Employers Prevail in FCRA Class Actions
The FCRA is not a classic employment law but regulates the procurement and use of background checks by employers. Before procuring a background check from a consumer reporting agency (CRA), the employer must disclose its intention to do so and obtain the individual’s authorization (known as the “stand-alone disclosure requirement”). And, before taking any adverse action against the individual based, in whole or in part, on the background check, the employer must provide the individual with a copy of the background check and the statutory summary of FCRA rights (known as the “pre-adverse action” notice). The plaintiffs’ bar has been flooding the courts with class action lawsuits asserting technical violations of these requirements. Some of these lawsuits have settled on a class-wide basis. However, employers have notched some significant victories in recent cases.
Lewis v. Southwest Airlines
In Lewis, the plaintiff asserted class wide and “willful” violations of the FCRA’s disclosure requirement and corresponding violations of California’s fair credit reporting act. The plaintiff did not accuse Southwest of ignoring the FCRA outright, but rather of impermissibly presenting the statutory disclosure to him along with other supposedly “extraneous” information. Southwest successfully moved to transfer the case from California to Texas, persuaded the court to trim the plaintiff’s California claims by filing a motion to dismiss, and then convinced the court to dismiss the suit by filing a motion for summary judgment. Relying on the U.S. Supreme Court’s opinion in Safeco Insurance Company of America v. Burr, the court agreed that Southwest’s precise disclosure obligation was too uncertain to support a willful violation when the plaintiff applied for a job in January 2015. The court reasoned that the district courts that have considered whether extraneous information in an FCRA disclosure constitutes a willful violation have provided inconsistent and even conflicting answers.
Branch v. GEICO
In Branch, GEICO did not defeat a pre-adverse action claim on summary judgment but did beat the plaintiff’s motion to certify a class action. The plaintiff alleged that GEICO took an adverse action when it assigned the plaintiff’s background check a preliminary grade of “Fail”—based on GEICO’s “Adjudication Process.” Because this grading occurred before the plaintiff was provided her report and the statutory summary of rights, she alleged a FCRA violation. GEICO moved for summary judgment—relying on substantial evidence that its preliminary grading is not a “final” decision and citing to prior cases holding that the grading (or scoring) of a background check, without more, does not constitute an adverse action. The court acknowledged the “legitimacy” of GEICO’s pre-adverse action notice processes and commented that they exemplify “the very manner in which dispute processes are supposed to operate under the FCRA.” The court also agreed that the grading of a background check, alone, does not constitute an adverse action. However, the court denied summary judgment because a GEICO employee allegedly told the plaintiff, on the day of the grading, that the plaintiff’s job offer had been rescinded. If GEICO’s employee deviated from its normal process by denying the plaintiff an opportunity to dispute the background results, a jury could find the plaintiff’s “Fail” grade was an adverse action. At the same time, the court denied class certification because no common proof existed as to whether calls made to any other class members deprived them of an opportunity to respond to the pre-adverse action notice before adverse action was taken. Relying on the U.S. Supreme Court’s opinion in Spokeo v. Robins, the court also refused to certify a class that included class members both with and without Article III standing.
Culberson v. Walt Disney
Culberson involved allegations similar to those in Branch. Disney “coded” the plaintiffs’ background checks as “no hire” based on certain criminal convictions. The plaintiffs alleged that this pre-notice “coding” constituted an adverse action and a “willful” violation of the FCRA. Disney moved for summary judgment following an order certifying the case as a class action.4 Similar to GEICO, Disney argued that its “coding” was not an adverse action itself, but rather only an “internal decision” to potentially take an adverse action in the future. Disney further argued that its alleged conduct (i.e., “coding” prior to sending applicants their reports) was not based on an “objectively unreasonable” FCRA interpretation, and thus the plaintiffs could not prove any willful violation. The court agreed. Relying on the opinion in Lewis v. Southwest, the court held that Disney did not act “objectively unreasonable” even if its FCRA practices were similar to those in recent cases in which courts found non-compliance. As the Culberson court explained, the plaintiffs cannot demonstrate a willful violation by relying on authorities that “were decided years after Plaintiffs applied for employment at Disneyland.”
Appellate Court Joins Growing Chorus Finding That Procedural FACTA Violations on Their Own Are Insufficient for Standing
In keeping with its recent decision in Bassett v. ABM Parking Services, the U.S. Court of Appeals for the Ninth Circuit held in Noble v. Nevada Checker Cab (March 9, 2018) that alleged procedural violations of the Fair and Accurate Credit Transactions Act, such as the inclusion of a credit card’s first digit on a receipt, were insufficient to constitute a concrete injury sufficient for Article III standing absent some other allegation of harm. Thus far, every circuit court that has addressed allegations of technical FACTA violations unaccompanied by actual injuries has found that these violations do not establish standing.
The Fair and Accurate Credit Transactions Act
The FACTA was a 2003 amendment to the Fair Credit Reporting Act and provides that “no person that accepts credit cards or debit cards for the transaction of business shall print more than the last five digits of the card number or the expiration date upon any receipt provided to the cardholder at the point of the sale or transaction.” 15 U.S.C. 1681c(g)(1). Willful noncompliance with FACTA entitles consumers to “any actual damages sustained by the consumer as a result of the failure or damages of not less than $100 and not more than $1,000.” 15 U.S.C. 1681n(a)(1)(A).
The plaintiffs filed a putative class action complaint against Nevada Checker Cab and other taxi companies, alleging that these companies had violated the FACTA by providing receipts that contain the first digit as well as the last five digits of the cardholder’s credit card number. The plaintiffs did not allege that the receipts were given to anyone other than the cardholder customers. The district court dismissed the complaint, finding that the plaintiffs lacked standing.
