions and their affiliates that are subject to the Gramm-Leach-Bliley Act, national securities associations registered pursuant to the Securities Exchange Act of 1934, and air carriers regulated under 49 U.S.C. § 40101, et seq. and 49 U.S.C. § 41713. Finally, individuals acting in a commercial or employment context, as a job applicant, or as a beneficiary of someone acting in an employment context are excluded from the definition of a protected “consumer.”
Below is an overview of some of the notable provisions included in the CPA, including data subject rights, roles and responsibilities for controllers and processors, vendor and service provider relationships, privacy notice requirements, principles of data processing, and data protection assessments.
Controller and Processor Roles and Responsibilities. Like the VCDPA, the CPA designates businesses as controllers, i.e., an entity that determines the purposes for and means of processing personal data, and processors, i.e., an entity that processes personal data on behalf of a controller, and assigns rights and responsibilities to each. In general, a processor must follow the controller’s instructions, protect the personal data entrusted to it, and assist the controller in meeting its obligations under the CPA.
Vendor and Service Provider Relationships. Similar to the CPRA and the VCDPA, the CPA requires that controllers and processors enter into a contract with specific requirements for processing and protecting personal data. This is not unlike the requirements set forth in Article 28 of the EU General Data Protection Regulation (“GDPR”), but the requirements under the CPA are not as extensive. Under the Colorado law, the contract must include processing instructions, details on processing, a promise to return or delete data after the contract is terminated, requirements to assist the controller in demonstrating compliance with the CPA, and a requirement that the processor allows the controller to perform annual audits to ensure the processor is meeting its obligations under the contract.
Data Subject Rights. The CPA affords consumers similar privacy rights to those provided by the CPRA and the VCDPA, including the right of access, right to correction, right to deletion, and right to data portability. The CPA differs from the CCPA and CPRA in that it expands the right to opt out of sale of personal data by giving consumers the right to opt out of targeted advertising and profiling to make decisions that have significant effects on them. Additionally, the CPA requires that by July 1, 2024, a controller must allow consumers to use a universal opt-out mechanism to opt out. The Attorney General is responsible for establishing technical specifications for the opt-out mechanism.
Privacy Notice Requirements. Similar to its counterparts in California and Virginia, the CPA requires that controllers provide a privacy notice to consumers detailing the personal data practices for information collected by a controller or on its behalf. The notice must include the categories of personal data collected, the purposes for processing, how to exercise consumer privacy rights, and details of sharing and selling personal data with third parties.
Principles of Data Processing. The CPA requires that controllers follow certain principles and duties of data processing. These include the duty of purpose specification, data minimization, and limiting secondary use. Controllers have a duty of care to take reasonable security measures to secure personal data from unauthorized acquisition during storage and use. Controllers may not violate federal and state laws prohibiting unlawful discrimination against consumers when processing personal data. Finally, controllers must obtain the consumer’s consent before processing sensitive data. These requirements are similar to the principles included in the VCDPA and CPRA.
Data Protection Assessments. In addition to imposing a duty on businesses to use reasonable security measures to protect personal data, the CPA also requires that the controller conduct data protection assessments for high-risk processing. The Act includes a list of circumstances that are considered high-risk, as well as the requirements that the data protection assessments must meet, including the benefits, risks, and mitigating safeguards of the intended processing.
Enforcement. The CPA gives enforcement authority exclusively to the Colorado state attorney general and district attorneys, and specifically states that it does not create a private right of action. Before taking legal action against a violator of the CPA, the attorney general or district attorney must issue a notice of violation to the controller, giving them sixty days to cure the violation. Violations of the CPA are deemed to be deceptive trade practices under the state’s unfair or deceptive trade practices law.
Steps To Prepare For Compliance
While the CPA effective date is almost two years away, businesses should consider the following activities now:
- Updating the organization’s business privacy notice to ensure it conforms to the CPA’s requirements;
- Preparing processes and templates for conducting data protection assessments;
- Auditing the business to ensure it has implemented the core principles for data processing into its operations;
- Putting in place a process to respond to consumer privacy requests;
- Beginning the process of redrafting contracts with vendors as needed so that there are CPA-compliant contracts in place by the effective date; and
- Ensuring that the business can demonstrate its compliance with the CPA requirements.
NYC Businesses: Do You Have Your “Biometric Identifier Collection” Notice Up?
New York City’s Biometric Identifier Information Law (the “NYC Law”) is now in force, effective Friday, July 9th. The NYC Law requires that places of entertainment, retail stores and food and drink establishments that collect biometric identifying information, including from customers and employees, post a “clear and conspicuous” notice to that effect near customer entrances. Further, the NYC Law prohibits the establishment from selling the information or exchanging it for value. Financial institutions are exempt from the signage requirement but not the prohibition on sale. Businesses that have CCTVs are not required to post a notice, provided that: i) they do not analyze the footage to collect biometric identifying information, such as facial recognition; and ii) they do not share the footage except with law enforcement. Notably, the NYC Law provides a private right of action, but the potential plaintiff must give the business 30 days’ written notice before commencing an action for violation of the signage requirement, during which time the business may cure. There is no cure period for violations of the sale requirement.
