Warning: The Federal Trade Commission Will Prosecute Companies Over Consumer Data Breaches—its Recommendations Should be Heeded
There is no comprehensive federal statutory scheme governing breaches of consumers’ private data. However, the Federal Trade Commission (“FTC”) has a history of trying to protect consumers’ private data based on its general mandate to regulate unfair business practices pursuant to the FTC Act. Importantly, the FTC’s power to do so has been upheld by at least one court. (See FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015).)
While the reach of the FTC may be limited, liability exposure can be high when the FTC does take action. As such, adhering to its recommendations could prove useful to avoid prosecution by the FTC. Given that President Donald Trump’s nominees to the FTC have indicated that data breaches will be a top priority for them, the FTC’s efforts to protect private consumer data will undoubtedly continue and may accelerate.
The FTC’s Recommendations to Protect Consumers
In 2012, the FTC finalized a 2010 preliminary report offering the following recommendations to protect consumers and to take some of the burden off consumers to protect themselves:
Privacy by Design
- Weave privacy protection procedures into daily business practices.
- Secure consumers’ private data, but also limit its collection and retention.
- Task designated employees with creating, monitoring, and periodically reviewing privacy procedures.
Simplified Choice for Businesses and Consumers
- Provide consumers with an option not to have private data collected and shared, as opposed to presenting them with a long disclosure form containing legalese.
- Provide consumers with open disclosure regarding how their collected, private data is used so consumers can compare those practices to other companies’ practices.
- Provide consumers with reasonable access to their collected, private data.
- Encourage a culture of privacy protection by educating consumers about commercial data privacy practices.
When Companies Have Failed to Protect Their Consumers’ Private Data, The FTC Has Taken Action
- In 2004, Petco, Inc. settled a case the FTC brought against it based on allegations that its website contained security flaws. The FTC argued that Petco violated federal law by failing to keep promises it had made to consumers regarding their privacy protection. Pursuant to the settlement reached with the FTC, Petco was required to roll out a twenty-year program to protect its website from hackers trying to steal its consumers’ private data.
- In 2006, the FTC brought an action against ChoicePoint, Inc. because its database of consumer data had been compromised, which allowed private data to be misused. The FTC argued that ChoicePoint did not adequately screen subscribers to its database. ChoicePoint was also required to implement a twenty-year program to protect private consumer data and better screen how that data was being used. ChoicePoint was also required to pay $5 million in consumer restitution and $10 million in fines.
- Genica Corporation. In 2009, Genica Corporation settled a case brought by the FTC based on how the company collected and stored its consumers’ data through one of its consumer electronics websites. The FTC argued that Genica had violated federal law by failing to keep its promise to consumers to adequately protect their data.
- Heartland Payment Systems. In 2010, Heartland Payment Systems had to pay $60 million to Visa card issuers because of their losses resulting from a data breach.
- Dave & Buster’s. Also in 2010, the FTC argued that Dave & Buster’s failed to secure its network, resulting in hackers accessing private consumer data and amassing hundreds of thousands of dollars in fraudulent charges. The FTC required Dave & Buster’s to create a program to protect private data it obtained from its consumers.
- Sackett National Holdings, Inc. In 2011, Sackett National Holdings, Inc. and SettlementOne settled a case brought by the FTC as a result of hackers having breached the networks of clients who had purchased consumer credit products from the companies, which allowed the hackers to obtain consumers’ private data. Both companies were required to create a twenty-year program to secure consumer data.
- Uber & Equifax. More recently, in August 2017, the FTC penalized Uber for misusing its consumers’ private data. Uber is now required to submit to 20 years of privacy checks. In September 2017, the FTC announced it was investigating the Equifax, Inc. data breach.
Following the FTC’s recommendations may prevent data breaches that expose companies to liability and will certainly be considered by the FTC should a breach occur. Moreover, securing consumers’ private data, being transparent with consumers, and providing consumers with choices regarding how their data is used are simply good business practices.
Altaba (Yahoo) Agrees to Pay $35 Million Penalty as SEC Continues to Emphasize Importance of Cybersecurity Data Breach Disclosures
On April 24, 2018, the Securities and Exchange Commission (the “SEC”) announced that Altaba Inc. (f/k/a Yahoo! Inc.) agreed to pay a $35 million penalty relating to charges that it misled investors with respect to disclosure of its 2014 data breach affecting hundreds of millions of Yahoo! subscribers. The breach, one of the largest in history, compromised Yahoo users’ personal information including usernames, passwords, birthdates and telephone numbers. While the SEC has investigated potential securities law violations related to data breaches since at least 2005, this is the first SEC cybersecurity disclosure enforcement action and follows the release of updated guidance on the topic earlier this year. The SEC’s Order Instituting Cease and Desist Proceedings (the “Order”) against Altaba tracks the guidance in several ways and demonstrates the SEC’s willingness to aggressively pursue violations of disclosure obligations relating to cybersecurity incidents. The guidance focuses on the need to maintain effective disclosure controls and procedures to ensure proper disclosure of material cybersecurity incidents in SEC filings. Specifically, among other items, issuers were reminded of the need to evaluate disclosure in the risk factors and MD&A sections of their SEC filings, including the possibility that significant costs and expenses of a material breach may trigger MD&A disclosure obligations to discuss known trends and uncertainties that may affect liquidity or net revenue. The SEC found Yahoo’s filings deficient in both of these areas. 
According to the Order, the SEC concluded that Yahoo violated Sections 17(a)(2) and 17(a)(3) of the Securities Act of 1933 and Section 13(a) of the Securities Exchange Act of 1934 (the “Exchange Act”), and certain rules promulgated thereunder, relating to Yahoo’s failure to timely disclose the massive data breach discovered in 2014, which the company did not publicly disclose until 2016 when the company was in the process of being acquired by Verizon. Yahoo did not admit or deny the SEC’s findings. The SEC’s release states that “[a]lthough information relating to the breach was reported to members of Yahoo’s senior management and legal department, Yahoo failed to properly investigate the circumstances of the breach and to adequately consider whether the breach needed to be disclosed to investors.”
- The SEC has now shown it will actively pursue enforcement actions relating to a failure to disclose material cybersecurity incidents. The Yahoo settlement merits scrutiny given its size, scope and related media attention. The SEC, based on its updated guidance and its action against Altaba, is clearly seeking to crack down on perceived cybersecurity breach disclosure deficiencies. All companies, regardless of size and industry, should take heed to conduct a thorough review of their risk management practices, disclosure controls and procedures and insider trading policies in light of the SEC’s guidance and enforcement activity.