The Ninth Circuit affirmed, finding that the plaintiffs had failed to allege a concrete injury sufficient for Article III standing. Citing Spokeo v. Robins (2016), the Ninth Circuit explained that Article III standing required that a plaintiff allege a “concrete and particularized” injury, which may be intangible, in the context of statutory violations and not simply a “bare procedural violation, divorced from any concrete harm.” The court referenced its recent decision in Bassett v. ABM Parking Services, where it held that the alleged inclusion of a credit card’s expiration date on a receipt in violation of the FACTA without an actual injury did not constitute a concrete injury adequate to warrant Article III standing. In particular, the court noted that Bassett “did not allege that another copy of the receipt existed, that his receipt was lost or stolen, that he was the victim of identity theft, or even that another person apart from his lawyers viewed the receipt.” In addition, the court observed that Bassett could not even allege that “any risk of harm is real…given that he could shred the offending receipt along with any remaining risk of disclosure.”
The Ninth Circuit found that, like Bassett, the plaintiffs in the present case had not alleged a concrete injury as they failed to allege that “anyone else had received or would receive a copy of their credit card receipts.” Moreover, the court also found that the first digit of a credit card number which only identifies the card issuer was not the sort of “information that Congress determined could lead to identity theft,” and, therefore, “Congress ha[d] not prohibited printing the identity of the credit card issuer along with the last five digits of the credit card number.”
Beginning with Bassett and continuing now with Noble, the Ninth Circuit has decisively joined the ranks of circuit courts that have clarified and strengthened the limitations on Article III standing imposed by Spokeo in statutory violation cases, particularly those involving FACTA. Coupled with the Second Circuit in Crupar-Weinmann v. Paris Baguette America, and Katz v. Donna Karan Company and Seventh Circuit in Meyers v. Nicolet Restaurant of De Pere, Noble narrows standing to bring cases premised strictly on procedural violations of the FACTA. The plaintiffs in the Second, Seventh and Ninth Circuits must allege actual injuries, such as financial losses due to identity theft, to satisfy the requirements of Article III and survive a motion to dismiss for lack of standing.
Former Employees Hit Naples Hotel Group with FCRA Class Action Over Background Checks
On March 20, Naples Hotel Group LLC removed a putative Fair Credit Reporting Act class action to the U.S. District Court for the Middle District of Florida. The complaint, originally filed February 13 in the Ninth Judicial Circuit Court in Orange County, Florida, alleges that Naples improperly obtained and used consumer reports about prospective and existing employees—through an outside consumer reporting agency—without complying with the FCRA’s disclosure and authorization requirements. The lead plaintiffs, Shawana Sanders and Kenyatta Williams, are former employees of Naples. The putative class is defined as all Naples Hotel Group employees and job applicants in the United States who were the subject of a consumer report procured by the company within five years of the complaint’s filing. According to the plaintiffs, the authorization forms used to obtain their consumer reports during the initial application process contained “extraneous provisions” that distracted the applicants from understanding the import of the disclosure. According to the plaintiffs, Naples knew it was required by law to provide a stand-alone form, separate from its employment application, before obtaining and using consumer reports. They allege that Naples further violated the FCRA when it took adverse action against them. “Without clear notice that a consumer report is going to be procured, applicants and employees are deprived of the opportunity to make informed decisions or otherwise assert protected rights,” according to the complaint. These types of FCRA disclosure form claims are incredibly popular with the plaintiffs’ bar, and judicial decisions vary widely based on circuit and fact pattern. Last year in Syed v. M-I, LLC, the Ninth Circuit Court of Appeals issued a significant decision on the discrete issue of FCRA willfulness as applied to disclosure form claims, ultimately concluding that the prospective employer willfully violated the FCRA by including a liability waiver in its background check disclosure form.
Washington State Strikes Down Seattle “First-in-Time” Law
The Washington state superior court for King County struck down the Seattle’s “First-in-Time” tenant law (Municipal Code § 14.08.050). The law requires landlords to establish screening criteria for tenants, offer tenancy to the first applicant meeting the criteria, and imposes advertising restrictions. Landlord plaintiffs argued-and the court agreed-that the law violated the Washington Constitution’s protections for property rights, due process, and free speech. The court ruled that “[c]hoosing a tenant is a fundamental attribute of property ownership” and that the law was an improper taking for private use. The court also ruled that the law impermissibly restricts both the means and content of speech, and that the restrictions on constitutional rights were more extensive than necessary to achieve a legitimate public purpose when there exist other less oppressive alternatives. Because of its extensive analysis on relevant constitutional questions, the decision may be persuasive in other challenges to Seattle’s “First-in-Time Law”
Washington State Enacted H.B. 1298 (Fair Chance Act)
On Match 13, 2018, the State of Washington enacted H.B. 1298, the “Fair Chance Act,” which prohibits private and public employers from inquiring about job applicants’ criminal history or conducting background checks before they are determined to be qualified for a position. The law does not apply to:
- Any employer hiring a person who will or may have unsupervised access to children under the age of 18 or a vulnerable adult or person as defined elsewhere in state law;
- Any employer, including a financial institution, who is expressly permitted or required under any federal or state law to inquire into, consider, or rely on information about an applicant’s or employee’s criminal record for employment purposes;
- Certain law enforcement or criminal justice agencies;
- Employers seeking non-employee volunteers; or
- Any entity required to comply with the rules or regulations of a self-regulatory organization, as defined in section 3(a)(26) of the Securities and Exchange Act.
The law makes it unlawful for an employer to (1) include any question on any application for employment, (2) inquire either orally or in writing, (3) receive information through a criminal history background check, or (4) otherwise obtain information about an applicant’s criminal record (arrests or convictions) until after the employer initially determines that the applicant is “otherwise qualified” for the position. An applicant is considered “otherwise qualified” if he or she meets the basic criteria for the position as set out in any job advertisement or job description without consideration of a criminal record. Only after the employer deems the applicant to be “otherwise qualified” may it inquire into or obtain information about the applicant’s criminal record. Any policy or practice that automatically or categorically excludes applicants with a criminal record before they have been deemed “otherwise qualified” is unlawful.