The NYC Law also provides that the NYC Department of Consumer Affairs issue regulations regarding the signage, but as of Monday, July 12, the regulations have not yet been published. Since the NYC Law is in effect, covered businesses that collect the broad scope of “biometric information” should post some notice today.
Ohio Introduces Data Privacy Legislation
On July 13, 2021, Ohio Lieutenant Governor John Husted announced the introduction of the Ohio Personal Privacy Act (OPPA), a comprehensive privacy framework following in the footsteps of recent legislative enactments in California (the CCPA as modified by the CPRA), Virginia (the CDPA), and Colorado (the Colorado Privacy Act).
The Ohio Personal Privacy Act generally resembles the privacy laws enacted in California, Virginia, and Colorado, but it more closely aligns with the Virginia CDPA in regard to structure, approach, and language. The Ohio Privacy Act also contains a notable deviation from privacy laws enacted in other states: Businesses can utilize an affirmative defense from an enforcement action by the Ohio Attorney General or a lawsuit filed by a consumer if the business creates, maintains, and complies with a written privacy program that reasonably conforms to the National Institute of Standards and Technology privacy framework.
Scope and Applicability
The OPPA applies to organizations that conduct business in Ohio, or produce products or services targeted to consumers in Ohio, and that satisfy any of the following:
- The business has annual gross revenues generated in Ohio that exceed $25 million;
- During a calendar year, the business controls or processes personal data of 100,000 or more Ohio consumers; or
- During a calendar year, the business derives over 50 percent of its gross revenue from the sale of personal data and processes or controls personal data of 25,000 or more Ohio consumers.
Similar to Colorado and Virginia, the OPPA defines “consumer” more narrowly than California by excluding individuals acting in a “business capacity or employment context.”
Of specific importance for online advertising, the OPPA defines “personal data” as “any information that relates to an identified or identifiable consumer processed by a business for a commercial purpose.” The OPPA then defines “commercial purpose” as “the processing of information for the purpose of obtaining any form of consideration” from either “the person that is the subject of such information” or “any third party.”
The OPPA contains several exemptions, including exemptions for business-to-business transactions, specified governmental agencies and institutions of higher education, activities regulated by the Fair Credit Reporting Act, and data subject to the Children’s Online Privacy Protection Act.
Like the Colorado and Virginia laws, the OPPA contains an exemption relating to the Gramm-Leach-Bliley Act that covers not only data governed by the act but also financial institutions subject to and in compliance with the act. For health care institutions, like the Virginia law, the OPPA contains a similar “entity-level” exemption for covered entities and business associates subject to HIPAA. In addition, the OPPA contains separate exemptions relating to protected health information and medical information as well as other information processed in certain research contexts.
The OPPA outlines multiple consumer rights, including rights for access and deletion, as well as an opt-out right for the sale of personal data. A business that sells personal data must provide a “clear and conspicuous notice” to enable the consumer to opt out of the sale of the consumer’s personal data. While other states require such notice to be included on the business’ website, the OPPA gives businesses discretion to decide what is considered “clear and conspicuous notice.” In addition, businesses are prohibited from discriminating against consumers who exercise their rights under the OPPA.
No Private Right of Action/Affirmative Defense
The OPPA expressly does not contain or create a private right of action. The Ohio Attorney General (OAG) maintains exclusive jurisdiction to enforce the law and has the power to bring an action in a county court of common pleas if the OAG “has reasonable cause to believe that a business has engaged or is engaging in an act or practice that violates the OPPA.” In such an action, the OAG could seek a declaratory judgment, injunctive relief, civil penalties (including triple damages for any knowing or willful violations), or attorney’s fees and investigative costs.
Although such penalties could be severe, the OPPA provides a 30-day cure period prior to the initiation of an action by the OAG. The OPPA also deviates in an important way from prior U.S. privacy laws: Businesses may utilize an affirmative defense from an enforcement action by the OAG or a lawsuit filed by a consumer if the business creates, maintains, and complies with a written privacy program that reasonably conforms to the National Institute of Standards and Technology (NIST) privacy framework entitled “A Tool for Improving Privacy through Enterprise Risk Management Version 1.0.” The OPPA then outlines a list of scalable factors to determine whether the business’ written privacy program complies with the NIST framework, such as the sensitivity of the personal information processed and whether the business complied with any applicable state or federal laws.
Connecticut Bans Inquiries Into Job Applicants’ Age
Connecticut’s An Act Deterring Age Discrimination In Employment Applications prohibits Connecticut employers with at least three employees from inquiring into the age of prospective employees. The new law goes into effect on October 1, 2021.