- Generic risk factors discussing the potential for data breaches and the likely material consequences of a material breach are not sufficient. The Order notes that Yahoo’s public filings included thorough risk factors outlining the severe negative consequences of a possible breach including “Litigation, remediation costs, increased costs for security measures, loss of revenue, damage to our reputation, and potential liability.” Many companies include similar theoretical risk factors in their public filings. In Yahoo’s case, however, this type of ‘potential breach’ language in its SEC filings became problematic, in the SEC’s view, once an actual material breach occurred because the language then suggested that a breach was a hypothetical possibility rather than an actual occurrence. The Yahoo action demonstrates the need to reevaluate these disclosures to consider specific disclosure of past material breaches or supplemented disclosure upon the occurrence of an actual breach in the future.
- Companies should be cognizant of the implications of false or misleading representations made in material agreements filed as exhibits to SEC filings. The SEC alleges that Yahoo made knowing misrepresentations as to a lack of material data breaches in the acquisition agreement it entered into in connection with the sale of its operating business to Verizon. The acquisition agreement was filed as an exhibit to an 8-K filing in July 2016. The 8-K filing contained typical disclaimers including that representations and warranties contained in the agreement are made solely for the benefit of the parties to the agreement, should not be taken as fact and merely reflect the allocation of risk between the parties. However, despite the disclaimers, the Order cites these knowing misrepresentations contained in the purchase agreement as a factor in its determination that Yahoo violated the securities laws. Companies must now be on alert that the SEC may give additional scrutiny to affirmative representations contained in filed transaction agreements in evaluating compliance with their obligations to make material disclosures to investors.
- Companies should include outside advisers, including outside counsel and auditors, early in the process when analyzing the disclosure implications of a cybersecurity incident. The Order specifically notes that, “Yahoo’s senior management and legal teams did not share information regarding the breach with Yahoo’s auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings.” This appears to have been an important factor in the SEC’s determination that Yahoo did not have adequate internal disclosure controls in place to properly evaluate the impact of the breach and the need for disclosure in the company’s public filings. Determining whether a data breach has occurred and whether notice to potentially affected individuals must or should be provided can be a difficult decision. Public companies also must take into account their obligation to disclose material information to investors in accordance with SEC and stock exchange rules. Involving outside advisors early in the process can help establish a track record of proper procedures in evaluating the implications of a breach and assessing whether an incident is material for purposes of SEC and stock exchange rules.
FTC Commissioner Publishes Statement
On May 14th, FTC Commissioner Rohit Chopra issued a statement regarding repeat offenders of consent orders. According to Chopra, companies violate consent orders because of “management dysfunction” and because the benefits of violating the order are worth the expected consequences. As a result, Chopra suggests that the FTC start seeking “structural remedies” to help prevent companies from repeatedly violating consent orders, including:
- Completely banning companies from engaging in certain business practices;
- Dismissing senior executives and board directors;
- Dismissing third-party compliance consultants that fail to detect conduct violating a consent order; and
- Requiring executives to pay back certain compensation packages and companies to modify executives’ compensation arrangements.
Drug Using Employee? Better Conduct An “Individualized Assessment” Before You Fire!
It seems that a child development center in South Carolina just settled an EEOC disability lawsuit for $5,000 (and other remedies) for hiring someone to be an afterschool teacher who had informed them of his prior opiate addiction and participation in a MAT program (“supervised medication-assisted treatment”) for which he was legally prescribed the drug Suboxone as part of his treatment. For more details on the case, see https://www.eeoc.gov/eeoc/newsroom/release/5-15-18.cfm.
After hiring, he was fired 30 minutes into his first day on the job. So what’s the beef? The Americans With Disabilities Act (“ADA”) prevents discrimination against people with disabilities and creates an affirmative duty on employers; as the EEOC said in this case, the employer had to “conduct an individualized assessment prior to terminating [him]. The assessment would have helped determine what effect, if any, the Suboxone had on [his] ability to perform his job duties.” The employer allegedly failed to conduct such an individualized assessment, and presumably had no idea if he could perform his job duties. So it was sued and settled.
So, what are the important takeaways?
First, one size does not fit all. Employers must not have a blanket policy on drugs and must assess each individual separately.
Second, $5,000 might not sound like a lot to settle a lawsuit—but a consent decree ordered by the Court can be quite onerous—and subject an employer to EEOC scrutiny for a long time. In this case the decree will last five years, and requires the employer to:
- amend its written drug use policy to include a clear and specific exclusion to the policy for individuals who use legally-obtained prescription medication in a lawfully-prescribed manner;
- create an ADA-compliant procedure for conducting an individualized assessment of an employee who is enrolled in any form of alcohol, drug, or illegal substance rehabilitation program in order to determine whether the individual can safely perform the essential functions of her/his position with or without reasonable accommodation;
- provide annual training on the requirements of the ADA and its prohibition against discrimination and retaliation in the workplace;
- report to the EEOC the identities of all applicants who were denied employment and employees who were terminated due to current or past alcohol, drug, or substance use.
As an EEOC attorney noted: “Employers should make employment decisions based on an applicant’s qualifications and an employee’s performance, not based on disability or participation in a medically-assisted treatment program.”
President Trump Signs S. 2155
On May 24th, President Trump signed S. 2155, the “Economic Growth, Regulatory Relief, and Consumer Protection Act.” The legislation amends various provisions of the Dodd-Frank Act and includes new consumer rights, including free credit freezes for consumers.
PepsiCo Subsidiary Settles FCRA Class Action
On May 2nd, PepsiCo subsidiary, Bottling Group LLC, agreed to pay $1.2 million to settle alleged violations of the Fair Credit Reporting Act (FCRA) in the U.S. District Court for the Southern District of New York. Lead Plaintiff Altareek Grice filed the lawsuit in 2017 alleging that the Company violated the FCRA by failing to adequately inform him in a stand-alone disclosure that a consumer report would be obtained for employment-related purposes when he applied for a position in 2016. The case is Altareek Grice v. Pepsi Beverages Co., et al., Case No. 1:17-cv-08853, in the U.S. District Court for the Southern District of New York.
Background Screening Company Defeats FCRA Claim with Standing and Effective Procedures Defenses
A district court in Ohio dismissed a plaintiff’s claims under the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq., because he could not show that the report caused him an injury or that the background screening company failed to maintain reasonable procedures to ensure accuracy. Plaintiff Thomas Black brought a putative class action against General Information Solutions (“GIS”) under the FCRA arising out of a background check in conjunction with an employment application. The employer hired GIS to perform a background check on Black, and GIS assigned this task to one of its vendors. The vendor, and subsequently GIS, reported a felony robbery conviction. However, the robbery charge had not resulted in a conviction and had been dismissed. Black originally faxed his dispute to the wrong number, so GIS never received it. When Black sent the dispute to the correct number, GIS immediately conducted an investigation and only seven days later deleted his entry and issued a corrected report. The employer was still filling positions and requested references from Black. However, Black never provided the verifiable references. The employer provided testimony that Black would have been considered if he had provided the references.