Additionally, employers may not advertise any job openings in a way that excludes people with criminal records from applying. Therefore, jobs advertisements must not state that people with criminal cases (or similar language) will not be considered for the position. The law is clear in that it should not be viewed as requiring any employer to “provide accommodations or job modifications in order to facilitate the employment or continued employment of an applicant or employee with a criminal record or who is facing pending criminal charges.” The law will have no impact on existing local laws that provide “additional protections to applicants or employees with criminal records” and will not prohibit local governments from enacting such laws in the future.
June Will Bring New Ban the Box and Fair Chance Laws
In June, new laws will go into effect that restrict employers’ ability to request and use criminal history information about applicants in three jurisdictions: Kansas City, Missouri; the State of Washington; and the city of Spokane, Washington. Below are summaries of the new restrictions and links to the laws.
Kansas City, Missouri
Effective June 9, 2018, new Ordinance Section 38-104 provides that employers employing six or more employees may not:
- inquire about an applicant’s criminal history until after they determine the individual is otherwise qualified for the position and the applicant has been interviewed for the position (the inquiry must be made of all applicants in the final selection pool); or
- base hiring or promotional decisions on an individual’s criminal history or related sentencing unless they can demonstrate that the decision was based on all information available, including consideration of the frequency, recentness and severity of a criminal record and that the record was reasonably related to the duties and responsibilities of the position.
Employers who are required by law or regulation to exclude from employment applicants with certain criminal convictions are exempt from these requirements. “Criminal history” is defined by the new law as (1) a record of a conviction, or a plea of guilty or no contest, to a violation of a federal or state criminal statute or municipal ordinance; (2) records of arrests not followed by a valid conviction; (3) convictions which have been, pursuant to law, annulled or expunged; (4) pleas of guilty without conviction; (5) convictions for which a person received a suspended imposition of sentence; and (6) misdemeanor convictions where no jail sentence can be imposed.
Effective June 7, 2018, a new law provides that employers may not:
- ask on an employment application, orally or in writing, or receive information about an applicant’s criminal record until after initially determining that the applicant is otherwise qualified for the position;
- advertise open jobs in a way that excludes people with criminal records from applying, such as by stating “no felons,” “no criminal background” or similar messages; or
- implement any policy or practice that automatically or categorically excludes individuals with a criminal record from consideration before determining that the applicant is otherwise qualified for the position (this includes rejecting an applicant for failing to disclose a criminal record prior to initially determining the applicant is otherwise qualified for the position).
There are exceptions for employers hiring for positions that will involve unsupervised access to children and certain vulnerable adults, those who are expressly permitted or required by law to inquire about arrest or conviction record for employment purposes, and where background checks are specifically permitted or required by law, among other things. “Otherwise qualified” is defined by the new law as the applicant meets the basic criteria for the position as set out in the advertisement or job description without consideration of a criminal record. “Criminal record” is defined by the new law as including any record about a citation or arrest for criminal conduct, including records relating to probable cause to arrest, and includes any record about a criminal or juvenile case filed with any court, whether or not the case resulted in a finding of guilt.
Effective June 14, 2018, new Ordinance No. C-35564 provides that employers acting directly or indirectly in the Spokane city limits may not:
- advertise open jobs in a way that excludes people with arrest or conviction records from applying, which includes stating “no felons,” “no criminal background” or similar messages (but, employers may advertise that a criminal history inquiry and/or background check will be done during or after the interview process as long as such advertisement does not state that an arrest or conviction record will automatically preclude the applicant from consideration for employment);
- ask on the application, orally or in writing, about an applicant’s arrest or conviction record, or receive information through a criminal history background check, or otherwise obtain information about an applicant’s arrest or conviction record prior to an in-person, telephonic or video interview or to making a conditional offer of employment;
- use, distribute or disseminate an applicant’s or employee’s arrest or conviction record except as required or otherwise allowed by law;
- disqualify an applicant prior to an in-person, telephonic or video interview solely because of a prior arrest or conviction (unless the conviction is related to significant duties of the job or disqualification is otherwise allowed by this chapter); or
- reject or disqualify an applicant for failure to disclose a criminal record prior to initially determining the applicant is otherwise qualified for the position.
There are exceptions for employers hiring for positions that will involve unsupervised access to children and certain vulnerable adults, those who are expressly permitted or required by law to inquire about arrest or conviction record for employment purposes, and where background checks are specifically permitted or required by law, among other things. “Arrest or Conviction Record” is defined by the new law as any record or information about a citation or arrest for criminal conduct, including records relating to probable cause to arrest, and includes any record about a criminal or juvenile case filed with any court, whether or not such a case resulted in a finding of guilt, has been vacated, or overturned on appeal.
Washington Governor Enacts Amendment Relating to Security Freeze Fees
On March 13, the Washington governor signed Senate Bill 6018, which amends sections of the state’s Fair Credit Reporting Act addressing the removal of security freezes. Among other things, the amended act prohibits credit reporting agencies (CRAs) from charging a fee for placing, temporarily lifting, or removing a security freeze, or when assigning consumers unique personal identification numbers. Additionally, the offices of cybersecurity and privacy and data protection and the Attorney General’s office are instructed to work with stakeholders to evaluate the amendment’s impact on consumers and CRAs. A findings report must be submitted by December 1, 2020 and include data breach trends and recommendations by federal and state agencies. The amendment takes effect June 7.
Multiple States Address Cost of Security Freezes
On March 19, the Michigan governor signed legislation, HB 5094, which amends the Michigan Security Freeze Act to prohibit consumer reporting agencies (CRAs) from charging a fee for “placing, temporarily lifting, or removing a security freeze” on a credit report. Previously, the state allowed for a fee of up to $10 to use the service, if the consumer had not previously filed a police report alleging identity theft. HB 5094 is effective immediately. On March 15, the Utah governor signed legislation, HB 45, which amends the Utah Consumer Credit Protection Act to prohibit CRAs from charging a fee in connection with placing or removing a security freeze. Additionally, the bill also prohibits CRAs from charging a fee in connection with mobile applications through which a consumer would place or remove a security freeze. The legislation outlines the manner in which a consumer may request a security freeze and the requirements CRAs must follow in responding to the requests. Previously, Utah allowed for CRAs to charge a “reasonable fee” in connection with a security freeze service.