Under the new law, employers (directly or through a third party) may not ask a prospective employee about the following information on an initial employment application:
- Date of birth;
- Dates of attendance at an educational institution; or
- Date of graduation from an educational institution.
An employer, however, may request or require such information if:
- The request or requirement is based on a bona fide occupational qualification or need; or
- The employer has a need for such information to comply with applicable state or federal laws.
Next Steps for Employers
Employers should review their current job application forms to ensure the forms do not request a job applicant to provide their age, date of birth, or dates of attendance or of graduation from an educational institution.
In addition, employers should review each position they employ to determine if each requires that a job applicant be a certain age to perform the duties of the position.
Employers also should review applicable state and federal laws to determine if an employer must have information relating to a job applicant’s age to comply with such laws.
Further, employers should ensure their key employees in the hiring process are educated about these new inquiry limitations.
Connecticut Expands Data Breach Notification Requirements And Establishes A Cybersecurity “Safe Harbor”
On June 16 and July 6, 2021, Connecticut Governor Ned Lamont signed two new cybersecurity laws that continue the national trend of expanding cyber incident disclosure obligations, shortening notification timelines, and incentivizing the implementation of recognized cybersecurity standards. Both laws take effect on October 1, 2021.
“An Act Concerning Data Privacy Breaches” Amends Connecticut’s Existing Data Breach Law
The amended data breach law includes three key changes:
- The time businesses have to notify affected Connecticut residents and the Office of the Attorney General of a data breach has been shortened from 90 days to no later than 60 days after discovery of the breach;
- If notice cannot be effected within the new 60-day window, a novel and significant amendment requires companies to provide preliminary substitute notice to individuals, and follow up with direct notice as soon as possible; and
- The law significantly expands the definition of “personal information” that may trigger notification obligations to include an IRS identity protection personal identification number, certain medical information, biometric information, a user name or email address in combination with a password or security question and answer (regardless of whether or not the individual’s name is accessed in combination with it), and a number of other data elements commonly included in other states’ data breach notice laws.
“An Act Incentivizing the Adoption of Cybersecurity Standards for Businesses” Establishes a Cybersecurity “Safe Harbor” Statute
The new law will establish an affirmative defense against tort claims alleging that a business’s failure to implement reasonable cybersecurity controls caused a data breach. Businesses that have created, maintained, and complied with a written cybersecurity program can take advantage of this “safe harbor” if their written cybersecurity program complies with one or more of the industry-recognized frameworks (such as the National Institute of Standards and Technology’s Cybersecurity Framework or the Center for Internet Security’s Critical Security Controls) or applicable federal laws (such as the cybersecurity requirements of the Health Insurance Portability and Accountability Act).
Connecticut is the third state, after Ohio and Utah, to enact a cybersecurity safe harbor statute.
Connecticut Legalizes Recreational Marijuana, Will Allow Employers To Continue Prohibiting Recreational Marijuana Use
Connecticut Governor Ned Lamont recently signed Senate Bill 1201, making Connecticut the 19th state to legalize recreational marijuana for adults 21 years or older. The new law not only requires expungement of certain existing marijuana convictions, but also creates employment protections for recreational marijuana users. While these protections are more limited than those recently recognized in neighboring states New York1 and New Jersey,2 Connecticut employers should review current policies and practices to ensure they are prepared for the changes by July 1, 2022, the effective date of the new employment provisions.
Notably, the new law expressly permits employers to continue to prohibit employees from engaging in the recreational use of marijuana, subject to certain statutory requirements. Employers that wish to take action based on positive recreational marijuana test results must carefully comply with those requirements. A positive marijuana test result, standing alone, otherwise will be insufficient to justify adverse employment action.
Drug-Free Workplace Provisions Under Connecticut’s New Law
Employers in Connecticut should be aware of the following key employment provisions:
- Workplace Use/Possession Can be Prohibited. Employers may continue to prohibit the use or possession of marijuana during work hours, on employer premises and while using an employer’s equipment or other property.
- Employers Should Update Their Drug-Free Workplace Policies. Employers may continue to take adverse employment action based on recreational marijuana use provided a written policy is in effect to prohibit such use. Similarly, the law expressly allows employers to rescind conditional offers of employment to applicants who test positive for recreational marijuana use, provided the policy is made available to the applicant at the time the offer is made.
- A Written Policy is Not Required to Support Reasonable Suspicion Drug Testing. Employers are permitted to take adverse action against an employee who fails a reasonable suspicion drug test for marijuana, even if the employer has not implemented a written policy. (Of course, urinalysis testing—other than federally mandated testing—must continue to satisfy the Connecticut workplace urinalysis testing law).3
- Certain Industries are Expressly Exempt from Provisions Prohibiting Adverse Action Absent a Written Policy. Although the new law lacks clarity, it appears that employers in certain industries, including but not limited to mining, utilities, construction, transportation and delivery, healthcare or social services, educational services, and justice, public order or safety activities are specifically exempted from the statutory provisions prohibiting adverse employment action unless taken pursuant to a written policy.
