CFPB And FTC Put Landlords On Notice Regarding Tenants’ Pandemic Protections
On May 3, 2021, Consumer Financial Protection Bureau’s (CFPB) Acting Director Dave Uejio and the Federal Trade Commission’s (FTC) Acting Chairwoman Rebecca Slaughter sent notification letters to the country’s largest landlords reminding them of the federal protections designed to prevent residential evictions during the pandemic. These include the Centers for Disease Control and Prevention (CDC) extension of its eviction moratorium until June 30, 2021 (see our separate alert here on the current status of the moratorium), and the CFPB’s interim final rule in support of the CDC moratorium establishing new notice requirements under the Fair Debt Collection Practices Act (FDCPA).
The CDC eviction moratorium generally prohibits landlords from evicting tenants for non-payment of rent if the tenant submits a written declaration that he or she cannot afford full rent payments and would likely become homeless or need to move into a shared living setting if evicted, increasing their vulnerability to COVID-19. This prohibition applies to residential landlords, as well as their agents or attorneys acting on their behalf.
The CFPB interim final rule (86 Fed. Reg. 21,163 (April 22, 2021)), which took effect on May 3, 2021, requires debt collectors to provide tenants who may have rights under the CDC moratorium with “clear and conspicuous” written notice of these rights and prohibits debt collectors from misrepresenting tenants’ ineligibility for protection from eviction under the CDC’s moratorium. The notice must be provided on the same date as the eviction notice, or, if no eviction notice is required by law, on the date that the eviction action is filed. If a landlord does not provide the required notice, the FDCPA provides a private right of action against debt collectors, and violators can be liable for actual and statutory damages, and attorney’s fees. On March 29, 2021 Acting Director Uejio and Acting Chairwoman Slaughter issued a joint statement aimed to stop illegal evictions (as discussed in our prior alert).
The CFPB and FTC’s May 3, 2021 notification letters ask landlords to ensure their practices comply with the CDC moratorium and the FTC Act. The letters also encourage landlords to notify FDCPA-covered debt collectors working on their behalf, which may include attorneys, of the CDC moratorium, other state and/or local moratoria, and the parties’ obligations under the FTC Act and FDCPA, which includes the CFPB’s final rule. Acting Director Uejio noted “Landlords should ensure that FDCPA-covered debt collectors working on their behalf, which may include attorneys, notify tenants of their rights under federal law…[and the CFPB] will hold accountable debt collectors who move forward with illegal evictions.”
Landlords of residential properties, debt collectors, and attorneys acting on their behalf, should take steps to address this guidance. Landlords and debt collectors should also consider carefully monitoring customer communications for concerns related to residential evictions
Federal Judge Strikes Down CDC’s Eviction Moratorium
A federal judge for the District of Columbia issued a decision on May 5 striking down the Centers for Disease Control and Prevention’s (CDC) nationwide eviction moratorium. The order issued in a lawsuit brought by a coalition of property owners and realtors late last year, Alabama Association of Realtors, et al. v. United States Department Of Health And Human Services, et al., U.S. District Court, District of Columbia No. 1:20-cv-03377-DLF.
The CDC moratorium, now voided nationwide, went into effect on September 4, 2020 and, earlier this year, the CDC extended its expiration date to June 30, 2021. The CDC moratorium declared “a landlord, owner of a residential property, or other person with a legal right to pursue eviction or possessory action shall not evict any covered person.”
To qualify for protection under the moratorium, a tenant was required to submit a declaration to their landlord affirming, among other things, they (1) expect to earn less than $99,000 in annual income and (2) are “unable to pay the full rent or make a full housing payment due to substantial loss of household income, loss of compensable hours of work or wages, a lay-off, or extraordinary out-of-pocket medical expenses.”
As noted by the district court—unlike the Coronavirus Aid, Relief, and Economic Security Act (CARES Act), which applied only to certain federally backed rental properties—the CDC moratorium applied to all residential properties nationwide. Violators of the moratorium faced potential criminal penalties, including a fine of up to $250,000, one year in jail, or both, and a maximum fine of $500,000 for organizations.