In considering GIS’ motion for summary judgment, the Court raised the issue of standing sua sponte. Because Black missed out on a job opportunity based on his own failure to provide the requested references, the Court found that it was “apparent that Mr. Black has provided no evidence to show that he suffered any such harm as a result of GIS’ alleged violation of the FCRA.” With no injury resulting from the report, he did not have standing to bring a suit. This lack of injury also prevented him from proving all of the elements of his claim under § 1681e(b), since a plaintiff must prove that a report caused an injury in order for them to recover. Importantly, the Court also determined that GIS was not liable for a willful violation under §1681e(b), despite an inaccurate report, because it had “very effective procedures in place to ensure the accuracy of the consumer reports.” Specifically, the Court looked at GIS’ and the vendor’s “remarkably low” dispute rates, the responsiveness to the dispute, and the lack of evidence of similar disputes. Moreover, GIS trained its employees on FCRA compliance and assessed the quality of its reports. Although the vendor’s researcher failed to follow the procedures in this instance, the “failure of one individual investigator to follow the established procedures . . . is not sufficient to create liability against the background check company.” This decision shows the importance for employers to maintain proper hiring procedures. Creating and implementing effective procedures can allow for a company to escape liability even if an individual employee fails to follow those procedures. It also highlights the Sixth Circuit’s standard requiring plaintiffs to suffer a real injury if they want to bring suit in federal court.
The Spokeo Chronicles: Another Tentative Background Check Win for Kroger Subsidiary
A magistrate judge in the U.S. District Court for the District of Oregon recently made findings and recommendations to dismiss a purported class action against Kroger subsidiary Fred Meyer. The suit alleges that the retailer’s background check process for prospective employees violates the Fair Credit Reporting Act by both failing to properly disclose that a report will be run and failing to comply with the statute’s procedural requirements before taking adverse action against an applicant. In his report, Magistrate Judge Youlee Yim You recommended dismissing both FCRA allegations for failure to state a claim. First, Walker contended that Fred Meyer’s presentation of an Offer Acceptance document at the same time as the background check Disclosure and Authorization forms was impermissibly confusing and duplicative, in violation of the FCRA’s “stand-alone” requirement, and that the Disclosure contained improper extraneous information. The judge rejected these arguments, finding: (1) the Offer Acceptance and Acknowledgement were separate documents, and presenting them at the same time does not run afoul of FCRA; and (2) the Disclosure satisfied FCRA’s stand-alone requirements. On the stand-alone issue, the judge found the Disclosure consisted of five paragraphs, and any additional information was not unlawful and was “limited to information that is ‘closely related to the FCRA disclosure.’” Second, the judge also rejected Walker’s contention that Fred Meyer’s pre-adverse action notice runs afoul of the FCRA by directing applicants to contact the third-party background check provider, rather than Fred Meyer directly, with concerns about consumer reports. Walker failed to state a claim because “FCRA does not require the employer to give the employee or applicant notice of a right to discuss the contents of the report directly with the employer.” Additionally, Judge You found that Walker lacked Article III standing to pursue his pre-adverse action claim. 
Walker argued he suffered an injury-in-fact because he lacked an “adequate opportunity to remedy issues contained in the consumer report,” because his pre-adverse action notice directed him to file a Dispute Form with the third-party background check vendor rather than directly with Fred Meyer. The judge’s report rejects this argument, too, finding Walker was afforded an opportunity to dispute inaccuracies in his report, but he declined to do so within the required timeframe. “[T]here is no statutory requirement that an employer must communicate directly with an employer” and therefore Walker “has not alleged any injury beyond the mere statutory violation and therefore lacks standing.”
If the magistrate’s report is adopted by the district court, the opinion will expand the precedent for more permissive interpretations of the Act’s disclosure requirements and represent another employer win on post-Spokeo Article III standing grounds.
On May 11th, Experian was hit with a class-action lawsuit in the U.S. District Court for the Central District of California for allegedly reporting consumers on a government watchlist of security threats and not helping customers rectify the errors, in violation of the Fair Credit Reporting Act and the California Credit Reporting Agencies Act. Plaintiff Sung Kang alleged that he was denied a car loan after Experian reported that he was on a watchlist of terrorists, drug traffickers, and money launderers on his consumer report. Kang alleged that Experian regularly reports errors because the Company fails to use all of a consumer’s information to eliminate mismatches. The case is Sung Kang et al v. Experian Information Solutions, Case No. 18-830, in the U.S. District Court for the Central District of California.
Portion of Philadelphia Salary History Ban Ruled Unconstitutional
In a ruling that could provide a roadmap for challenging salary history bans in other jurisdictions, a Philadelphia federal judge issued an opinion on April 30 invalidating a major element of the Philadelphia salary history ordinance enacted by the city in January 2017. Judge Mitchell S. Goldberg held that the portion of the ordinance prohibiting an employer from inquiring about a prospective employee’s wage history is unconstitutional because it violates the First Amendment’s free speech clause. However, Judge Goldberg also held that the portion of the law prohibiting employers from relying on wage history to determine a salary for an employee did not implicate constitutional concerns. Philadelphia employers now find themselves in a difficult position: They are permitted to ask about an applicant’s salary history but cannot rely on that information.
Over the past two years, numerous states and cities have enacted legislation prohibiting employers from inquiring about the salary histories of applicants for employment. The stated goal of these statutes is to combat systematic disparities in pay among employees of different genders, races and ethnicities, on the theory that pay inequities are perpetuated when current salary is based on salary history. In January 2017, Philadelphia became the first city in the nation to adopt a “salary history” ban. In addition to Philadelphia, similar bans have been enacted by California, Delaware, Massachusetts, New York, Oregon, San Francisco and New York City. These laws, including the Philadelphia ordinance, generally prevent employers from asking prospective employees questions about wage history or requiring prospective employees to disclose wage history as a condition of employment, and they prohibit employers from relying on a prospective employee’s wage history in determining the wages of the employee.
As succinctly described by Judge Goldberg, Philadelphia’s salary ordinance contains two primary parts: an “Inquiry Provision” that “prohibits an employer from inquiring about a prospective employee’s wage history” and a “Reliance Provision” that “makes it illegal for an employer to rely on wage history ‘at any stage in the employment process’ to determine a salary for an employee.” The ordinance provides that violators of the law could be liable for up to $2,000 in punitive damages per violation and up to 90 days’ imprisonment for repeat offenders.