- Certain Positions are Also Expressly Exempt. Employees in certain positions are also expressly excluded from protections offered workers who engage in off-duty recreational marijuana use. Express exemptions include, but are not limited to, positions regulated by the Department of Transportation (DOT), positions funded by federal grants, positions requiring supervision of children, medical patients or vulnerable persons, and positions with any potential health/safety impact (as determined by the employer). Individuals working in these positions are not entitled to legal protection for off-work marijuana use.
Prohibited Employer Conduct
Once effective, the new law will largely prohibit adverse action by a non-exempt employer absent a written substance abuse/testing policy establishing rules against recreational marijuana use outside of work. This prohibition will affect testing of employees as well as applicants. Absent such a policy, non-exempt employers will be prohibited from taking adverse action based on a positive marijuana drug test unless the employer had reasonable suspicion an employee was under the influence at the time of referral for testing. Notably, the law reinforces the previously established protections for medical marijuana users already recognized under Connecticut law.4
Significantly, the new law will expressly permit employees to pursue a private cause of action if the employer fails to observe its employment provisions. Any applicant or employee who prevails in asserting such a claim may be entitled to back pay, reasonable attorneys’ fees and costs and other damages, or an order for reinstatement.
What Employers Should Do Now
Connecticut employers with rules prohibiting recreational marijuana use and those who test for marijuana should manage for compliance now, before the law becomes effective in 2022. Employers are encouraged to review and update their existing drug-testing policies or implement a written policy if one is not already in place. If your organization is using urine drug testing, keep in mind that the provisions of Connecticut’s general drug-testing statute regulating the use of urinalysis remain in place. Employers subject to federal drug-testing requirements (e.g., testing required by the DOT) should continue testing as mandated by federal law and seek guidance as necessary for state law compliance relating to their non-regulated workforce.
Baltimore Bill Is Most Draconian Facial Recognition Ban Yet
On June 14, Baltimore passed Council Bill 21-0001 and will become the second U.S. jurisdiction to enact sweeping facial recognition regulation that bans the use of facial biometrics by any private entity or individual within city limits.
While a number of cities have enacted laws prohibiting law enforcement and other governmental agencies from using facial recognition, Portland, Oregon, became the first jurisdiction to extend a blanket ban over the use of this technology to the private sector in September 2020.
The Baltimore ordinance goes even further than its Portland counterpart by imposing criminal penalties of up to a year in jail on companies and individuals that run afoul of the ban.
The ordinance is currently awaiting signature from Baltimore Mayor Brandon Scott and will go into effect 30 days after it is enacted.
Council Bill 21-0001: Baltimore’s Private-Sector Face Surveillance System Ban
Under the ordinance, individuals and businesses are prohibited from obtaining, retaining, accessing or using within the city limits of Baltimore any facial surveillance system or any information obtained from it. A facial surveillance system is defined as any software or application that performs an automated or semiautomated process to assist in identifying or verifying an individual based on the physical characteristics of the individual’s face.
The ordinance is essentially boundless in its scope, applying to both individuals and all types of entities alike and offering only a single, narrow carveout for biometric security systems designed to protect against unauthorized access to a particular location or electronic device. With that said, the law does provide one additional noteworthy carveout—for law enforcement, which is completely exempted from the ordinance.
The ordinance also contains a sunset provision, which will trigger the automatic expiration of the law at the end of 2022 in the event that Baltimore lawmakers do not vote to approve a five-year extension of the ban before that time.
Enforcement and Penalties
One of the most noteworthy aspects of the ordinance is its enforcement and penalty scheme. The law not only subjects violators to civil penalties of up to $1,000 but also makes any violation a criminal misdemeanor offense punishable by up to 12 months in jail.
This element of the Baltimore ordinance goes far further than the private-sector facial biometrics ban instituted by Portland—which only subjects violators to liquidated damages and attorney fees—and is the first piece of biometric privacy legislation to criminalize the use of facial recognition. In addition, under the law each day that a violation continues is a separate offense.
Analysis and Takeaways
Recently, states and cities from coast to coast—and even the federal government—have increased their efforts to enact legislation directly targeting the use of facial recognition technology. Until the Portland ordinance, however, other jurisdictions had limited the scope of their facial biometrics bans to the public sector and law enforcement in particular.
Baltimore has now taken this new, draconian form of biometrics regulation a significant step further by applying criminal penalties to private entities and individuals that violate the ban.
The new Baltimore ordinance continues the recent trend of municipal lawmakers taking matters into their own hands and enacting biometric privacy regulation while state and federal legislators continue to drag their feet on implementing new requirements and restrictions over the collection and use of biometric data.
