FTC Data Security Settlement
On June 12th, the Federal Trade Commission (FTC) announced a settlement with LightYear Dealer Technologies, LLC for allegedly failing to implement adequate data security standards, in violation of the FTC Act and the Gramm-Leach-Bliley Act Safeguards Rule. LightYear, which also does business as DealerBuilt, is an Iowa-based company that sells software and data services to automobile dealerships. The FTC alleges that LightYear failed to implement readily available and low-cost measures to protect the personally identifiable information (PII) of customers obtained from automobile dealerships. The lack of data protection measures led to a data breach in October 2016, which exposed the PII of 12.5 million consumers—including names, addresses, birth dates, and Social Security numbers. LightYear allegedly stored and transmitted PII in clear text, without access controls or authentication protections, and stored backup data on an unencrypted server. Under the settlement, LightYear will implement more specific security requirements and is required to obtain third-party assessments of its information security program every two years. Reported in Arnall Golden Gregory June 13, 2019 Daily Privacy & Consumer Regulatory Alert.
FTC EU-U.S. Privacy Shield Action
On June 14th, the Federal Trade Commission (FTC) announced a settlement with background screening company SecurTest, Inc. for allegedly falsely claiming to participate in the EU-U.S. Privacy Shield framework. According to the complaint, SecurTest falsely claimed on its website that it participated in the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield frameworks, which allow certified companies to transfer data from EU countries and Switzerland to the U.S. in compliance with EU and Swiss law. SecurTest did not complete the necessary certification steps and misrepresented its status on its website.
On June 14th, the FTC also sent warning letters to thirteen companies for falsely claiming participation in the U.S.-EU Safe Harbor and the U.S.-Swiss Safe Harbor privacy frameworks, which were replaced by the Privacy Shield frameworks in 2016. The Safe Harbor agreements have expired, so the FTC warned the thirteen companies to remove any statements claiming to participate in either the EU or Swiss Safe Harbor agreement. The FTC also sent warning letters to two companies falsely claiming to participate in the Asia-Pacific Economic Cooperation Cross-Border Privacy Rules system. Reported in Arnall Golden Gregory June 17, 2019 Daily Privacy & Consumer Regulatory Alert.
Background Screening Legislation
Recent state legislation regarding background screening:
Arnall Golden Gregory June 7, 2019 Daily Privacy & Consumer Regulatory Alert
- On June 5th, the Maine Legislature passed H.P. 968, which requires all prospective employees of the Office of the State Auditor to complete a fingerprint-based criminal background check;
- On June 4th, the New York Senate passed S. 03335, which would require prospective employees of nonpublic and private elementary and secondary schools to complete a fingerprint-based criminal background check; and
- On May 16th, South Carolina enacted S. 595, which requires background checks for employees of child care facilities.
Arnall Golden Gregory June 7, 2019 Daily Privacy & Consumer Regulatory Alert
- On May 23rd, the Alabama Legislature passed H.B. 403, which would require background checks for employees working in child care centers or maternity centers;
- On June 7th, the Oregon Legislature passed S.B. 725, which would specify the types of professional licenses for which convictions, arrests, deferred sentences, conditional discharges, or referrals to diversion programs for certain crimes may be disqualifying;
- On June 7th, Richland County, South Carolina passed a Ban-the-Box ordinance, prohibiting all employers from inquiring about criminal convictions on job applications. The county government will conduct criminal background checks on employment applicants only after a conditional offer of employment. The ordinance also prohibits employers from inquiring about salary history on job applications; and
- On June 4, Oregon enacted S.B. 484, which would limit landlords to a single applicant screening charge per 60-day period: https://olis.leg.state.or.us/liz/2019R1/Measures/Overview/SB484.