Constitutional Challenge and the Court’s Opinion
Before the ordinance’s effective date, the Philadelphia Chamber of Commerce sued the City of Philadelphia and the Philadelphia Commission on Human Relations, seeking a preliminary injunction prohibiting the implementation of the city’s salary ban ordinance on the grounds that it violated the First Amendment’s free speech clause. The court ruled on the validity of the Chamber of Commerce’s arguments in its April 30 opinion. The court easily concluded that the Inquiry Provision implicated speech because “it forbids employers from asking questions on a specific topic.” In determining whether the ban violated the First Amendment, Judge Goldberg ruled that an employer’s salary history question to a potential employee is a form of “commercial speech.” Although protected by the First Amendment, commercial speech (defined by the Supreme Court as “expression related solely to the economic interests of the speaker and its audience”) is entitled to less protection than other types of speech, and courts typically apply a lower level of scrutiny to governmental limits on commercial speech. While the court found that the city “has a substantial interest in promoting wage equity and reducing discriminatory wage disparities,” and that a gender pay disparity does exist, the court noted that there is scant evidence that prohibiting employers from asking applicants about their wage history would actually do anything to reduce the wage disparity. 
According to the court, none of the testimony before the Philadelphia City Council “addressed why asking about wage history necessarily results in the perpetuation of an initial discriminatory wage” and no witness before City Council “cited to evidence that prior wage history inquiry contributes to a discriminatory wage gap.” Judge Goldberg ruled that, even under the relaxed “commercial speech” standard, there is “insufficient evidence to establish the alleged harm of discriminatory wages being perpetuated in subsequent wages such that they contribute to a discriminatory wage gap.” With regard to the Reliance Provision, however, the court determined that it does not implicate First Amendment concerns because it does not address “speech.” Rather, it addresses employers’ reliance on wage history.
Implications for Employers
It is likely that one or both of the parties will appeal Judge Goldberg’s ruling to the Third Circuit Court of Appeals, and it is even possible that this case eventually will make its way to the U.S. Supreme Court. In the meantime, even though Philadelphia employers are free to ask applicants about their salary history, we recommend that they strongly consider eliminating questions about salary history from their job application process. Since the part of the ordinance prohibiting employers from considering salary history at any point of the employment process still stands, employers that have obtained salary history will have a difficult time “unringing the bell” and defending a claim that, although they asked an applicant about his or her salary history, they did not consider that history during the job application process. Regardless of whether employers obtain salary history information, they will have to prove that any wage disparities between employees in differ
Ninth Circuit Unanimously Holds: Prior Salary Doesn’t Justify Wage Gap Under Equal Pay Act
In Rizo v. Yovino, 2018 U.S. App. LEXIS 8882 (9th Cir. April 9, 2018), the full court unanimously held that prior salary—whether alone or in combination with other factors—cannot justify a wage differential under the Equal Pay Act (EPA). This new opinion is contrary to the Ninth Circuit’s panel decision in the same case last year and overrules a long-standing precedent on this issue. In Rizo, the Fresno County employer paid a female math consultant (Rizo) less than her male counterparts. The pay differential was due to the county’s standard operating procedure for setting new hire compensation, which: (a) set the starting rate for new hires at an amount equal to their prior salary plus 5 percent and; (b) then placed each employee into a salary schedule (that would govern salary increases moving forward) based on that starting rate. Rizo sued, alleging unlawful discrimination and violation of the EPA, a federal statute that prohibits employers from discriminating between employees on the basis of sex with respect to compensation. In defending against Rizo’s EPA claim, the county argued the salary differential was lawful because it was based on prior salary—not sex. The question before the court was therefore: “Can an employer justify a wage differential between male and female employees by relying on prior salary?” This time, the Ninth Circuit answered with a definitive “no.” The court reasoned that employers should not be permitted “to capitalize on the persistence of the wage gap and perpetuate the gap ad infinitum…” and rejected the employer’s argument that consideration of prior salary fits within the Equal Pay Act’s four narrow affirmative defenses. The Rizo court limited the EPA’s “factor other than sex” defense to job-related factors such as experience, educational background, ability and prior job performance. In doing so, it explicitly overruled its 1982 decision in Kouba v. Allstate Insurance Co. 
Kouba held that using prior salary to set compensation was defensible under the EPA because the EPA permits employers to use any “factor other than sex” in setting pay—and prior salary is a “factor other than sex.” In other words, prior to Rizo, employers in the Ninth Circuit could use prior salary information as a legitimate business reason justifying wage differentials. Following Rizo, employers, especially those within the Ninth Circuit—Alaska, Arizona, California, Hawaii, Idaho, Montana, Nevada, Oregon, and Washington—should conduct a compensation audit of their pay policies so as to eliminate any systemic considerations of improper factors, identify any wage differentials between male and female employees in which they are performing the same work, and determine whether corrections need to be made.
The Spokeo Chronicles: FCRA Pre-Adverse Action Claim Dismissed for Failure to Plead Injury-in-Fact
On April 23, 2018, the U.S. District Court for the Northern District of Illinois in Ratliff v. Celadon Trucking Servs., 1:17-cv-07163, dismissed a putative class action lawsuit alleging a violation of the pre-adverse action notice requirements in section 1681b(b)(3) of the Fair Credit Reporting Act (“FCRA”). Ratliff is significant in the body of background check precedent because it is a part of an emerging trend of § 1681b(b)(3) claims (as opposed to the more commonly challenged § 1681b(b)(2) Disclosure claims) challenged and dismissed for lack of Article III standing. In the opinion, Judge Manish S. Shah found plaintiff Ratliff could not show that he suffered an injury-in-fact after defendant Celadon allegedly did not properly provide him with an FCRA mandated notice before declining his employment due to the results of his criminal background check. Ratliff applied for a truck driver position with Celadon by submitting an application and electronically signing disclosure and release consent forms. Then, a recruiter at Celadon processed Ratliff’s application and initiated a request to obtain his background report from a credit reporting agency. Based on information obtained in the background report, Celadon decided not to hire Ratliff. But, Celadon allegedly did not follow the pre-adverse action notice requirements mandated by the statute. Ratliff asserted that Celadon willfully violated section b(b)(3) of the FCRA by failing to give him an opportunity to contest the results of his background check, which caused him an informational injury. Celadon moved to dismiss for lack of standing, arguing that the complaint did not allege that the report Celadon used contained harmful inaccuracies that he was unable to correct. 