Moreover, the recent success seen by both Portland and now Baltimore in enacting sweeping, across-the-board private-sector bans may provide lawmakers in other jurisdictions with significant motivation to try their hand at enacting similar laws banning private entities from using facial recognition or other types of biometrics altogether.
Similarly, the Baltimore ordinance may provide strong encouragement to lawmakers who are contemplating the prospect of enacting robust requirements and limitations over the use of this technology—but who do not have an appetite for passing an outright ban—to push forward with strict regulation paralleling that of the well-known Illinois Biometric Information Privacy Act.
Taken together, it is clear that potential liability exposure stemming from the use of facial biometrics will increase steadily—if not drastically—in the immediate future.
What To Do Now
Due to the rapidly expanding liability risk associated with the use of facial biometrics, it is imperative that companies utilizing facial recognition software devote the necessary time, effort and resources to minimize their liability exposure to the greatest extent possible.
Companies located in Baltimore should take immediate action to ascertain whether any form of facial recognition software is being used. If so—and the technology does not serve the purpose of protecting against unauthorized access to a particular location or electronic device—the use of facial recognition should be eliminated across the board immediately.
And although the ordinance has yet to go into effect, companies should act now in order to give themselves sufficient time to ensure all facial recognition tech has been fully disabled and to evaluate whether an alternative, suitable technology can be implemented in its place to accomplish the objectives for which facial recognition was used.
From a broader perspective, all companies—regardless of where they are located—should take proactive measures to build out their biometric privacy compliance programs to ensure the ability to adeptly respond to the additional new facial recognition laws that will likely be put in place in other parts of the country in the coming months and years. In particular, companies should consider the following:
Accuracy and Bias Testing
Because facial recognition software can produce results that are biased in ways that harm particular ethnic and racial groups, pre-deployment testing of facial recognition technology should be completed to ensure its effectiveness and accuracy before it is used in real-time situations.
Provide written notice—prior to the time any facial template data is collected—that clearly informs individuals that facial template data is being collected, used and/or stored by the company; how that data will be used and/or shared; and the length of time over which the company will retain the data until it is destroyed.
Written Consent (Release)
Obtain written consent by ensuring that, prior to the time any scans of facial geometry are collected, all individuals execute a written release relating to the collection and use of their facial template data. The release should permit the company to collect/use the individual’s facial template data and disclose that data to third parties for business purposes.
Permit individuals to opt out of the collection of their facial template data.
Safeguard facial template data by maintaining data security measures that satisfy the reasonable standard of care applicable to the company’s given industry. The measures should also protect facial template data in the same or a more protective manner as that by which the company protects other forms of sensitive personal information.
Explicit Prohibitions on Using Technology for Discriminatory Purposes
Maintain an explicit policy strictly barring the use of facial recognition technology by employees, contractors or vendors to discriminate unlawfully against individuals or groups of individuals.
The responsible use of facial recognition technology by commercial entities continues to be a popular topic of national conversation.
To further complicate matters, facial biometrics continues to receive a significant amount of negative media coverage stemming from allegedly improper or controversial uses of this technology. All of this has put significant pressure on lawmakers to implement greater regulation over the collection and use of facial template data.
As such, companies that operate in Baltimore must take action immediately—if they have not already done so—to ensure compliance with the city’s new private-sector facial recognition ban.
At the same time, all companies that use facial biometrics—even those that are not currently subject to any biometric privacy laws—should ensure they have in place flexible, adaptable biometric privacy compliance frameworks that integrate the common elements required across today’s growing body of biometric privacy regulation.
Doing so now will put companies in a position where only small adjustments will be required to come into compliance with any new requirements or restrictions placed on the collection and use of facial template or other types of biometric data. This will allow entities to maintain ongoing compliance even if many new wrinkles are added to the legal landscape over a condensed period of time.
Maine Ban The Box – Maine LD 1167 (HP 845)
This “ban the box” legislation follows the nationwide trend of states prohibiting employers from seeking criminal history record information on an initial employee application form. Currently, Maine has no restrictions on private employers that wish to inquire about applicants’ criminal history. The legislature’s intent with LD 1167 is to remove obstacles that preclude applicants with criminal histories from gainful employment.
Governor Mills signed LD 1167 into law on July 6, 2021. It prohibits an employer from requesting criminal history record information on an initial employee application form or stating on an initial employee application form or advertisement that a person with a criminal history may not apply or will not be considered for a position. LD 1167 also prohibits an employer from otherwise specifying prior to determining a person is qualified for the position that an individual with a criminal history will not be considered. The law provides exceptions to those prohibitions, including instances in which federal or state law, regulation, or rule mandates that a criminal conviction disqualifies an applicant from a position, imposes an obligation on an employer not to hire an applicant who has been convicted of a certain type of offense, or requires that an employer conduct a criminal history record check. An employer that violates this prohibition is subject to a penalty of not less than $100 nor more than $500 for each violation, to be enforced by the Maine Department of Labor.