Arnall Golden Gregory June 13, 2019 Daily Headlines
- June 6: Louisiana enacted H.B. 99, which requires background checks for certain coaches of youth athletics (LA Legislature): http://www.legis.la.gov/legis/BillInfo.aspx?s=19RS&b=HB99&sbi=y; and
- June 6: Louisiana enacted H.B. 491, which requires applicants for a license to produce industrial hemp seed to submit to a fingerprint-based criminal background check (LA Legislature): http://www.legis.la.gov/legis/BillInfo.aspx?s=19RS&b=HB491&sbi=y.
Arnall Golden Gregory June 14, 2019 Daily Headlines
- June 5: Nevada enacted S.B. 302, which establishes certain data protection standards for government agencies that collect state residents’ personal information: https://www.leg.state.nv.us/App/NELIS/REL/80th2019/Bill/6534/Overview.
Arnall Golden Gregory June 21, 2019 Daily Privacy & Consumer Regulatory Alert
- Nevada enacted A.B. 275, which requires professional regulatory bodies to maintain the confidentiality of the PII of applicants for certain occupational licenses; and
- Texas enacted H.B. 3175, which requires government agencies to maintain the confidentiality of the PII of applicants for disaster recovery funds.
Illinois Regulates the Use of AI in Video Interviews
Recently, the Illinois legislature passed legislation regulating companies’ use of artificial intelligence (AI) in evaluating job interview videos. The Artificial Intelligence Video Interview Act (the Act), which received nearly unanimous support in both legislative chambers and is likely to be signed into law by Governor Pritzker, requires employers using AI to assist in evaluating video interviews to provide a disclosure to applicants before the video interview takes place. Specifically, the Act requires employers to disclose that AI will be used to analyze the video interview, explain how the AI technology being used works, and explain the characteristics the AI uses to evaluate candidates. The Act also requires employers to obtain the applicant’s consent to use AI before recording the interview. In addition to these notice and consent requirements, the Act also requires employers to protect the collected video recordings by restricting access only to individuals that are necessary to evaluate the candidate. Employers must also destroy all active and backup copies of collected recordings within 30 days of receiving such a request by an applicant. In complying with destruction requests, employers are also responsible for ensuring that anyone else who received a copy of the recording, such as a vendor or business partner, also deletes all copies of the recording within the required time frame.
TIP: Illinois continues to be at the forefront of states in regulating emerging technologies. As with the state’s regulation of biometric information through the Biometric Information Privacy Act (BIPA), this legislation favors regulating, rather than restricting, the use of emerging technologies. Companies with operations in Illinois interested in using AI in evaluating interview videos should consult with counsel to craft appropriate disclosures and consent mechanisms that comply with this law.
Oregon Updates Data Breach Notification Law to Include Vendors of Covered Entities
Oregon has updated its breach notification laws and has broadened the definition of consumer information, updated the definition of covered entity, and expanded the law to cover vendors. The update (Senate Bill 684) renames The Oregon Consumer Identity Theft Protection Act as The Oregon Consumer Information Protection Act, which will come into effect on January 1, 2020. The update expands the definition of personal information to include usernames and other means of identifying a consumer which would allow access to be gained to a consumer’s account, along with any method used to authenticate a user. The definition of covered entity has been updated to “a person that owns, licenses, maintains, stores, manages, collects, processes, acquires or otherwise possesses personal information in the course of the person’s business, vocation, occupation or volunteer activities.” A vendor is defined as an individual or entity “with which a covered entity contracts to maintain, store, manage, process or otherwise access personal information for the purpose of, or in connection with, providing services to or on behalf of the covered entity.” Vendors are now required to notify the covered entity of a breach within 10 days of that breach being discovered. If the vendor is a subcontractor of another vendor that deals with a covered entity, the subcontractor must notify its vendor about a breach within 10 days. Vendors are also required to send a notification to the Oregon Attorney General if a breach impacts more than 250 consumers or “a number of consumers that the vendor could not determine.” The Oregon Consumer Identity Theft Protection Act already required covered entities to implement an information security program and reasonable safeguards to protect any data maintained, stored, managed, processed, collected, received, or otherwise acquired.