The Court concluded Ratliff did not have Article III standing because his alleged injury “does not satisfy Article III’s injury-in-fact requirement.” In more detail, the Court explained: Congress designed the procedures in § 1681b(b)(3)(B) and other sections of the FCRA to prevent the dissemination of false consumer information. See Spokeo, 136 S.Ct. at 1550. Had Ratliff, for example, alleged that defendants’ violation of the FCRA prevented him from correcting misinformation in the report regarding his driving record, which affected defendants’ decision not to hire him, then this case would be analogous to Akins and Public Citizen because it would describe a concrete harm that the statute sought to prevent. Absent those or related allegations, Akins and Public Citizen do not support Ratliff’s assertion of an injury in fact. But for the procedural violation, Ratliff would not have a claim against defendants. Indeed, it is possible that the information in Ratliff’s report that motivated defendants’ hiring decision was accurate and that even if defendants had timely notified Ratliff of the report, defendants still would not have hired Ratliff. In that scenario, there would be no injury—abstract or concrete. “Congress’ judgment that there should be a legal remedy for the violation of a statute does not mean each statutory violation creates an Article III injury.” Meyers v. Nicolet Rest. of De Pere, LLC, 843 F.3d 724, 727 (7th Cir. 2016) (citing Diedrich v. Ocwen Loan Serv., LLC, 839 F.3d 583, 590–91 (7th Cir. 2016)). Defendants’ violation here is divorced from any concrete harm that the FCRA intended to prevent. Ratliff’s informational injury allegations do not satisfy Article III’s injury-in-fact requirement. 
Because the number of FCRA class actions alleging violations of the pre-adverse action notice requirements has steadily increased over the last several years, Ratliff is a valuable reminder that a defendant can have success in attacking pre-adverse action claims on standing grounds.
Google Privacy Case
The Supreme Court agreed to hear a Google privacy case addressing the fairness of an $8.5 million settlement in which consumers did not receive compensation (Reuters)
Seattle Sued Over Law Banning Landlords From Conducting Criminal Background Checks
In August 2017, Seattle made it illegal for landlords to decline potential tenants because of their criminal history, or even to perform a criminal background check on people looking to rent their property. Now a collection of landlords is suing, claiming the so-called Fair Chance Housing Ordinance is unconstitutional. On Tuesday, the Pacific Legal Foundation (PLF), a public interest law firm, filed suit on behalf of several small-time landlords who are concerned about the financial and personal safety risks of being unable to screen tenants for past wrongdoing. The PLF’s complaint claims that the Seattle law violates landlords’ due process rights under the 14th Amendment by imposing an “unreasonable, overbroad, and unduly burdensome” regulation. The complaint also says the law runs afoul of the First Amendment by denying landlords access to publicly available records.
Maryland Enacts New Legislation
On May 8th, Maryland enacted H.B. 848, which implements provisions related to security freezes and consumer reporting agencies (CRAs). Specifically, the legislation:
- Requires CRAs to register annually and file a bond or irrevocable letter of credit with the Commissioner of Financial Regulation, unless granted an exemption, among other licensing provisions;
- Requires CRAs to create a web portal for consumers to place, lift, and remove security freezes and expands the definition of “protected persons” to include persons at least 85 years old, servicemembers, and individuals in a state correctional facility;
- Provides the Commissioner of Financial Regulation with additional authority to conduct investigations and take depositions and increases the penalties that the Commissioner may collect for violations.
Also see Montserrat Miller’s blog at: https://www.agg.com/SnapshotFiles/eb6efed9-5fe1-4e0a-b3f7-2ffe086df941/Subscriber.snapshot?clid=38228e40-b0c7-4635-9a36-4098035f6480&cid=d8ce77a3-d1a5-495d-b9e4-34ab0bfbc3b3&ce=bHNHiAllz%2fdBLBZCH0FgsItyaoQ5RmUsSrUaOQut2Z8%3d
Vermont Becomes First State to Regulate Data Brokers
Data brokers that sell personal information about residents of Vermont must register with the state, under a new law regulating the industry. The law (H-764)—which is the first state measure regulating data brokers—was enacted last week without the governor’s signature. In addition to the registration provision, the bill requires data brokers to notify people about security breaches, and to disclose whether they allow consumers to opt out of having their information collected, stored or sold. The measure also prohibits data brokers from charging customers to place a freeze on their accounts. “While data brokers offer many benefits, there are also risks associated with the widespread aggregation and sale of data about consumers, including risks related to consumers’ ability to know and control information held and sold about them and risks arising from the unauthorized or harmful acquisition and use of consumer information,” the law states.
The bill’s broad definition of data broker includes companies that “aggregate and sell the personal information of consumers with whom they do not have a direct relationship.” Companies that collect information firsthand—including retailers, social media sites and search engines—aren’t covered by the measure. “There are important differences between ‘data brokers’ and businesses with whom consumers have a direct relationship,” the bill states. “Consumers who have a direct relationship with traditional and e-commerce businesses may have some level of knowledge about and control over the collection of data by those businesses…By contrast, consumers may not be aware that data brokers exist, who the companies are, or what information they collect, and may not be aware of available recourse.” Ad industry groups, data brokers and Silicon Valley opposed the measure. The Association of National Advertisers recently said the measure “has an overly broad definition of ‘personal information,’” among other concerns. The type of personal information covered by the bill includes names, birthdates, addresses, biometric data (like fingerprints or retina scans), Social Security numbers and “other information that, alone or in combination with the other information sold or licensed, would allow a reasonable person to identify the consumer with reasonable certainty.” The definition excludes “publicly available information to the extent that it is related to a consumer’s business or profession.” “The definition of ‘brokered personal information’ includes innocuous, lone data elements, such as: name, names of relatives, and place of birth. Much of this information is already publicly available and would not pose a risk of harm to consumers if breached,” the groups wrote to Scott last week. The ANA and others also objected to defining personal information as information that can be combined with other data to piece together people’s identities.
“While almost any piece of data could be linked to a consumer, it is appropriate to consider whether such a link is practical or likely in light of current technology,” they wrote.
Another Change to Massachusetts’ Ban-the-Box Law
Effective October 13, 2018, Massachusetts employers will no longer be permitted to inquire about certain misdemeanor convictions and sealed or expunged records for employment purposes. Almost ten years ago, Massachusetts became the second state, following Hawaii, to enact a “ban-the-box” law, so called because such laws require employers to remove from job applications any question that asks a job applicant to self-disclose their criminal history. Instead, employers must wait until later in the hiring process to do so, unless the employer is prohibited by law from employing criminal offenders in the position at issue. Since that time, the ban-the-box wave has spread across the nation, with laws most recently enacted in Washington and California. In addition to the ban-the-box law, Massachusetts’ anti-discrimination law also contained provisions that restricted “what” employers may inquire about, including:
- Any arrest, detention or disposition that did not result in a conviction;
- A first offense for the following misdemeanors: disturbance of the peace; drunkenness; simple assault; affray; minor traffic violations; and speeding; and
- Any misdemeanor conviction where the date of the conviction, or the completion of any period of incarceration resulting from the conviction, occurred more than five years prior to the date of the employment application, unless the person was convicted of any crime during that same five-year period.