South Dakota Passes Data Breach Legislation
On March 21st, South Dakota enacted S.B. 62, which would require an “information holder,” in the event of a data breach, to notify any state resident whose personal information was acquired by another person within 60 days of discovery or notification of a breach. The holder must also notify the Attorney General. Notification is not required, following an investigation by the Attorney General if the information holder determines that the breach will not result in consumer harm.
New Jersey Passes Equal Pay Legislation Aimed at Closing the Wage Gap for All Protected Classes
On March 27, 2018, New Jersey became the latest state to pass comprehensive equal pay legislation, and one of the first states to pass an equal pay law that extends protections beyond gender to all classes of employees that are protected under the state’s antidiscrimination law. New Jersey’s wage and hour law already prohibits employers from “discriminat[ing] in any way in the rate or method of payment of wages to any employee because of his or her sex.” The Diane B. Allen Equal Pay Act expands this protection and amends the New Jersey Law Against Discrimination (“LAD”) to make discrimination in wages on the basis of any protected class an unlawful employment practice. With the new law taking effect July 1, 2018, employers need to carefully analyze their existing pay practices to ensure compliance. The law makes it an unlawful employment practice “[f]or an employer to pay any of its employees who is a member of a protected class at a rate of compensation, including benefits, which is less than the rate paid by the employer to employees who are not members of the protected class for substantially similar work, when viewed as a composite of skill, effort and responsibility.” Similar to the federal Equal Pay Act and other states’ equal pay laws, there are a handful of legally permissible reasons for a different rate of compensation, including if the differential is based on a seniority system or merit system. However, the “any other factor” catchall present in the federal law and other jurisdictions is much more precise under New Jersey’s law. Specifically, other than a seniority or merit system, a different rate of compensation may only be permitted if the employer demonstrates:
- The differential is based on one or more legitimate, bona fide factors other than the characteristics of members of the protected class (like training, education, experience, or the quantity or quality of production);
- The factor(s) are not based on, and do not perpetuate, a differential in compensation based on sex or any other characteristic of a protected class;
- Each of the factors is applied reasonably;
- One or more factors account for the entire wage differential; and
- The factors are job-related with respect to the position in question and based on a legitimate business necessity, where there is no alternative business practice that would serve the same business purpose without producing the wage differential.
The comparison of wage rates is based on the wage rates in all of an employer’s operations or facilities and is not limited to employees who work within a specific geographic area or region.
What Are the Protected Categories? The list of protected categories in New Jersey is expansive. Under the LAD, employers are prohibited from discriminating against an individual on the basis of any of the following: race, creed, color, national origin, nationality, ancestry, age, marital status, civil union status, domestic partnership status, affectional or sexual orientation, genetic information, pregnancy, sex, gender identity or expression, disability or atypical hereditary cellular or blood trait of any individual, or liability for service in the armed forces.
What Are the Damages Available to Prevailing Employees? The law enhances damages that are available to a prevailing employee in a lawsuit filed under the LAD. Typically, an employee would be awarded compensatory damages, punitive damages if the conduct was willful, attorney’s fees, and costs if they succeed on a claim of discrimination against their employer. Under the Diane B. Allen Equal Pay Act, if a jury determines an employer discriminated on the basis of pay, the employee will be awarded treble damages—that is three times the amount of the pay differential. Treble damages would also be available to an employee who succeeds on a claim that the employer took reprisals against the employee for requesting from, discussing with, or disclosing to another employee or former employee, a lawyer from whom the employee seeks legal advice, or any government agency, information related to employee compensation. The same enhanced damages are available to an employee who prevails on a claim that they were required, as a condition of employment, to sign a waiver or agree not to make these types of requests or disclosures. The law also provides that an unlawful employment practice occurs each time the employee is affected by the discrimination in compensation. That is, each occasion that wages, benefits, or other compensation are paid is a separate act of discrimination. An employee can go back and obtain back pay for a period of six years.
The following bills were recently passed or enacted in state legislatures:
- Colorado – The Colorado Senate passed H.B. 1233, which would prohibit consumer reporting agencies from charging a fee for the placement, temporary lift, partial lift, or removal of a security freeze on a protected consumer’s report.
- Iowa – The Iowa House of Representatives passed H.F. 2458, which would establish an apprenticeship development program and require volunteers to undergo a background check.
- Maryland – The Maryland House of Representatives passed H.B. 695, which would authorize a public body to discuss cybersecurity-related issues in a closed meeting.
- Missouri – The Missouri Senate passed S.B. 819, which would make a number of changes to provisions related to the state’s foster care case management system and criminal background checks.
- Oklahoma – The Oklahoma House of Representatives passed H.B. 2518, which would require applicants of multistate nursing licenses to undergo a background check; and H.B. 3336, the “Physical Therapy Licensure Compact,” which would implement a background check requirement for applicants of physical therapy licenses.
- Wyoming – Wyoming enacted S.F. 42, which clarifies background screening provisions related to applicants for certain licenses and requires disqualifying criminal history offenses for applicants to relate directly to the profession or occupation.
Retailers Can Maintain Drug Free Workplace Despite State Legalization of Marijuana
Many retailers wonder what effect, if any, legalization of recreational marijuana has on their ability to maintain a drug free workplace. Recreational marijuana has been legalized in Alaska, California, Colorado, Maine, Massachusetts, Nevada, Oregon and Washington. Marijuana still remains an illegal Schedule I substance under the federal Controlled Substances Act, and therefore still subject to prosecution under federal law. Legalization of marijuana in the above states does not affect an employer’s ability to enact and enforce workplace restrictions related to drug possession, use, impairment, and testing. For example, California’s “Control, Regulate, and Tax Adult Use of Marijuana Act,” commonly referred to as Proposition 64, contains express language specifying that it does not:
- affect the rights and obligations of public and private employers to maintain a drug and alcohol-free workplace;
- require an employer to permit or accommodate the use, consumption, possession, transfer, display, transportation, sale, or growth of marijuana in the workplace;
- affect the ability of employers to have policies prohibiting the use of marijuana by employees and prospective employees; or
- prevent employers from complying with state or federal law. (Cal. Health & Safety Code § 11362.45.)