Under the new Oregon Consumer Information Protection Act, covered entities and vendors that are able to demonstrate compliance with the security requirements of federal laws such as HIPAA and the HITECH Act can use that as an affirmative defense in actions and proceedings that allege noncompliance with the security requirements of the Oregon Consumer Information Protection Act to maintain reasonable safeguards to protect the security, confidentiality and integrity of personal information. That exception applies even if the types of data are covered by the Oregon Consumer Information Protection Act but are not covered by the requirements of those federal acts.
Legal Recreational Marijuana is Coming to Illinois: The Impact on Employers
- The legalization of recreational cannabis in Illinois will not prevent Illinois employers from adopting and implementing reasonable workplace policies precluding employees from being impaired by or under the influence of cannabis in the workplace or while “on call,” including “zero tolerance” and “drug free workplace” policies.
- The Cannabis Regulation and Tax Act (the Act) does not compel employers to come out of compliance with applicable federal rules or regulations, such as U.S. Department of Transportation restrictions, that require compliance with federal law, under which cannabis remains an illegal controlled substance.
- Outside of the workplace, recreational cannabis is a lawful product under Illinois law, whose use during non-working hours in compliance with the Act is subject to the protections of the Illinois Right to Privacy in the Workplace Act.
- Illinois employers should immediately review their workplace policies to confirm compliance with the Act.
The Illinois General Assembly adopted House Bill 1438, the Cannabis Regulation and Tax Act (the Act) on May 31, 2019, legalizing the sale, possession and use of marijuana for recreational purposes by adults age 21 and older. Gov. J.B. Pritzker is expected to sign the bill following the flurry of last-minute activity by the General Assembly that closed the spring legislative session. The Act will take effect on Jan. 1, 2020.
Overview of the Act
As of Jan. 1, 2020, Illinois residents age 21 and older will be allowed to possess up to 30 grams of raw cannabis, 5 grams of cannabis concentrate or cannabis-infused products containing up to 500 milligrams of tetrahydrocannabinol (THC). All permitted cannabis products must be purchased from a licensed dispensary. Adults 21 and over will be allowed to consume cannabis on private property away from minors and certain prohibited areas. Although the sale and use of cannabis will be legal on Jan. 1, 2020, possession and consumption will still be regulated, including its use being prohibited in public places, on school grounds, “in close physical proximity” to persons under 21, and smoking cannabis where smoking is prohibited under state or local law. Recreational cannabis may be purchased only by adults age 21 and older, may not be purchased via home delivery, may not be possessed or consumed by a minor under age 21 except for legal medical purposes, and may not be transported in a motor vehicle unless sealed and reasonably inaccessible. Driving under the influence of cannabis (DUI) is prohibited and, as with alcohol-related offenses, the enforcement and prosecution of most cannabis offenses will be the responsibility of local governments.
Overview of Labor and Employment Impacts
The Act maintains important protections for employers building from those previously established under the Compassionate Use of Medical Cannabis Pilot Program Act of 2013 (the Medical Cannabis Act). Crucially, employers retain the ability to adopt and enforce reasonable workplace policies such as “drug free” or “zero tolerance” policies and to impose discipline up to, and including, termination if an employee is impaired or under the influence of cannabis while in the workplace or on call. The Act includes significant protection for employees by designating recreational cannabis used in compliance with the Act as a “lawful product” subject to the protections against discrimination provided under the Illinois Right to Privacy in the Workplace Act. Thus, employers generally cannot take adverse employment action against an employee who lawfully uses cannabis outside of working hours and is not impaired or under the influence of cannabis during working hours, while on duty or while “on call.” However, because cannabis remains an illegal controlled substance under federal law, and because the Act does not require employers who must comply with applicable federal rules and regulations—such as U.S. Department of Transportation regulations (U.S. DOT)—to become non-compliant, it is expected the Act will be interpreted to allow employers to continue to maintain employment policies prohibiting all cannabis use where necessary to comply with applicable federal law.