On April 13, 2018, Governor Charlie Baker signed a criminal justice reform bill, which changed existing law in several respects. Importantly, the amendment reduced the five-year period for inquiring about misdemeanors to three years, which means that employers now may not ask about (whether orally or in writing) any misdemeanor conviction where the date of the conviction, or the completion of any period of incarceration resulting from the conviction, occurred more than three years prior to the date of the employment application, unless the person was convicted of another crime within the three years preceding the inquiry. Moreover, in addition to being prohibited from asking about sealed records, employers may not ask about a criminal record that has been expunged. In addition, any form used by an employer that seeks information about an applicant’s criminal history must include the following statement about expunged records, in addition to the statement already required concerning sealed records:
“An applicant for employment with a record expunged pursuant to section 100F, section 100G, section 100H or section 100K of chapter 276 of the General Laws may answer ‘no record’ with respect to an inquiry herein relative to prior arrests, criminal court appearances or convictions. An applicant for employment with a record expunged pursuant to section 100F, section 100G, section 100H or section 100K of chapter 276 of the General Laws may answer ‘no record’ to an inquiry herein relative to prior arrests, criminal court appearances, juvenile court appearances, adjudications or convictions.” In addition, the criminal justice reform bill lowers the number of years before an individual can seek to have a criminal record sealed or expunged. Ultimately, this means that employers will have less access to criminal history information in making employment decisions. In response to employers’ concerns about being held liable for negligent hiring or retention based on criminal history to which they no longer had access, the legislature included a provision in the bill that incorporates presumptions based on employers’ more limited access to such information. Employers will be presumed not to have notice (or the ability to know) about (i) records that have been sealed or expunged, (ii) records about which employers may not inquire under the anti-discrimination law, or (iii) crimes that the Massachusetts Department of Criminal Justice Information Services cannot lawfully disclose to an employer.
Ban the Box Set to Begin in Kansas City, Missouri on June 9
In 2013, Kansas City, Missouri adopted an ordinance that eliminated any obligation of applicants for City positions to disclose criminal history and that required the City Manager to remove such questions from applications. That ordinance concluded by urging (but not requiring) “private employers to adopt fair hiring practices that encourage the rehabilitation of people with criminal records.” Hundreds of cities, including Kansas City, Kansas and St. Louis, Missouri, and more than 30 states have adopted similar restrictions for public employers. On February 1, 2018, Kansas City, Missouri went one step further and passed Ordinance No. 180034, which places employment restrictions on private employers’ locations in the City. This makes it the second city in Missouri (after Columbia in 2014) to “Ban the Box,” in which an applicant who had prior convictions was required to check the “box” in question. Eleven states, including Illinois, have similar limits on private employers. Effective June 9, 2018, employers with locations in Kansas City may not inquire about an applicant’s criminal history until after it has been determined that the individual is qualified for the position, and only after the applicant has been interviewed. At that point, an employer may screen “all applicants who are within the final selection pool of candidates.” The ordinance applies to private employers that employ six or more employees, though it excludes local, state, and federal governmental entities. 
Additionally, employers may not base “hiring or promotional decisions” on criminal history, unless the employer can demonstrate that the decision was based on “all information available including consideration of the frequency, recentness, and severity of a criminal record and that the record was reasonably related to the duties and responsibilities of the position.” As a result, other than positions “where employers are required to exclude applicants with certain criminal convictions from employment due to local, state or federal law or regulation,” employers cannot maintain a policy that automatically rejects an applicant based upon criminal history. Allegations of violations of the ordinance may be filed with the Kansas City Human Relations Department. Should probable cause of discrimination be found, a “conciliation” process would be initiated, aimed at removing current and future discriminatory practices. Should this fail, a hearing would follow, and employers could be liable for back pay and reinstatement, fines of up to $500.00, and possible imprisonment. Additionally, a business could have its license suspended for up to 30 days, with permanent revocation for three or more violations within a five-year period.
Wilmington, NC Approves “Ban the Box” Law for City Employees
On May 1, the city council of Wilmington, North Carolina unanimously approved a new “ban the box” ordinance for city employees. The ordinance mandates that candidates for employment will not be asked about their criminal history nor have a criminal background check conducted until a decision has been made to offer the candidate employment. According to Wilmington officials, the new ordinance will ensure people with criminal arrest or conviction records will not be unduly denied employment or discouraged from being employed by the city. The ordinance also enacted seven-year lookback periods on misdemeanor assault, all sexual offenses, homicide, and financial crimes as automatic disqualifiers. It also added language allowing applicants to provide evidence of mitigation of any misdemeanor or felony (other than sexual) that has been fully disposed of for more than seven years to proceed in the application process. Wilmington is now one of more than 150 cities and counties in the United States to enact a “ban the box” ordinance.
York City Council (PA) Adopts Fair Chance Hiring Policy
York City Council adopted a new hiring policy Wednesday. The goal is to give people who have served their time an equal opportunity to get jobs. Council president Henry Nixon says some positions, like seasonal jobs in landscaping, don’t require background checks. “A good example would be somebody that was caught with a small amount of marijuana in college,” he said. “Yes, they do have a record. That does not necessarily preclude someone from almost any position in city government.” Other jobs, like those involving security, would still involve background checks. The council president says it will be up to human resources to decide which criminal histories can affect which jobs. “If you work in the finance department and you have embezzled money, then obviously we’re going to find that out,” Nixon said.
While the policy only applies to city jobs, the council says it encourages all businesses in York to ban the box, too. The mayor still has to sign the ordinance. If he does, it would go into effect in 20 days.
Medical Marijuana in the Ohio Workplace: Are Zero Tolerance Drug Policies Going Up In Smoke?
The Ohio medical marijuana law is set to be fully operational in September 2018. Ohio employers may soon face scenarios like this one: Employee Jane Doe is a shipping/receiving clerk. The Company depends upon her work to be timely, accurate and efficient. Jane also suffers from post-traumatic stress and has just obtained a medical marijuana user license as part of her treatment. She is selected for a random drug test, and tests positive for marijuana. But, she has a legal right under Ohio law to possess and use marijuana for her medical condition. Must the employer accommodate her usage as you would a disability under state and federal law? Must the employer tolerate Jane being under the influence in the workplace? Must the employer make an exception to its zero-tolerance drug and alcohol policy?