Employers also maintain the right to enforce workplace restrictions on medical marijuana. In 2008, the California Supreme Court held in Ross v. RagingWire Telecommunications, Inc. that an employer lawfully may enforce drug free workplace policies even if an employee uses the marijuana for medical purposes. Proposition 64, does not limit the scope of that California Supreme Court holding.
Given the potential for confusion, employers should remind employees of any drug free workplace policies that extend to marijuana, and inform them that, although recreational marijuana is no longer prohibited under state law, it is still prohibited in the workplace.
Will drug testing become a thing of the past?
Incremental “tweaks” might be the best course for employers.
According to an article in Bloomberg BNA’s Daily Labor Report, employers are beginning to scale back their drug testing programs—especially employers in states that have legalized marijuana use. In one study cited in the article, the percentage of Colorado employers who tested for illegal drugs declined from 77 percent in 2014 to 62 percent in 2017, after that state legalized marijuana use. Another reason for the decrease in drug testing is the tight labor market, according to the DLR article. According to an employment lawyer quoted in the article, “Employers are really strapped and saying, ‘We’re going to forgive certain things.'” Drug testing has also reportedly made it hard for employers to employ workers in areas affected by the opioid crisis. Finally, the article cited Gallup polls showing that Americans in general have become more tolerant of drug use and favor legalization of marijuana. In 1969, only 12 percent of those polled favored legalization of marijuana. In October 2017, that percentage had skyrocketed to 64 percent.
But before you toss your drug testing program, a few caveats are in order:
No. 1: Drug use—even if it’s legal—can impair an employee’s ability to perform work that is safety-sensitive, such as operating machinery. (And “operating machinery” includes driving a car.) Even if you scale back your drug testing, continue to test applicants for and employees in safety-sensitive positions.
No. 2: Federal law, and our current Attorney General, continue to take a hard line on illegal drugs. Marijuana is still an illegal drug under federal law.
No. 3: For many jobs, of course, drug testing is required by law. This would include jobs subject to U.S. Department of Transportation or Federal Aviation Administration requirements, among others.
No. 4: Depending on which state you’re in, you may get a significant discount on your workers’ compensation premiums if you maintain a “drug-free workplace.”
No. 5: Rather than throwing the “drug testing baby” out with the bathwater, consider keeping your program with some modifications. Here are some alternatives to dispensing with drug testing entirely: (1) limit your drug testing to safety-sensitive jobs, (2) eliminate marijuana testing if you’re in a “legal marijuana” state and don’t care about prohibiting marijuana use in jobs where it isn’t governed by federal law, but continue to test for other drugs, (3) continue to test for all Schedule 1 drugs but make reasonable accommodations for any applicants or employees who use marijuana for medical reasons or who are addicted to or dependent on opioids, and/or (4) have a robust employee assistance program that puts more emphasis on rehabilitation than termination (but leave yourself a little room to terminate in appropriate cases).
No. 6: Whatever you do, don’t abandon the following, whether the job is safety-sensitive or not: Post-accident testing, testing for “cause” (such as an employee who shows up for work in an apparent impaired state), or any drug testing that is required by law or recommended in standards that apply to your industry or profession.
(Note by ClearStar’s General Counsel: It is a good article, especially where they elaborate on the caveats before considering making changes to any drug screening program. It would have been helpful if the statistics they cited distinguished between marijuana testing (medical and/or recreational) and other drug testing as well as to whether or not the statistics took into consideration whether testing was mandated by the DOT and/or the FAA. ClearStar touched on this issue in various Monthly Screening Compliance Updates, which are available online on ClearStar’s website.)
Medical Marijuana is Coming to Ohio – What Employers Need to Know
In 2016, Ohio approved the legalization of medical marijuana, but the law does not go into effect until September 2018. Some Ohio business owners might be nervous at the prospect of employees soon having greater access to marijuana, but they needn’t worry, as the law was written in a pro-employer manner.
Nothing in Ohio’s medical marijuana law:
- Requires employers to accommodate an employee’s use, possession, or distribution of marijuana in the workplace
- Prohibits employers from disciplining, terminating, refusing to hire, or otherwise taking an adverse employment action because of that employee’s use, possession, or distribution of marijuana in the workplace
- Prohibits employers from establishing and enforcing a drug-testing policy, drug-free workplace policy, or zero-tolerance drug policy
- Interferes with federal laws, which still ban marijuana use, medical or otherwise
- Permits an employee to sue an employer for disciplining him or her for use, possession, or distribution of medical marijuana
- Allows an employee injured on the job while under the influence of marijuana to recover workers’ compensation benefits.
In short, if you are an Ohio employer, you likely do not need to change your approach to employees’ use of marijuana, regardless of whether it is legalized medical marijuana.
What can employers do with regard to background checks and inquiries in Vermont?
Criminal records and arrests: Vermont has adopted the ban-the-box restriction for initial applications. An exception applies for positions where the law imposes limitations on hiring employees with criminal backgrounds, but the application questions must be limited to the disqualifying convictions. Employers may ask about convictions during the interview or they may condition employment on a criminal background check.
Medical history: Employers may not require an employee to pay for a medical exam. Employers cannot require genetic testing or use genetic testing results or genetic information from a person or a member of a person’s family (18 V.S.A. Section 9333).
Drug screening: Vermont imposes significant limitations on the use of drug testing. For job applicants, employers may test only after giving the applicant an offer of employment on the condition of a test result. The employer must then provide the applicant with a copy of its policy, a list of drugs to be tested, and a statement to say that therapeutic levels of prescription drugs are not reported. The test must comply with the administrative provisions of the law (21 V.S.A. Sections 511-519). The law imposes stringent restrictions for the testing of existing employees, including a prohibition on random testing. An employer may test only if it has probable cause to believe that an employee is under the influence and the employer meets numerous other requirements. If a test is positive, an employer cannot immediately terminate the employee, but must allow the employee to seek treatment.