The district court concluded the Public Health Service Act, 42 U.S.C. § 264(a), does not grant the CDC the legal authority to impose a nationwide eviction moratorium. The court explained that the first clause of section 264(a) grants the CDC, with approval of the Secretary of the Department of Health and Human Services (HHS), authority to make and enforce regulations to prevent the interstate or international spread of disease. But the court interpreted this authority as being tethered to, and narrowed by, the second clause authorizing the CDC to regulate “sources of dangerous infection to human beings.”
While multiple courts have previously opined on this question (with courts ruling on both sides of the issue), Judge Friedrich is the first judge to reject the federal government’s request to narrow the ruling to apply only to the litigation parties and made clear her order’s reach would be nationwide.
The same day as the district court’s decision, the CDC filed a notice of appeal to the United States Court of Appeals for the District of Columbia Circuit.
With the CDC announcing it will seek a stay of the ruling pending appeal, landlords should not perceive the ruling as immediately authorizing evictions against tenants who have submitted declarations pursuant to the CDC’s guidelines. Nor does the ruling impact new notice requirements under Fair Debt Collection Practices Act (FDCPA), to be addressed in our upcoming alert.
Gov. Newsom Announces Plan To Pay Rental Housing Providers 100% Of Rent Owed
On May 10, 2021, Gov. Newsom announced his intent to pay rental housing providers 100% of rent that’s gone unpaid because of COVID-19.
“This is certainly welcome news, and we applaud Gov. Newsom for his commitment to making rental housing providers whole,” said Tom Bannon, chief executive officer of CAA. “Many of our members have provided housing for more than a year without compensation. We thank the governor for understanding the difficulties that both tenants and rental property owners have endured during the pandemic.”
In a press conference this morning, Newsom announced that California will receive an additional $2.6 billion in rental assistance from the federal government. That brings California’s total federal rental aid to $5.2 billion.
Newsom also announced his plan to spend $2 billion from the state general fund to pay past-owed water and utility bills.
The governor said he intends to use the new funds to pay rental housing providers all rental arrears attributable to the pandemic, both retroactively and going forward.
Until now, the governor and legislators committed to paying landlords 80% of what they were owed by COVID-19 impacted renters, although this has only covered back rent owed between April 2020 and March 2021.
Under prior legislation, owners have been required to forgive 20% of the rent owed to qualify for the assistance. Now, it appears owners will receive the 20% owed as well.
“CAA looks forward to working with the governor and legislature to make the assistance in today’s announcement a reality and distribute the additional funds as quickly as possible,” Bannon said. “It’s also vital that we find dollars to help COVID-19 impacted renters who do not qualify for aid under the current state rental assistance program.”
New York Extends Moratorium On Residential And Small Business Evictions And Foreclosures
On May 4, 2021, New York Governor Andrew Cuomo signed into law a bill passed by the New York State legislature extending to August 31, 2021 the existing eviction moratorium for residential tenants and independently owned small businesses with 50 or less employees affected by the COVID-19 pandemic. The law also extends the temporary stay on foreclosures of properties owned by residential homeowners and small landlords.
The eviction and foreclosure protections afforded by both the COVID-19 Emergency Eviction and Foreclosure Prevention Act of 2020 (which was signed into law on December 28, 2020) (“Residential Moratorium Law”) and the COVID-19 Emergency Protect Our Small Businesses Act of 2021 (which was signed into law on March 9, 2021) (“Commercial Moratorium Law” and, collectively with the Residential Moratorium Law, the “Laws”) originally expired on May 1, 2021 and have now been extended to August 31, 2021 (with retroactive effect to the original expiration date). The Residential Moratorium Law is intended to protect families suffering from pandemic-related hardship from being evicted from or foreclosed out of their homes during the pandemic, which could exacerbate the current public health emergency. The Commercial Moratorium Law is meant to provide eviction and foreclosure protection for small businesses so they can survive the pandemic, which has caused a steep reduction in business and drop in revenues for most small businesses in New York. Some of the material features of the Laws include:
- a temporary stay on most residential and small business tenant evictions for at least 60 days, as long as the tenant submits a form declaring financial hardship and/or job loss because of the pandemic;
- a stay on foreclosures for residential homeowners and landlords with 10 or fewer units if they submit a hardship declaration form;
- a stay of eviction proceedings already in process; and
- a stay of the execution of judgements for up to 60 days and a prohibition on filing new eviction proceedings or foreclosure proceedings until the moratorium expires without providing the tenant or mortgagor an opportunity to submit a hardship declaration that will stay the proceedings.