Prohibition on Working While Impaired or Under the Influence of Cannabis
Employers may prohibit employees from using or being under the influence of cannabis in the workplace, while performing the employee’s job duties or while on call. An employer may consider an employee impaired by or under the influence of cannabis if the employer has a good-faith belief that the employee manifests specific, articulable symptoms that decrease or lessen the employee’s performance of assigned duties or tasks, including the following symptoms:
- physical dexterity
- irrational or unusual behavior
- negligence or carelessness in operating equipment or machinery
- disregard for the employee’s own safety or the safety of others
- involvement in any accident resulting in serious damage to equipment or property
- disruption of a production or manufacturing process
- carelessness that results in any injury to the employee or others
The Act describes symptoms of impairment or being under the influence of cannabis as “including” these examples, which suggests this list is not exhaustive and that an employer may identify additional symptoms of impairment if the employer determines in good faith that the symptoms exist and negatively impact the employee’s job performance.
Discipline and Termination
The Act authorizes employers to discipline employees, up to and including termination, for violating the employer’s employment policies or workplace drug policy. If an employer elects discipline for an employee based on being impaired or under the influence of cannabis, the employer must afford the employee a reasonable opportunity to contest the basis of the determination.
Intersection with Other Federal and State Laws
Recreational cannabis remains illegal under federal law, and the Act does not require employers who must comply with federal regulations to come out of compliance with federal law in order to comply with the Act. The Act expressly does not interfere with any federal, state or local restriction on employment, including without limitation U.S. DOT regulation 49 CFR 40.151(e) (concerning drug testing). Further, the Act expressly does not “impact” an employer’s ability to comply with federal or state law or require an employer to lose a federal or state contract or funding to comply with its terms.
The Act also expressly does not “enhance or diminish” protections afforded to the use of cannabis under any other state law, including the medical cannabis statute (the Compassionate Use of Medical Cannabis Pilot Program) or the Opioid Alternative Pilot Program.
As discussed below, the Act does provide additional employee protections by amending the Illinois Right to Privacy in the Workplace Act.
Limitation of Causes of Action Against Employers
The Act precludes employees from asserting causes of action against employers for taking the following actions:
- subjecting an employee or applicant to reasonable drug and alcohol testing under the employer’s workplace drug policy, including an employee’s refusal to be tested or to cooperate in testing procedures
- disciplining the employee or terminating employment, based on the employer’s good faith belief that an employee used, possessed, was impaired by or was under the influence of cannabis in violation of the employer’s workplace policies while in the employer’s workplace, performing the employee’s job duties or while on call
- injury, loss or liability to a third party if the employer neither knew nor had reason to know that an employee was impaired
Employee Protections Under Illinois Right to Privacy in the Workplace Act
Use of recreational cannabis by an employee in compliance with the Act and while outside of working hours will constitute lawful activity subject to the protections of the Illinois Right to Privacy in the Workplace Act (the Right to Privacy Act). The Right to Privacy Act generally precludes employers from discriminating against employees for the use of lawful products off the premises of employers during nonworking hours.
The Act amends the Right to Privacy Act’s definition of “lawful products” to mean “products that are legal under state law,” including the Act. The Right to Privacy Act thus clarifies that it is unlawful for an employer to refuse to hire, discharge or otherwise disadvantage any individual, with respect to compensation, terms, conditions or privileges of employment because the individual uses lawful products (including recreational cannabis) off the premises of the employer during nonworking hours and non-call hours. These amendments to the Right to Privacy Act were not included in the Medical Cannabis Act, and reasonably are understood as a policy statement by the General Assembly that employers generally cannot consider legal recreational cannabis use outside of the workplace as the basis for an adverse employment action.
Nevertheless, because the Act does not require employers to deviate from federal law, it remains unclear whether an employment policy that reasonably precludes off-hours cannabis use to comply with federal rules and regulations is permissible. In other words, it remains uncertain whether an employee would have a claim under the Right to Privacy Act if disciplined for off-work consumption in violation of a policy requiring non-consumption to comply with applicable federal law. Holland & Knight will carefully monitor how courts will strike a balance between the competing rights of employers and employees.