LD 1167 will take effect October 18, 2021. In the interim, employers should review their job application materials to ensure that they are not asking about criminal history on the initial application or in advertisements. Employers also may wish to consider training for personnel who participate in the hiring process.
Appeals Court Deals Another Blow To Landlords On Eviction Freeze
An Atlanta-based federal appeals court on Wednesday dealt another blow to landlords seeking to end a nationwide eviction freeze put in place amid the pandemic.
The ruling by a divided three-judge panel of the 11th Circuit Court of Appeals leaves intact the Centers for Disease Control and Prevention’s (CDC) eviction moratorium, which is set to run through July.
The move comes after the Supreme Court last month voted 5-4 to reject an emergency request from a separate group of landlords who also sought to have the eviction ban lifted, arguing it amounts to unlawful government overreach at a cost of some $13 billion each month to property owners.
The CDC order was enacted in September and subsequently extended by Congress and President Biden. Most recently, the Biden administration announced a one-month extension, through July, which is expected to be the final extension of the protections.
The federal moratorium allows tenants who have lost income during the pandemic to protect themselves from eviction by declaring under penalty of perjury that they have made their best effort to pay rent and would face overcrowded conditions if evicted.
The extended protections come as landlords and property owners have sought to evict tens of thousands of cash-strapped renters from their homes and as federal rental aid continues to make its way to needy tenants. Some state governments, which bear responsibility for distributing more than $45 billion in federally funded rental assistance, have been slow to make those disbursements.
The eviction pause has faced numerous legal challenges, leading to a patchwork of legal interpretations nationwide on the moratorium’s lawfulness.
A federal judge in Washington, D.C., held in May that the moratorium was an invalid exercise of the CDC’s authority. But the judge, U.S. District Judge Dabney Friedrich, a Trump appointee, delayed enforcement of her ruling, citing the risk to public health if evictions were allowed to proceed.
Iowa Supreme Court Takes On Employer Drug Testing Practices
Seyfarth Synopsis: On June 25, 2021, concluding that Iowa’s comprehensive drug testing statute requires employers to “substantially” comply with its mandates, the Iowa Supreme Court issued two separate decisions finding that employers violated the statute after terminating employees in response to failed drug tests. The decisions serve as important reminders to employers to ensure their drug testing policies and practices can withstand scrutiny in any jurisdiction.
Iowa’s Drug Testing Statute
Iowa’s drug and alcohol testing statute is considered one of the more onerous and difficult to navigate in the nation (along with Maine and Minnesota). It includes numerous requirements that employers must follow to lawfully conduct pre-employment and employment drug and alcohol tests, including (but not limited to):
- A requirement that employers implement a written policy that is distributed to employees (including the parents of any employees who are minors) and made available to job applicants and employees for review.
- A requirement that employers establish an awareness program to inform employees of the dangers of drugs and alcohol in the workplace.
- If the employer has at least 50 employees in Iowa, and if an employee with a confirmed positive alcohol test (1) has been working for at least 12 of the preceding 18 months, (2) agrees to rehabilitation and (3) has not previously violated the employer’s substance abuse policy, the employee must be given an opportunity to participate in rehabilitation in lieu of termination or other disciplinary action.
- A requirement that supervisory personnel involved with drug or alcohol testing submit to two hours of initial training and, on an annual basis thereafter, a minimum of one hour of additional training. The training must address a number of topics, including information on how to recognize employee alcohol and drug abuse, documentation of such abuse, and referral of employees who abuse drugs or alcohol to the employer’s employee assistance program or the provision of other resources available to assist employees with substance abuse.
Two recent Iowa Supreme Court decisions demonstrate both the complexity and importance of complying with the statute.
Any notice of the right to a re-test must include the cost of the test
In Woods v. Charles Gabus Ford, Inc. (June 25, 2021), the employer terminated an employee after his random test result revealed the presence of methamphetamines. The employer sent the employee a letter that informed him of the drug test result and advised that he had the right to a confirmatory test provided that he paid for it. The letter explained that if the sample tested negative, the employer would reimburse him the cost of the confirmatory test. However, the letter did not, among other things, include the cost for the test.
In claiming that the employer failed to comply with the drug statute by, among other things, not specifying the cost of the confirmatory test, the plaintiff pointed to the Iowa Code, which states:
If a confirmed positive test result for drugs or alcohol for a current employee is reported to the employer by the medical review officer, the employer shall notify the employee in writing by certified mail, return receipt requested, of the results of the test, the employee’s right to request and obtain a confirmatory test of the second sample…at an approved laboratory of the employee’s choice, and the fee payable by the employee to the employer for reimbursement of expenses concerning the test. The fee charged an employee shall be an amount that represents the costs associated with conducting the second confirmatory test, which shall be consistent with the employer’s cost for conducting the initial confirmatory test on an employee’s sample.