Groups representing landlords are expected to continue to attempt to challenge the Laws. The Laws do not, however, (a) require forgiveness of rent or mortgage payments and (b) do not stay eviction actions against tenants who cause safety concerns or unreasonably infringe on other tenants’ use and enjoyment of a building. According to Governor Cuomo, the purpose of the extension of the Laws is to “help to ensure that vulnerable New Yorkers and business owners who are facing eviction through no fault of their own are able to keep their homes and businesses as we continue on the road to recovery and begin to build back our economy better than it was before.”
Appeals Court Sides With DC To Authorize The City’s Ban On Eviction Filings
Tenants scored a victory in the D.C. Court of Appeals on Thursday. The court issued a stay pending appeal of a trial court’s decision that D.C.’s ban on eviction filing is unconstitutional—meaning the trial court’s decision will not go into effect as the appeals court reviews the case, and landlords will still be barred from filing eviction cases so long as D.C.’s moratorium on evictions remains in place.
The ruling comes as the D.C. Council prepares to vote on an extension of the city’s public health emergency and consider Chairman Phil Mendelson’s proposed changes to the current eviction ban, which some tenant advocates say will limit protections against evictions.
D.C. landlords challenged the council’s moratorium on eviction filings last year, arguing that it violated their rights of access to the courts. Evictions would still be barred during the public health emergency, but the landlords fighting the city’s law wanted the ability to begin the legal process by filing writs of evictions in court.
The trial court ruled in favor of landlords last year, stating that the filing moratorium did violate the landlords’ right to court access. The D.C. Attorney General’s office then appealed the trial court’s decision, defending the city’s law and asking for stay pending appeal.
The appeals court’s ruling, issued Thursday, argues that the District made a “strong argument” that the filing moratorium didn’t restrict court access, and that there would be “irreparable harm” to tenants if the trial court’s ruling in favor of landlords was allowed to stand. Even though the trial court’s ruling didn’t allow landlords to evict their tenants, its decision could encourage a tenant to move anyway—out of fear, misunderstanding, or the knowledge that they can’t afford legal representation to fight the eviction, the appeals court ruled.
Meanwhile, Mendelson issued amendments on Thursday to the city’s eviction and utility moratoriums, which the council will consider next week when it convenes to vote on granting D.C Mayor Muriel Bowser the authority to extend the public health emergency through July 25. (The city’s moratorium and utility moratoriums are tied to the current public health emergency, which is set to end on May 20.)
Mendelson also wants to encourage tenants and landlords to enroll in the STAY DC program, a replacement for D.C.’s old COVID-19 Housing Assistance Program (CHAP), which helps renters and housing providers cover unpaid rental payments as well as utilities like water, gas, and electricity.
Per Mendelson’s proposal, a landlord could only file an eviction case after they had completed an application to receive funding from STAY DC to cover a tenant’s overdue rent. Then, a tenant would need to complete that application for STAY DC (or have a community organization complete it on their behalf) to receive the relief money, thus making an eviction unnecessary.
“The focus of these amendments is to protect low-income utility customers and renters, but encourage utilization of federal assistance,” reads Mendelson’s introduction of the measures. “The effect will be to increase utilization of the federal money—much of which will be taken back by the federal government if not obligated over the next four months. And, more importantly, the low-income households will come out of the pandemic with little or no debt to their landlords and the utility companies.”