Impact of Ohio’s Medical Marijuana Law on Employers
What rights does Ohio’s medical marijuana law grant to employees?
Ohio law provides no protection for medical marijuana use in an employment context. Therefore, an employee may be disciplined or even discharged for his/her use of medical marijuana if he/she violates an employer’s drug policy. Furthermore, Ohio’s medical marijuana law does not permit an employee to sue an employer for refusing to hire, discharging, disciplining, discriminating, retaliating, or otherwise taking adverse employment actions against that employee as a result of medical marijuana use.
What rights does Ohio’s medical marijuana law grant to employers?
The Ohio legislature recognized the potential workplace health and safety risks associated with an employee’s use of medical marijuana. The law preserves the rights of employers to prohibit the use and possession of medical marijuana by their employees and to discharge employees for using medical marijuana if such use violates the employer’s anti-drug policies, even if an employee is legally exercising his or her right to use marijuana for a medical condition.
An employer has many rights and very few obligations regarding the use of medical marijuana by its employees. Ohio’s medical marijuana law allows an employer to:
- Refuse to accommodate an employee’s use or possession of medical marijuana;
- Refuse to hire a potential employee who uses medical marijuana;
- Apply its existing substance abuse policies to the use and possession of medical marijuana;
- Establish and enforce new drug-testing, drug-free workplace, or zero-tolerance drug policies to expressly prohibit the use of medical marijuana;
- Discharge, discipline, or otherwise take adverse employment action against an employee for his/her use or possession of medical marijuana; and
- Disqualify an employee from receiving unemployment compensation benefits if the employee was discharged for using medical marijuana in violation of the employer’s drug policy.
Ultimately, a drug-free workplace policy is unaffected by Ohio’s medical marijuana law.
Nevada Becomes the First State to Ban Pre-Employment Cannabis Tests
Following closely on the heels of a similar law in New York City, effective January 1, 2020, it will be unlawful for Nevada employers to reject a job applicant who tests positive for cannabis on a pre-employment drug test. While there is debate as to whether some medical and recreational cannabis laws, including in Maine, allow an employer to take action based on off-duty or off-premises cannabis use, when it comes to job applicants, Nevada law could not be more clear. Nevada quickly followed suit. On June 5, 2019, Governor Steve Sisolak signed Assembly Bill 132, which makes it unlawful for any Nevada employer to fail or refuse to hire a prospective employee because the prospective employee submitted to a blood, urine, hair, or oral fluids drug test and the results of the test revealed the presence of cannabis. The law also provides that if an employer requires an employee to submit to a screening test within the first 30 days of employment, the employee shall have the right to submit to an additional screening test, at his or her own expense, to rebut the results of the initial screening test. The employer shall accept and give appropriate consideration to the results of the second screening test. Of course, there are exceptions. Specifically, the prohibition does not apply if the prospective employee is applying for a position as a firefighter or an emergency medical technician (as defined in state law), or if the position will require the prospective employee to operate a motor vehicle for which federal or state law mandates the employee submit to screening tests. AB 132 also states the law does not apply to a position that, “in the determination of the employer, could adversely affect the safety of others.” Moreover, the law does not apply to the extent it is inconsistent or otherwise in conflict with the provisions of an employment contract, a collective bargaining agreement, or federal law, or to a position funded by a federal grant.
New York State Set to Enact Ban on Salary History Inquiries
New York State is set to be the latest jurisdiction to prohibit employers from asking job applicants and employees about their wage or salary history. The bill has been sent to Governor Andrew Cuomo, who is expected to sign.