Credit checks: Subject to limited exceptions, employers may not enquire about an applicant’s credit report or credit history (21 V.S.A. Section 495(i)).
Immigration status: Employers may not recruit, solicit or refer for employment, or employ, an individual who is not authorized to work in the United States.
Social media: Effective January 1, 2018, Vermont limits access to employee social media accounts (21 V.S.A. Section 495(l)). The law contains exceptions for conducting appropriate investigations and accessing an employer-issued device. It also includes retaliation protection.
U.S. Companies Doing Business in the EU or Impacting EU Individuals Must Comply with the EU GDPR by May 25, 2018
Companies with people in the EU or doing business in the EU need to be thinking about the EU’s General Data Protection Regulations (GDPR) and whether the regulations apply to them. In approximately two months, the EU’s GDPR will take effect. The deadline for complying with this considerable change in law is May 25, 2018. If your company is covered by the GDPR, it is urgent that you pay attention to the new requirements, considering the monumental size of potential penalties for failing to comply. The GDPR significantly expand the jurisdiction of the EU’s data privacy regulatory framework to companies processing or controlling the personal data of employees or other individuals residing in the EU—regardless of the company’s location.
The GDPR cover companies if they fall under one (or more) of the following three tests:
- the “establishment test” – applies where processing takes place in the context of activities of an establishment in the EU, regardless of whether the processing takes place in the EU. The term “establishment” is not strictly defined;
- the “goods and services test” – applies to the processing of personal data of individuals who are in the EU by entities not established in the EU, where processing relates to the offering of goods and services; or
- the “monitoring test” – applies to the processing of personal data of individuals who are in the EU by an entity not established in the EU, where processing relates to the monitoring of their behavior within the EU.
A company could also technically be subject to the GDPR if the company is not established in the EU but is subject to the laws of the EU by virtue of public international law. Such circumstances are rare.
Among other heightened requirements and obligations, if a company is covered under the GDPR:
- It will be subject to stricter rules on obtaining employee consent to process and share personal data.
- It may have to appoint a data protection officer.
- Its employees will have greater rights with respect to access and control of their personal data.
- It will be subject to stricter record keeping requirements.
- It must comply with stricter and enhanced reporting obligations to the data protection authority(ies).
- It could be subject to significant penalties for committing a breach, including up to 4 percent of annual global revenues or €20 million (whichever is greater).
Various EU member states are also in the process of adjusting and updating their applicable data privacy and protection rules to comply with the GDPR. Thus, it will also be important for companies who do business in the EU or involving EU-based individuals to make sure that they remain in compliance with applicable local guidelines on data privacy and protection.
GDPR Privacy Notice for Employees – What employers need to know
Under the General Data Protection Regulation (‘GDPR’), privacy notices are to be issued to all data subjects who an organization may handle personal data in relation to, including employees and job applicants. In addition, Privacy Notices will need to contain far more detailed information about how any relevant personal data will be processed, so as to meet the enhanced requirements of the GDPR.
What is an employee Privacy Notice?
An employee Privacy Notice is a source of information that explains to an individual the “what, how, where, why and when?” regarding how a data controller (in our case an employer) processes an employee’s personal data. Processing is a broad term and includes (amongst other things) collecting, recording, storing, amending, reviewing, using and deleting personal data. A vast array of employment-related data is processed by employers and under the GDPR, they will have to be more transparent and open than ever before about such processing.
Why do employers need to draft a Privacy Notice?
It is a mandatory obligation under the GDPR for employers to provide certain information (detailed further below) to their staff. It is also a core GDPR principle for employers to process HR related data in a fair and transparent way. Issuing a bespoke and adequately informative Privacy Notice to staff, is therefore a key step towards achieving GDPR compliance. There is no set way for employers to provide this information. However, our firm recommendation is that an employer does this by means of a Privacy Notice. How that Privacy Notice is communicated to staff is however left to the discretion of the organization and we discuss this further below. Arguably, this is one of the most important documents that an employer will need to prepare in order to become GDPR compliant. Organizations hold a vast amount of personal data, and often special categories of personal data in relation to their employees, and as one of the new concepts under GDPR is ‘transparency’, it is imperative that employers are open, honest and sufficiently detailed in the information that they provide to their staff in relation to the handling of their data. The Privacy Notice, alongside appropriate, policies, procedures and relevant training is a fundamental part of the GDPR jigsaw but will likely be the most scrutinized documents by staff who have much increased rights under GDPR.
What information must be included in an employee privacy notice?
The mandatory information “types” that must be set out in a Privacy Notice include:
- The identity and contact details of the employer;
- A description of the personal data that is collected;
- The purposes for processing the data;
- The legal basis on which the processing will take place;
- Who the personal data is shared with;
- Whether personal data is transferred outside of the EEA and if so, details of the safeguards that are in place to protect the security of the data;
- How long the personal data will be kept for; and
- Details about the rights that employees have in relation to that personal data, for example the right to request that the employer rectify any incorrect information
How does an employer start constructing a meaningful Privacy Notice for its employees?
The Privacy Notice must be “meaningful”. Essentially this means that it must be tailored to reflect the structure of the employer’s business, the types of personal data that the employer processes and the nature of the processing (amongst other things). As such, whilst a template privacy notice is a useful starting point for an employer, it will only become a purposeful document when it is specifically tailored to reflect the relevant processing of employees’ personal data within the organization. The first step for an employer to be able to complete a Privacy Notice is to understand exactly what data it holds, how it is processed, who has access to it, why is it processed and what is the company’s legal basis for being able to process that data. This can most effectively be done by carrying out some form of HR data audit or data mapping exercise. Once an employer has a clear picture of the data it holds and how it handles that data, it can start to work these details into a Privacy Notice. In relation to each data type, the employer will need to confirm within the Privacy Notice, the purpose(s) for which it is processing that data and the legal ground(s) that it is relying on to carry out that processing activity. Once a meaningful Privacy Notice has been produced for existing staff, the employer will need to think about tailoring it to job applicants or other forms of atypical workers. The Privacy Notice needs to provide sufficient detail so that the data subject has clear knowledge of the types of data held about them, the nature of the processing activities and their rights under the GDPR. However, notwithstanding the level of detail that needs to be provided, the GDPR requires the document to be written in clear and concise language. Including all of the necessary information whilst remaining concise is something of an art form!