Unlike other states with medical marijuana laws, Ohio’s law does have some clear rules in this case. Under Ohio law, nothing prevents an employer in Ohio from “establishing and enforcing” a zero-tolerance policy to employees with medical marijuana licenses. An employee may be disciplined or terminated upon testing positive for medical marijuana in the workplace. Unlike some states, Ohio law doesn’t distinguish between those in safety sensitive positions and those who are not. Nor does the law distinguish between those who exhibit outward signs of impairment, and those who don’t. Zero tolerance can really mean zero tolerance. But the Ohio law seems to go even further than that. Ohio’s law expressly permits an employer to refuse to hire or terminate an employee who possesses a license, solely because they possess a license—whether or not they have ever had marijuana in their system while at work. Even more, the law seems to allow similar action against someone who merely possesses a “caregiver” license. That means someone who has the legal right merely to possess (but not use) limited quantities in connection with the care of another. A caregiver may apparently be fired from their job for that reason alone. The law permits this action even if the caregiver has never brought the substance into the workplace. The Ohio law also provides a kind of legal immunity to employers who take adverse action on account of medical marijuana. Ohio employers will have to decide how far to enforce their anti-drug policies in light of this new reality. It may be that some will choose to treat medical marijuana like they currently treat prescription medication with potential mind-altering properties. Perhaps, some will choose to limit their prohibitions to medical marijuana users in sensitive positions. In the end, the law seems designed to give employers the widest possible discretion.
Georgia Targets Elder Abuse with Tough New Long-Term Care Background Check Law
A new Georgia law will require nursing home and other long-term care workers to submit to extensive background checks. The “Georgia Long-Term Care Background Check Program” will take effect on October 1, 2019. Georgia joins the majority of other states mandating enhanced satisfactory background check for care workers. The new law, signed by Governor Nathan Deal on May 7, 2018, is intended to promote public safety for a growing and vulnerable aging population. Reports of elder abuse have been on the rise in recent years as the elderly population grows. Investigations into abuse of elders and adults with disabilities by the Georgia Bureau of Investigation have increased 145 percent in the last five years, according to the agency. The new law, codified at O.C.G.A. Section 31-7-150, et seq., will require care workers with “direct access” to seniors in long-term care facilities to pass a national background check. A new fingerprinting requirement is expected to go into effect in January 2021, allowing employers time to conduct more extensive background checks on current employees. The new law applies to owners, applicants for employment, and employees providing care or owning a personal care home, assisted living community, private home care provider, home health agency, hospice care, nursing home, skilled nursing facility, or adult day-care. Currently, Georgia caretakers must only submit to a name-based background check that is limited to crimes committed in Georgia. This offers limited protection at best; information about an individual from another state with a criminal history or who is using an assumed name would not be uncovered. The enhanced background check requirement would more comprehensively incorporate reviews of the FBI database, state and national databases of criminal records, the nurse aide registry, and state sexual offender and other registries.
Under the new law, “direct access” means having, or expecting to have, duties that involve routine personal contact with a patient, resident, or client. Direct access includes face-to-face contact, hands-on physical assistance, verbal cuing, reminding, standing by or monitoring activities that require the person to be routinely alone with the patient’s, resident’s, or client’s property or access to such property or financial information, such as the patient’s, resident’s, or client’s checkbook, debit and credit cards, resident trust funds, banking records, stock accounts, or brokerage accounts.
Further, “employee” is defined as any individual who has direct access and who is hired by a facility through employment, or through a contract with such facility, including, but not limited to, housekeepers, maintenance personnel, dieticians, and any volunteer who has duties that are equivalent to the duties of an employee providing such services. Expressly excluded from this definition are physicians, dentists, nurses, and pharmacists who are licensed by the state. Also excluded from the mandatory background check are individuals who contract with a facility, personally or through a company, to provide utility, construction, communications, accounting, quality assurance, human resource management, information technology, legal, or other services that are not directly related to providing services to a patient, resident or client of the facility. Families (i.e., a spouse, parent, sibling, or grandparent) and guardians of elderly persons (age 65+) seeking personal care services will have the same access to a central state caregiver registry for care-worker employment determinations as licensed facilities. Penalties for violations can range from monetary penalties to license revocation. Failure to comply with the new law subjects the facility to liability for civil monetary penalties of $500 for each day that a violation occurs (up to $10,000).
The exposure for a facility begins from the time the facility knew or should have known that it employed an individual with a criminal record until the date such an individual’s employment is terminated.
Covered Georgia employers in the care-taking industry should comply with the new law and ensure that:
- Each application form provided by a covered facility to an applicant conspicuously state: “FOR THIS TYPE OF EMPLOYMENT, STATE LAW REQUIRES A NATIONAL AND STATE BACKGROUND CHECK AS A CONDITION OF EMPLOYMENT”; and
- Personnel records for covered entities include evidence of each employee’s satisfactory determination, registry check, and licensure check, as applicable.
Vermont Enacts Salary History Inquiry Law
Vermont has become the latest jurisdiction to enact a law that will prohibit employers from inquiring about, seeking, or requiring salary history information from prospective employees. The law will take effect on July 1, 2018. Under the law, employers and their agents will be prohibited from:
- inquiring about or seeking information regarding a prospective employee’s current or past compensation from either the prospective employee or his or her current or former employer;
- requiring that a prospective employee’s current or past compensation satisfy minimum or maximum criteria; and
- determining whether to interview a prospective employee based on his or her current or past compensation.
If, however, a prospective employee voluntarily discloses information about his or her current or past compensation, an employer may, after making an offer of employment with compensation to the prospective employee, seek to confirm (or request that the prospective employee confirm) the compensation information provided.
The law further provides that employers may inquire about a prospective employee’s salary expectations or requirements and/or provide information to the candidate about the compensation and benefits offered in relation to the position in question.
For purposes of the law, “compensation” is defined broadly to include “wages, salary, bonuses, benefits, fringe benefits, and equity-based compensation.”
Maryland Employers Must Prepare for New Sexual Harassment Disclosure Obligations
With momentum from the #MeToo movement, the Maryland General Assembly overwhelmingly passed the Disclosing Sexual Harassment in the Workplace Act of 2018, which was signed into law by the Governor on May 15, 2018. The law, which will go into effect on October 1, 2018, will affect employers by prohibiting certain terms in employment agreements and by imposing reporting requirements for sexual harassment allegations. First, the bill prohibits employers from asking employees to waive any substantive or procedural rights in an employment agreement stemming from sexual harassment or retaliation claims that arise during their employment. Employers are further prohibited from taking any adverse action against an employee who refuses to sign an agreement that contains any of the above limitations on their rights and remedies for sexual harassment claims. Employers who attempt to enforce the prohibited types of terms and conditions in an employment agreement can be required to pay the employee’s attorney’s fees and costs. Second, and of more significance, the bill imposes a reporting requirement to the Maryland Commission on Civil Rights of an employer’s history of sexual harassment claims. Specifically, employers with 50 employees or more must report to the Commission on:
- The number of settlements the employer has made after an allegation of sexual harassment by an employee;
- The number of times the employer has paid a settlement to resolve a sexual harassment allegation against the same employee over the past 10 years of employment; and
- The number of settlements made after an allegation of sexual harassment that included a provision requiring the parties to keep the terms of the settlement confidential.