According to the court, substantial compliance with this portion of the statute means providing the employee with enough information to determine whether to request a confirmatory test. The “cost of a retest, even if one expects to be reimbursed upon being exonerated by a retest, is vital information for making an informed decision.” This was an especially important consideration for the employee given his assertion that “he was the sole provider for his children,” and without this information, he could not decide which option to choose. Having failed to include this vitally important piece of information in the notice, the court agreed with the plaintiff and remanded the decision to the lower court to calculate damages.
Court clarifies what it means for a job to be “safety-sensitive” under the statute
In Dix, et al. v. Casey’s General Stores, Inc. (June 25, 2021), the court considered, among other issues, what it means for a position to be considered “safety-sensitive” and, thus, subject to a random drug test. The Iowa Code allows an employer to conduct an “unannounced, suspicionless drug testing of employees selected from a predefined pool…” One possible pool could be “[a]ll employees at a particular work site who are in a pool of employees in a safety-sensitive position,” which is defined to mean “a job wherein an accident could cause loss of human life, serious bodily injury, or significant property or environmental damage, including a job with duties that include immediate supervision of a person in a job that meets the requirement of this paragraph.”
In the case, the employer admittedly treated the plaintiffs as being in safety-sensitive positions simply because they worked in a warehouse setting, regardless of their specific job duties. Two employees terminated for failed drug tests brought suit claiming they were not properly classified as working in “safety-sensitive” roles and, thus, should not have been tested in the first instance. The court agreed.
Borrowing from the definition of “safety-sensitive” in the context of drug testing by public agencies as well as Department of Transportation regulations, the court noted that the term “safety-sensitive” identifies employees who, “if performing their job functions while under the influence of drugs or alcohol, could pose such a risk of harm to people or damage to property that subjecting them to suspicionless drug testing is justified.” This being the case, it is not enough that an employee works in a particular environment. Instead, in determining whether a job falls under the “safety-sensitive” umbrella, the court reasoned that “employers must base their designations on the functions of the job an intoxicated person could be performing that would lead to the type of serious accident identified, not just the environment in which the job is performed.” Because neither plaintiff worked in a safety-sensitive position at the time of the test, they were awarded economic damages, which the court upheld.
States are enacting recreational and medical marijuana laws at an increasing pace. Moreover, marijuana use is on the rise across the country. These two considerations have caused employers to place greater emphasis on their drug testing policies, especially for safety-sensitive roles. The Iowa Supreme Court’s decisions confirm that some jurisdictions have very detailed and specific requirements that employers must follow to lawfully test their applicants and employees for drugs. Employers in all jurisdictions, especially in those with drug testing laws on the books, would be well-advised to consider a fresh look at their drug and alcohol testing policies to ensure not only compliance with the applicable statutes but also that their policies fit the company’s overall views and goals about applicant and employee marijuana use.
UK: Guidance Published On Working Safely From 19 July As Employers Prepare For Return To Workplaces
Ahead of the move to Step 4 of the Roadmap on 19 July, the Government has published guidance for businesses on working safely during COVID-19 and reducing the risk in workplaces.
The following guidance has been published:
From Step 4, legal restrictions are lifted, all businesses can open and the government is no longer instructing people to work from home.
The overview guidance states: “To support businesses through this next phase, the ‘Working Safely’ guidance will continue to provide advice on sensible precautions employers can take to manage risk and support their staff and customers.
Businesses still have a legal duty to manage risks to those affected by their business. The way to do this is to carry out a health and safety risk assessment, including the risk of COVID-19, and to take reasonable steps to mitigate the risks you identify.
You should use the guidance to consider the risk within your premises and decide which mitigations are appropriate to adopt”.
The priority actions identified in the guidance are as follows:
- Complete a health and safety risk assessment that includes the risk from COVID-19 (including considering reasonable adjustments needed for staff and customers with disabilities);
- Provide adequate ventilation;
- Clean more often;
- Turn away people with COVID-19 symptoms. If you know that a worker is self-isolating, you must not allow them to come to work. It will remain an offence to do this;
- Enable people to check in at your venue;
- Communicate and train.
The guidance contains the following additional specific recommendations in respect of existing risk mitigation measures:
Working from home: the government expects and recommends a gradual return over the summer. Employers should discuss the timing and phasing of a return with their workers.
Social distancing: employers do not need to implement social distancing in the workplace. However, employers should reduce the number of people workers come into contact with.
Employees at higher risk from COVID-19: employers should give extra consideration to people at higher risk and to workers facing mental and physical health difficulties. Those who are clinically extremely vulnerable are no longer advised to shield. Employers should continue to support these workers by discussing with them their individual needs and supporting them in taking any additional precautions advised by their clinicians.
Face coverings: Face coverings are no longer required by law. However, the government expects and recommends that people continue to wear face coverings in crowded, enclosed spaces. Consider encouraging the use of face coverings by workers (for example through signage), particularly in indoor areas. This is especially important in enclosed and crowded spaces. When deciding whether you will ask workers or customers to wear a face covering, you would need to consider the reasonable adjustments needed for staff and clients with disabilities.