When should the Privacy Notice be issued to employees?
Privacy information needs to be communicated to individuals at the point the data is collected. Practically speaking, this will mean issuing an “applicant” Privacy Notice to anyone that applies for a vacant role. It will them mean issuing a new “employee” privacy notice as part of the on-boarding exercise for new employees. This is in addition to issuing a Privacy Notice to all existing employees.
How should the Privacy Notice be distributed to employees?
A Privacy Notice can be communicated in a variety of ways, either as a hard copy document or electronically. However, it is good practice to use the same medium that you use to collect personal information from individuals, to communicate the Privacy Notice. For example, where employers issue candidates with a printed job application form, then this could be accompanied by a printed copy of the Privacy Notice. Whilst the information must be communicated to individuals at the point it is collected, this does not mean that all of the mandatory information needs to be contained in the same document. In this respect, the Information Commissioners Office (“ICO”) also recognizes that some organizations may choose to take an innovative approach to distributing this information. This is therefore an opportunity for an organization to be as creative in the way it provides this information to staff and is equally an opportunity to engage staff with data protection issues. This could be achieved for example by creating an app whereby employees can read and engage with the notice or, perhaps by setting some of the key information out in a text message sent to the employee, which would direct the employee to a link to a fuller policy document. Whatever method is chosen, it is essential that an organization can ensure that all staff receive this information and can acknowledge receipt of it by some means
What are the potential consequences for failing to communicate the mandatory information to employees?
The GDPR is very clear about the information that must be provided to employees. If employers do not have a clearly documented record of having done this and are either subject to an ICO spot check inspection or dealing with the ICO for some other reason, then a failure to provide this information will not be looked upon favorably as part of the ICO’s assessment of the employer’s overall compliance strategy.
GDPR’s Most Frequently Asked Questions: If I receive a right to be forgotten request from an employee, do I have to honor it?
The European Union’s General Data Protection Regulation (“GDPR”) is arguably the most comprehensive—and complex—data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
Question: If I receive a right to be forgotten request from an employee do I have to honor it?
Answer: Not necessarily. The GDPR indicates that people have a “right to be forgotten” in some situations, but that right is not absolute. Rather it only exists in the following six situations—many of which do not apply to personal data collected as part of an employment relationship.
- Companies must delete data upon request, if data is no longer necessary. If personal data that was collected by a company about an individual is “no longer necessary in relation to the purposes for which [it was] collected,” the company typically must honor a right to be forgotten request.1 If an employee, or a former employee, makes a right to be forgotten request therefore a company should begin by asking (1) why was the data collected in the first place, and (2) is the data needed any longer for that purpose.
- Companies must delete data upon request, if data was processed based solely on consent. The GDPR allows companies to process data in six different types of situations. While one of those situations is where a person has “given consent” to the processing, the Article 29 Working Party—an influential, independent advisory body to the European Commission on data protection matters that is chiefly comprised of representatives from each member state’s data protection authority—has taken the position that “for the majority of . . . data processing at work, the legal basis cannot and should not be the consent of the employees” because of the perceived unequal bargaining position between an employer and an employee. As consent is typically not the sole basis for which an employer processes data, an employer typically is not required to honor a right to be forgotten request simply because an employee purports to be withdrawing his or her consent.
- Companies must delete data upon request if the data was processed based upon the controller’s legitimate interest, and that interest is outweighed by the data subject’s rights. One of the other grounds upon which a company can process data is to further the company’s “legitimate interest.” When processing is based upon a company’s legitimate interest, an employee has a right to request deletion unless the employer’s or a third party’s interest is demonstrably “overriding.” In the employment context most processing is not based upon the controller’s legitimate interest, but rather the performance of the employer’s obligations to the employee or legal requirements to collect information. That said, if a company did collect information for its legitimate interest (e.g. shirt size of employees in order to provide jerseys for an office softball team), the data subjects request that the information be deleted would typically not be overridden by the company’s interest in the information.
- Companies must delete data upon request if data is being processed unlawfully. The GDPR states that a right to be forgotten request must be honored if the processing of the personal data is (or has become) unlawful. Assuming that an employer is lawfully processing data relating to an employee, or former employee, this situation may have little applicability.
- Companies must delete data upon request if erasure is already required by law. The GDPR states that a right to be forgotten request must be honored if the data is required to “be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject.”6 If an employer is required to erase data pursuant to another member state law and is complying with that requirement, there may be few, if any, situations in which additional action would be necessitated by a right to be forgotten request.
- Companies must delete data upon request if it is collected from a child as part of offering an information society service. The GDPR requires the deletion of information when requested where the information was “collected in relation to the offer of information society services” to children under 16. Even if your organization employs children under the age of 16, it is unlikely that the situation would be characterized as the offering of an information society service. As a result, this situation does not apply to most employers.
Even if one of the situations described above is present, a company does not always need to honor a right to be forgotten request. For example, a company can choose to decline such a request if honoring it would interfere with a legal obligation imposed on the company to maintain employee data, or if an employee’s data is needed to establish, exercise, or defend a legal claim.