While the appeals court ruling is a victory for tenants, Mellen is less thrilled about Mendelson’s proposal, given the technological barriers to tenants and the rollout of STAY DC so far. Mellen argues the website isn’t set up in a way that makes it easy for a landlord to initiate the STAY DC application process, and that for Mendelson’s proposal to work on behalf of tenants, the website would need an overhaul.
“It’s really important that the landlord application process works,” Mellen says. “The idea that we’re going to depend on this system for landlords to be able to apply and kind of protect tenants in that way, there’s a lot of concern from what we’re seeing so far.”
In its first 30 days, STAY DC has fielded over 10,000 applications, and Mellen says she is not aware of any payments being made to tenants. Only in the last few days did Legal Aid Society receive responses to the applications they filled out on behalf of tenants.
“It all needs to be fixed, we agree that these are the changes that need to be made,” Mellen says of shifting financial assistance opportunities to landlords. “The question is, are they going to be able to pivot, make these changes, and have it so landlords can do the applications and actually have the system work?”
Also of concern to Mellen is the possibility that Bowser may opt not to extend the public health emergency—and by extent, D.C.’s protections for renters—given her recent steps towards a full reopening and return to “normal.”
“She’s already talked about relaxing certain things in June. So what’s going to happen?” Mellen says.
The ruling in favor of tenants and Mendelson’s legislation changes come a little over a week after a federal judge threw out the Centers for Disease Control and Prevention’s eviction moratorium—the immediate impacts of which have yet to play out for local tenants. D.C. renters are protected under the city’s legislation, while Virginia requires landlords and tenants to work together to access rent relief before an eviction can proceed (much like Mendelson’s proposal). In Maryland, an executive order from Gov. Larry Hogan provides limited legal defense to residents facing eviction over missed rent during the pandemic.
Philadelphia Joins New York City And Nevada In Restricting Pre-Employment Marijuana Tests
On April 28, 2021, Philadelphia Mayor Jim Kenney signed Bill No. 200625 which, effective January 1, 2022, prohibits employers from requiring prospective employees to undergo testing for the presence of marijuana as a condition of employment. Currently, only New York City and Nevada have similar drug testing restrictions, but we expect this trend to continue. Nevada prohibits employers from taking adverse action against applicants who test positive for marijuana, with exceptions for, among other jobs, safety-sensitive positions and motor vehicle drivers who are subject to testing under state or federal law. New York City, with some similar exceptions, also bars employers from requiring applicants to submit to testing for marijuana.
There are exceptions to the new Philadelphia bill. Specifically, the prohibition does not apply to individuals applying to work in the following positions or professions:
- Police officer or other law enforcement positions;
- Any position requiring a commercial driver’s license;
- Any position requiring the supervision or care of children, medical patients, disabled or other vulnerable individuals;
- Any position in which the employee could significantly impact the health or safety of other employees or members of the public, as determined by the enforcement agency and set forth in regulations pursuant to the bill.
It also does not apply to drug testing required pursuant to:
- Any federal or state statute, regulation, or order that requires drug testing of prospective employees for purposes of safety or security;
- Any contract between the federal government and an employer or any grant of financial assistance from the federal government to an employer that requires drug testing of prospective employees as a condition of receiving the contract or grant; or
- Any applicants whose prospective employer is a party to a valid collective bargaining agreement that specifically addresses the pre-employment drug testing of such applicants.
The bill requires the agency tasked with enforcement responsibility to promulgate regulations for the implementation and administration of the new requirements.
In a time where marijuana legalization is rapidly expanding, all employers should reassess their workplace drug testing policies to be sure they are in compliance with existing and soon to be effective laws. This rapidly evolving legal landscape presents new challenges for employers, especially multi-state employers. Employers must balance complying with conflicting federal, state, and local laws, maintaining a safe work environment, and protecting applicants’ and employees’ privacy and other legal rights.