Self-isolation: Where there is a positive case, employers should immediately identify any close workplace contacts and ask them to self-isolate rather than wait for NHS Test and Trace.
Testing: Anyone with symptoms can get a free NHS test. Employees who do not have symptoms of COVID-19 can access testing free of charge at home or at a test site.
There is no specific guidance here regarding vaccination. The COVID-19 vaccination guide for employers urges employers to encourage employees to have the vaccine.
The guidance applies in England only.
As predicted, the guidance shifts much of the responsibility for health and safety measures from the government to individuals and businesses; employers’ individual health and safety risk assessments will be critical in addition to communication and consultation with the workforce.
COVID-19: Processing Of Vaccination Data By Employers In Europe
With the rollout of COVID-19 vaccination programs across the EU and the UK, employers are faced with questions about whether or not they are legally permitted to ask employees about their vaccination status and, if so, how that information may be used.
Employers may wish to inquire about the vaccination status of their employees in order to comply with their general obligation to ensure a safe workplace and minimize the risk of exposure to COVID-19. This raises privacy issues under the General Data Protection Regulation (“GDPR”) because employees’ vaccination status falls within a special category of personal data that concerns the health of individuals (Art. 9(1)). This category is subject to more stringent data protection measures due to the sensitive and personal nature of data and can only be processed in very limited circumstances (Art. 9(2)).
(1) Divergent Views Across Europe
The approaches taken to the collection and processing of vaccination data across the EU and the UK are varied. Several countries including Belgium (see here in French), France (see here and here in French), Germany (see here, here, here and here in German), Italy (see here and here in Italian), the Netherlands (see here in Dutch), and Ireland (see here) have issued guidance indicating that employers are not permitted to ask employees about their vaccination status because there is no valid legal basis to do so.
In some countries, such as the Netherlands and Italy, if employees disclose information relating to their vaccination status to occupational health physicians, the physician may be permitted to process health data in certain circumstances (e.g., the Netherlands permits processing of such data in the event of absenteeism or reintegration of employees) but will be bound by confidentiality obligations and therefore cannot disclose this information to the employer. That said, inquiries of a general nature may be allowed (e.g., the Italian regulations permit an employer to ask the occupational health physician whether an employee is fit for work).
By contrast, other countries such as Austria (see here in German), Finland (see here in Finnish), Spain (see here in Spanish) and the United Kingdom (see here) permit an employer to collect health data from employees to the extent that the information is necessary to ensure the safety of the workplace (i.e., to prevent infections at the workplace). This processing of data is based on Article 9(2)(b) of the GDPR, which permits the processing of health data “for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment”.
(2) Necessity and Proportionality
Any measures taken to ensure the safety of the workplace must be necessary and proportionate, such that there are no less intrusive alternative measures to achieve the same result. The UK requires that employers have a “clear and necessary” reason to collect vaccination data from employees, and that they assess these reasons by conducting a legitimate interest assessment and/or data protection impact assessment. Furthermore, with respect to the use of vaccination data, Spanish guidance indicates that the information may be used only in accordance with Spanish employment law, which prohibits employers from using that information to discriminate against employees that refuse to be vaccinated. This is in line with commitments made by EU institutions to ensuring non-discrimination between vaccinated and unvaccinated people.
To process vaccination data, potential exceptions to the prohibition against processing special categories of personal data under Article 9 GDPR include consent and necessity for the safety of certain professions. For example, though not an official statement, the spokesperson of the Polish data protection authority suggested in a recent article that employers could ask employees whether they were vaccinated on the basis of consent—noting that, given the inherent imbalance that exists in an employer-employee relationship, employers must ensure that such consent is freely and validly given (see here). Likewise, some countries—including Germany and Ireland—recognize that there are specific employment contexts where an employer may lawfully process vaccination data on the basis of necessity. For example, vaccinations may be considered a necessary safety measure for employees working in hospitals, medical facilities, emergency services, or any other frontline healthcare service.
(3) Other Key Considerations
In the absence of a more unified approach, employers should generally err on the side of caution when deciding whether or not to collect and process vaccination data from their employees. Sensitive health data of this kind should only be collected for specific legitimate purposes and only to the extent that it is necessary and proportionate to do so. If vaccination data is collected, it should only be used for lawful and nondiscriminatory purposes, kept secure and subject to existing duties of confidentiality owed to employees, and retained only for the minimum period of time required to fulfil their legitimate purpose. Employers should be transparent, via a privacy notice, as to their reasons for checking or recording employee vaccination status and how the information will be used.
Employers should be particularly careful if the collection of vaccine information could have a negative consequence for employees—e.g., denial of an employment opportunity. Such measures may result in breaches of local employment laws, including anti-discrimination laws, depending on the circumstances.