Specifically, the recently passed bill would amend the New York Labor law to prohibit employers from:
- Relying on the wage or salary history of an applicant in determining whether to offer employment to such individual or in determining the wages or salary for such individual;
- Orally or in writing, seeking, requesting, or requiring the wage or salary history from an applicant or current employee as a condition of being interviewed, or as a condition of continuing to be considered for an offer of employment, or as a condition of employment or promotion;
- Orally or in writing, seeking, requesting, or requiring the wage or salary history of an applicant or current employee from a current or former employer, current or former employee, or agent of the applicant or current employee’s current or former employer;
- Refusing to interview, hire, promote, otherwise employ, or otherwise retaliating against an applicant or current employee based on prior wage or salary history;
- Refusing to interview, hire, promote, otherwise employ, or otherwise retaliating against an applicant or current employee because the individual did not provide wage or salary history in accordance with the law; or
- Refusing to interview, hire, promote, otherwise employ, or otherwise retaliating against an applicant or current or former employee because the individual filed a complaint with the State’s department of labor alleging a violation of the law.
Applicants and employees may voluntarily and without prompting disclose or verify their salary history, including for the purpose of negotiating wages or salary. In addition, an employer would be permitted to confirm salary history if at the time an offer of employment with compensation is made, the applicant or employee responds to the offer by providing prior salary history to support a salary higher than that offered by the employer. The bill also would not diminish any rights or privileges enjoyed by employees under a collective bargaining agreement, nor would it affect any laws that otherwise require the disclosure or verification of salary history information. Individuals alleging violations of the law would be able to file a civil action in court, and potential remedies include compensatory damages, injunctive relief, and attorneys’ fees. As many employers are aware, salary history inquiries have been prohibited in New York City since October 31, 2017, and are similarly prohibited in Suffolk and Westchester Counties.
If enacted, the new statewide law would take effect 180 days after signing. Notably, once effective, the New York State law will render Westchester County’s law null and void since the Westchester law makes clear that it will be nullified once statewide legislation is enacted.
Kansas City (Missouri) Passed Salary History Ban
The City Council of Kansas City, Missouri unanimously passed an ordinance effective October 31, 2019 that bans private employers with six or more employees from asking job applicants about their salary history. Private employers need to be aware of the growing number of states and cities enacting salary history bans during the hiring process. Other states and cities to be aware of include California, Connecticut, Delaware, Hawaii, Massachusetts, Oregon, Vermont, New York City, Philadelphia, and San Francisco. Reported in Arnall Golden Gregory June 21, 2019 Compliance News Flash.
Swedish Data Inspection Authority GDPR Investigation
On June 12th, the Swedish Data Protection Authority announced an investigation into music streaming company Spotify for its handling of customer requests under the EU General Data Protection Regulation (GDPR). Spotify allegedly failed to provide the necessary information when consumers requested copies of all the data that Spotify collects on them, in violation of the GDPR right to access. Reported in Arnall Golden Gregory June 17, 2019 Daily Privacy & Consumer Regulatory Alert.
Results of European Commission Study
On June 13th, the European Commission published the results of a study which found that 73 percent of Europeans are aware of at least one of their rights under the GDPR—such as the right to access their own data, correct any errors, object to direct marketing, or have their own data deleted. The European Commission announced that it will launch a privacy awareness campaign to encourage citizens to read privacy statements and optimize privacy settings. Reported in Arnall Golden Gregory June 17, 2019 Daily Privacy & Consumer Regulatory Alert.
Execution Law of the General Data Protection Regulation by Portugal
Portugal adopted its new data protection law, “Lei de Execução do Regulamento Geral sobre a Proteção de Dados” (English translation: “Execution Law of the General Data Protection Regulation (GDPR)”). To enter into force, the new law must be signed by the President and then published in the Official Journal. It will then enter into force a day after publication in the Official Journal. That leaves Greece and Slovenia as the only European Union (EU) member states that have not passed GDPR-implementing legislation. Why is GDPR-implementing legislation important? Because, while the GDPR is about harmonizing data protection rules throughout Europe, it does provide for certain areas where EU member states “shall” and “may” carve out exceptions within the articles of the regulation. This requires implementing legislation at the member state level. Reported in Arnall Golden Gregory June 21, 2019 Compliance News Flash.