New York Amends Its Off-Duty Conduct Law To Account For Marijuana Use
New York’s off duty conduct law will now explicitly apply to an employee’s off-duty use of cannabis. The change in law came as a result of the recent passage of “The Marijuana Regulation and Taxation Act,” which generally legalized the sale and use of cannabis for individuals 21 and over, and presents real compliance challenges for employers, which we discuss further below.
New York’s Off Duty Conduct Law Prohibits Employers From Discriminating Against Employees for Their Lawful Off Duty Activities
As background, New York’s off duty conduct law (NY Labor Law §201-D) prohibits employers from discriminating against employees for engaging in certain lawful off-duty activities—including political activities, recreational activities and the legal use of consumable products—where those activities occur outside of working hours, off the employer’s premises, and without the use of the employer’s equipment or property. During the last election cycle, employers were mostly fixated on the “political activities” portion of the law, but with the legalization of cannabis, employers should also fix their sights on the recreational activities and legal consumable use provisions.
The off-duty conduct law provides some notable exceptions to its protections, including among others:
- Where the employee’s engagement in the lawful activity would create “a material conflict of interest related to the employer’s…business interest”;
- Where the employer believes that its actions were required by statute, regulation, ordinance or other government mandate;
- Where the employer believed its actions were permissible under an “an established substance abuse or alcohol program or workplace policy, professional contract or collective bargaining agreement.”
Where one of these exceptions applies, the employer can still refuse to hire or could terminate the individual on account of these otherwise lawful activities.
The law is generally enforced by the state attorney general, but an individual is permitted to commence an action “for equitable relief and damages.”
New York’s Off Duty Conduct Law Now Covers Cannabis Use
The prohibition against discrimination because of an individual’s legal use of consumable products or for an individual’s legal recreational activities now explicitly include “cannabis in accordance with state law.”
But the new law also adds a new provision (§4-a) to the “exceptions” provision, which states that employers do not violate the law where they take an “action related to the use of cannabis” based on the following:
- the employer’s actions were required by state or federal statute, regulation, ordinance, or other state or federal governmental mandate;
- the employee is impaired by the use of cannabis, meaning the employee manifests specific articulable symptoms while working that decrease or lessen the employee’s performance of the duties or tasks of the employee’s job position, or such specific articulable symptoms interfere with an employer’s obligation to provide a safe and healthy workplace, free from recognized hazards, as required by state and federal occupational safety and health law; or
- the employer’s actions would require such employer to commit any act that would cause the employer to be in violation of federal law or would result in the loss of a federal contract or federal funding.
These amendments are effective immediately.
Additional Thoughts and Next Steps for Employers
To be clear: the update to the law does nothing to prevent employers from implementing and administering drug-free workplace policies, which are still strongly recommended. But the administration of these policies just became more complicated given the wording of the amendments. An employer cannot discipline (e.g. terminate) an employee because they used cannabis before they started the workday but can do so if they are “impaired” by its use during working hours. Here, though, the law attempts to define “impairment” such that:
the employee manifests specific articulable symptoms while working that decrease or lessen the employee’s performance of the duties or tasks of the employee’s job position, or such specific articulable symptoms interfere with an employer’s obligation to provide a safe and healthy workplace, free from recognized hazards, as required by state and federal occupational safety and health law.
That’s a mouthful! And it begs for further clarification from the Department of Labor via regulations or other guidance (and, of course, will be subject to interpretation from the courts).
One can easily see the challenges it presents employers trying to assess impairment in real time and to ensure safety at their worksites at all times. And this becomes even more challenging as employers continue remote work arrangements and enter the world of the hybrid working environment—employers will have less visibility into their employee’s at-home performance, even though employers are still responsible for ensuring the safety conditions of remote work sites (such as homes).
Other clarifications are also needed:
- Will the law’s “material conflict” exception apply when an employer seeks to discipline an employee who uses cannabis while off-duty because such use runs contrary to their “business interests”? We could envision myriad scenarios where that exception may apply.
- Whether the cannabis-related amendments to the law conflict with the Federal Controlled Substance Act, which makes the use of cannabis illegal? Courts have been split on this issue to date.