The Commission will conduct these surveys twice: in December 2020 and again in December 2022. The Commission will make the information gathered from the surveys publicly available but will keep private the names of the employees. The survey portion of the law contains a sunset provision, meaning there will be no additional surveys after 2022 unless ordered by a new law.
Maryland and Georgia Prohibit Security Freeze Fees
On May 15, the Maryland governor signed SB 202, which prohibits consumer reporting agencies from charging consumers, or protected consumers’ representatives, a fee for the placement, removal, or temporary lift of a security freeze. Previously, Maryland allowed for a fee, in most circumstances, of up to $5.00 for each placement, temporary lift, or removal. The law takes effect October 1.
On May 3, the Georgia governor signed SB 376, which amends Georgia law to prohibit consumer reporting agencies from charging a fee for placing or removing a security freeze on a consumer’s account. Previously, Georgia law allowed for a fee of no more than $3.00 for each security freeze placement, removal, or temporary lift, unless the consumer was a victim of identity theft or over 65 years old. Under SB 376, consumer reporting agencies may not charge a fee to any consumer at any time for the placement or removal of a security freeze. This law takes effect July 1.
Connecticut’s New Pay Equity Bill Prohibits Questions Regarding Prospective Employees’ Wage and Salary History
Connecticut Governor Dannel P. Malloy signed Public Act No. 18-8, “An Act Concerning Pay Equity,” into law on May 22, 2018, making Connecticut the sixth state to prohibit employers from asking applicants about salary history. California, Delaware, Massachusetts, Oregon and Vermont had previously adopted similar bans. The new Connecticut law will permit applicants to file lawsuits for damages and other remedies. The new law is intended to help remedy the pay gap between men and women. “Income inequity is perpetuated by the practice of asking for salary history before an offer is made, which can disproportionately assure that women are underpaid at their first job and continue to be underpaid throughout their careers, creating a cycle of poverty,” Malloy said. Effective January 1, 2019, Connecticut will afford job applicants these new protections:
- Prospective employees may not be asked about past wages and compensation histories at any point during the hiring process, although they may choose to volunteer such information.
- Prospective employees may be asked generally whether the previous employer had stock options or other equity incentives but may not be asked to specify the value of such benefits.
These protections for applicants will be codified in the Connecticut General Statutes with protections about salary information that the state already provides to employees. Under the existing law it is unlawful for a Connecticut employer:
- To prohibit an employee from inquiring about the wages of another employee.
- To prohibit employees from voluntarily discussing their wages with other employees.
- To require employees to sign a waiver that denies them the right to voluntarily disclose the amount of their wages or the wages of another employee.
- To require employees to sign a waiver (or other document) that denies them their right to inquire about the wages of another employee.
- To discharge, discipline, discriminate, retaliate or otherwise penalize employees who disclose the amount of their wages to another employee.
- To discharge, discipline, discriminate, retaliate or otherwise penalize employees who inquire about the wages of another employee (neither the employee nor the employer is required to disclose the amount of wages paid to any employee).
Private Right of Action
The new act will add prospective employees to those who are entitled to sue employers who violate any of these legal protections. Employees and prospective employees (whether hired or not) will be authorized to sue within two years after any alleged violation of prohibitions about salary information and salary history. Employers found liable for violations may be required to pay compensatory damages, attorney’s fees and costs and punitive damages, and may also be subject to other legal and equitable relief that the court determines to be just and proper.
Takeaways for Employers
Although the Act might still be subject to legal challenge, employers should begin preparing to comply with it as of January 1. Preparations may include reviewing application materials (online and hard copy) and onboarding practices, and training hiring managers and anyone who conducts interviews on their obligations under the new law.
Bill 113, Police Record Checks Reform Act, 2015 will change the way criminal record checks are delivered in Ontario, Canada
Be advised that effective November 1, 2018, Bill 113, Police Record Checks Reform Act, 2015 will change the way criminal record checks are delivered in Ontario, Canada. The text of the bill and the regulations can be found at https://www.ontario.ca/laws/statute/15p30. Note that there are some exemptions, which may impact some end users. Significantly, the Act requires a second consent be obtained from an applicant before a criminal record result is provided about them to an end user. Consent is still required before a record check can be run and with this change, a second consent must be obtained before the results of the background check can be given to the end user/client. This Act is being interpreted to apply broadly including background screeners located in Ontario, as well as background screens that use a police service delivering records in Ontario and background screens of any applicant whose report includes a criminal records check in Ontario. Simply, if you operate in Ontario or screen for clients in Ontario your business is impacted by these changes. Given that Ontario is the most populous province, contains the most police service partners and most of our end users, the applicability of this Act is widespread. It is imperative that all members understand and comply with these guidelines as failure to do so may have a detrimental effect on our industry overall and could potentially significantly jeopardize our collective access to criminal records products. Additionally, we may see other provinces also follow this approach. Given that the writ has now been dropped, we are in a caretaking mode for the next six weeks until the election is complete. At that time, we will reengage with the Ministry of the day and continue to work to impact the implementation timelines and requirements for our industry. We will also work to make connections with the Conservative Party, who are recently favored to form the new government.
There is an appetite to accelerate implementation because of the negative media attention on the release of non-conviction and other noncriminal information; however, we have sought and will continue to seek a delayed implementation to allow time for impacted entities to come into compliance. This, however, does not look promising. Since many processes for conducting these checks are highly automated, the need to update and develop technology will be great and that takes time. We urge you to prepare for the November transition. The Ministry has committed to follow-up communication regarding implementation direction and monitoring the impact of implementation.
Privacy Activist Claims Google and Facebook Violated GDPR
On May 25th, privacy activist Max Schrems filed a lawsuit against Google and Facebook for allegedly violating the EU’s General Data Protection Regulation. The lawsuit alleges that the companies coerced users into accepting their data collection policies. Three complaints worth €3.9 billion were filed with regulators in Austria, Belgium, and Hamburg against Facebook and its subsidiaries WhatsApp and Instagram. Another complaint was filed against Google.