European Union and United Kingdom Reach Brexit Transition Deal
On March 19th, the European Commission released a draft agreement for the United Kingdom’s withdrawal from the European Union, which addresses new data protection and processing regulations between the regions. The draft would establish a 21-month transition period if agreed to by the EU27 at the European Council summit later this week. The draft proposes:
- The UK is no longer entitled to access any network or database established on the basis of EU law;
- The controller of a database at the end of the transition period will maintain intellectual property rights;
- EU law on the protection of personal data processing should apply in the UK if the subjects are outside of the UK
Ontario, Canada Introduces New Legislation Banning Compensation Questions
In an effort to combat gender discrimination and increase transparency during this process, on March 6, 2018, the Ontario government introduced The Pay Transparency Act (the “PTA”), which, as the name suggests, establishes requirements concerning disclosure of compensation particulars of employees and prospective employees. If passed, the PTA, which is proposed to come into force on January 1, 2019, will prohibit employers from asking candidates about their compensation history, whether personally or through an agent, with few exceptions. It will also require employers to:
- include a range of expected compensation for any publicly advertised job posting; and
- prepare a “transparency report”, which will highlight compensation gaps, if any, based on gender and diversity, which will be submitted to the government.
The PTA contains anti-reprisal language, prohibiting employers from, for example, penalizing employees for making inquiries about compensation or disclosing his or her compensation to another employee. The Ontario Labour Relations Board (the “Board”) imposes a reverse-onus on employers to prove that it did not engage in the alleged reprisal behavior and the Board retains broad discretion, if a finding of reprisal is made, to impose discipline “as seems just and reasonable in the circumstances.”
Ontario, which has allocated up to $50 million over the next three years in connection with the PTA and related initiatives, is the first Canadian jurisdiction to introduce this type of legislation, although similar laws exist in certain areas of the United States, Germany, Australia and the United Kingdom.
In addition to keeping an eye on the PTA, Ontario employers should be aware of existing legislation that affects the hiring process, for example:
- The Ontario Employment Standards Act, 2000 which requires equal pay for equal work regardless of sex or employment status;
- The Integrated Accessibility Standards, made under the Accessibility for Ontarians with Disabilities Act, requires employers to notify the public about the availability of accommodation for applicants with disabilities in the recruitment process; and
- The Ontario Human Rights Code prohibits job advertisements from directly or indirectly classifying or indicating qualifications based on a prohibited ground of discrimination.
What can employers do with regard to background checks and inquiries in Nigeria?
Criminal records: Employers can engage a service provider to conduct background checks on potential employees. Employers may also apply to the Nigerian police force to ascertain whether an employee has a criminal record or apply to the competent court for a judgment in respect of a decided criminal matter. However, employers cannot access criminal records if such records will result in the identification of a juvenile offender, as these records are confidential and closed to third parties.
Medical history: An employer may, with the employee’s consent, conduct medical tests on the employee. However, employers are prohibited from conducting HIV/AIDS tests on employees and may only do so if they have obtained the employees’ specific prior written consent.
Drug screening: Employers can conduct such tests with employees’ consent.
Credit checks: Employers may, with employees’ consent, conduct credit checks. In practice, such tests are conducted by the employer submitting an application to any of the credit bureau companies in Nigeria.
Immigration status: Any employer that intends to employ a foreign national must obtain an expatriate quota approval from the Federal Ministry of the Interior. This approval permits a company to employ non-Nigerians for specifically approved job designations for a specified duration, usually two years in the first instance. In relation to nationals of ECOWAS member states who are entitled to reside and work in Nigeria, an employer can require the employee to provide his or her ECOWAS card or international ECOWAS passport. The employer will require either document to apply for an ECOWAS residence card, which enables the employees to live and work in Nigeria.
Social media: An employer can access information on its employees’ social media platforms if the information is already in the public domain.
Other: Employers can also access information held by a public institution (i.e. a legislative, executive, judicial, administrative or advisory body of the government). This access is permitted under the Freedom of information Act 2011. In order to access such information, the employer must submit an application to the institution. The employer need not demonstrate specific interest in the information in respect of which the application is made. However, this right is not absolute, and the institution may deny access to the information where it contains personal information (defined in the act as any official information held about an identifiable person, not including information that bears on the public duties of public employees and officials).
What can employers do with regard to background checks and inquiries in Luxembourg?
Criminal records: During the recruitment process, an employer can request police clearance based on the needs of the job advertised. Such a request must be indicated in the job offer. The potential employer can also request a criminal record check if a driving license is a prerequisite for the job and this is mentioned in the employment contract. A special criminal record check can also be requested for tasks that involve contact with children. This data can be stored for no more than two months. Following the EU General Data Protection Regulation’s entry into force, an employer will need to keep criminal record requests and the justification of such requests for future and existing employees.
Medical history: Health-related information is covered by personal and private data provisions and thus cannot be subject to inquiries from employers. However, the Labour Code includes a medical exam to assess the general medical state of employees who are entering into a new employment relationship. These results are private and belong to the employee; the employer has no access to this data.
Drug screening: Drug screening may be lawful if performed legitimately and proportionately with employee consent considering the nature of the work involved or the conditions in which it is conducted. Data protection rules must be respected when drug screening is conducted.
Credit checks: Credit checks are covered by personal and private data provisions and thus cannot be the subject of employer inquiries. However, depending on the applicant’s position and the nature of his or her activities, an employer may request the provision of such information, which is not mandatory.
Immigration status: Immigration status is regarded as private information which can be obtained only on agreement by employees or future employees. Such information must be sought and used according to the principles of non-discrimination and the data protection rules. An employer’s human resources department may request the disclosure of such information. The Luxembourg labor market prioritizes access for Luxembourg, EU and European Economic Area nationals. This constitutes a legal and justified discrimination.
Social media: Social media information is freely accessible to employers. When performing such background checks, employers must respect the non-discrimination principle and the data protection rules. However, these principles may be tempered by employee obligations to employers, including professional discretion, which is a principle that extends to social media posts by employees. Any misconduct on social media at the direct expense of an employer can be punished.
Other: Background checks are permitted provided that they comply with the anti-discrimination and data protection principles. An employer may request from a job applicant a copy of his or her:
- identity card or passport;
- diplomas; and
- social security card.
Equifax, Experian, and TransUnion announced that they will be removing tax liens from consumers’ credit reports.