- Will service providers other than employees be able to take advantage of the law’s protections? The law, and in particular, the amendments, appear to be aimed at protected employees only, but we will keep a watchful eye on whether the law will be interpreted more broadly.
Although some uncertainty remains around legal interpretations and application, we recommend that employers still take the following steps to come into compliance:
- Review existing relevant policies to determine whether and to what extent modifications are needed, including modifications to drug-free workplace policies; drug testing policies (particularly with respect to the standard for reasonable suspicious and the use of random drug testing); and medical marijuana reasonable accommodations. (This is also a good time to remind employers operating in NYC, that NYC law also prohibits them from engaging in pre-employment marijuana testing (unless an exception applies)).
- Consider the law’s impact on any collective bargaining agreement, including with respect to drug testing and unionized safety-sensitive positions.
- Assess whether such a policy or practice could violate applicable law or cost the employer a federal contract or funding. For example, certain Federal contractors who receive federal grants may be subject to the Drug Free Workplace Act, which, in general, requires such contractors to prohibit their employees providing services in connection with the grant from, among other things, using a controlled substance, such as marijuana, in the workplace.
- Assess the roles which the employer considers “safety sensitive”, and therefore would allow the employer to prohibit the employee’s impairment in any way while performing job duties. As part of this, employers should pay close attention to potential guidance from New York State on what it considers a safety-sensitive role.
- Clearly communicate the employer’s expectations to employees regarding drug use in the workplace, including who it considers occupying a safety-sensitive role and by providing guidelines around impairment.
- Train supervisors and managers to ensure the proper implementation of new or revised conduct policies and expectations regarding a safe workplace.
Florida Privacy Bill Fails To Pass Before End Of Legislative Session
Florida lawmakers failed to pass an expansive privacy law before the legislative session adjourned last Friday. As with the 2019, 2020, and 2021 versions of the Washington Privacy Act, the Florida bill stalled because of disagreement over the proper enforcement mechanism.
On April 21, the Florida House overwhelmingly passed House Bill 969, a comprehensive bill that would grant consumers a private right of action to sue businesses for privacy law violations. The Florida Senate, however, revised the bill to give exclusive enforcement authority to the Florida Attorney General. When the amended HB 969 went back to the Florida House, the House refused to concede the private right of action and the amended bill died in committee.
While Florida’s legislative session has adjourned, businesses should remain vigilant as Florida’s lawmakers may consider another expansive privacy bill in the near future.
California And Los Angeles County Issue Guidance For Fully Vaccinated Employees In The Workplace
Effective May 3, 2021, the California Department of Public Health issued COVID-19 Public Health Recommendations for Fully Vaccinated People, applicable to non-health care settings, in response to the Interim Public Health Recommendations for Fully Vaccinated People, recently issued by the Centers for Disease Control and Prevention (“CDC”). The California Department of Industrial Relations (“DIR”) quickly followed suit, issuing several vaccine-related updates to its COVID-19 Emergency Temporary Standards Frequently Asked Questions, as did the Los Angeles County Department of Public Health, issuing a revised Reopening Safer at Work and in the Community for Control of COVID-19 order (“Los Angeles Order”), with similar updated guidance.
For the time being, however, there is only one change relevant to fully vaccinated employees in the workplace that is permissible under both State and Los Angeles County rules: Fully vaccinated workers do not need to quarantine following a workplace exposure, as provided in the COVID-19 Emergency Temporary Standards (“COVID-19 ETS”), if they remain asymptomatic. However, employers must continue to exclude fully vaccinated employees from the workplace if they (1) are COVID-19 cases (i.e., tested positive or were diagnosed with COVID-19) or (2) there has been a workplace exposure and they exhibit COVID-19 symptoms.
Face coverings must still be worn by fully vaccinated employees to the same extent as non-vaccinated employees. And physical distancing must be maintained.
The Los Angeles Order states that employees in a fully vaccinated workplace may forego physical distancing (while still wearing face coverings). Proof of vaccination is required. However, before employers begin mandating vaccinations and pushing desks back together, they should consider the following:
- First, California does yet not recognize this physical distancing exception, and employers must comply with the more restrictive rule. The DIR has stated that the COVID-19 ETS must still be followed for fully vaccinated employees with the sole exception for quarantine noted above. (See FAQ No. 1, under Vaccines, and Nos. 9 and 12 under Testing.) This includes maintaining physical distancing in office workspaces. So, following the relaxed physical distancing permitted by Los Angeles County would violate the State’s COVID-19 ETS.
- Second, the Los Angeles Order reflects that even if all employees are vaccinated, physical distancing must still be maintained for any employees who interact with visitors, such as delivery personnel, vendors, or customers.
- Finally, both the federal Equal Employment Opportunity Commission (“EEOC”) and the California Department of Fair Employment and Housing (“DFEH”) have issued guidance reflecting that exceptions to any mandatory vaccination policy may need to be made as reasonable accommodations for disability and religion (see the EEOC Guidance and DFEH Guidance). Additional exceptions may also merit consideration.
Accordingly, even if California updates its regulations to make an exception to physical distancing requirements for fully vaccinated employees, employers will want to consider whether this decision is right for their workplaces.
In light of Los Angeles County’s rules regarding proof of vaccination, for fully vaccinated employees who have shown proof of their vaccination against COVID-19, employers should create and keep written records documenting that each of these employees has shown them acceptable proof of full vaccination. According to Los Angeles County, employers need not keep a copy of the proof of full vaccination shown. However, because the State has not yet weighed in on this specific issue, it would be prudent to keep a copy of the documentation provided by employees confidential, as with any other medical record.
What California Employers Should Do Now
- Employers should consider their approach to COVID-19 vaccinations, including whether to (i) require vaccination for all or some employees, (ii) encourage vaccinations, or (iii) not take a position on this issue.
- Employers that do plan to require vaccinations should think through how exception requests will be considered and handled, and how medical privacy will be handled. Not only do vaccination records need to be kept private, but employees also have a right to privacy in their medical decisions, such as to accept or decline vaccination, and in their reasons for doing so.
New York City’s New Biometric Privacy Law Goes Into Effect July 9, 2021
New York City’s new biometric privacy ordinance creates a private right of action for individuals that could subject local businesses to potentially millions of dollars in liability. Employers who do business in New York City should carefully review this new ordinance as well as any technology they be using that has the potential to collect biometric information.
Overview of New York City’s Ordinance
The ordinance places new obligations on businesses to notify customers and potential customers if they collect biometric information. It holds that “[a]ny commercial establishment” that collects “biometric identifier information” from “customers” must disclose such collection “by placing a clear and conspicuous sign near all of the commercial establishment’s customer entrances notifying customers in plain, simple language” that customers’ biometric information is being collected. A “commercial establishment” is a place of entertainment, a retail store, or a food or drink establishment and a “customer” is a purchaser or lessee, or a prospective purchaser or lessee, of goods or services from a commercial establishment.
The ordinance further makes it “unlawful to sell, lease, trade, share in exchange for anything of value or otherwise profit from the transaction of biometric identifier information.”
The law provides that individuals “aggrieved by” a violation of the ordinance may file a private right of action but places some conditions on this right.
If the individual alleges the business collected their biometric information without making the required disclosures, the individual can only initiate a private action if they first provide written notice to the business of their intent to sue and provide the business 30 days to cure the violation by placing clear and conspicuous notice at their establishment. If the business does not cure within 30 days, the individual may sue and recover $500 for “each” violation.
If the individual alleges the business shared their biometric information in exchange for something of value or otherwise profited from the “transaction,” then the individual may sue without any prior notice to the business. The individual may recover $500 for “each” negligent violation of this section and may recover $5,000 for “each” intentional or reckless violation of this section.
Implications for Companies
While the ordinance appears to be straight forward, there are potential areas for expansive interpretation of the law. For starters, the ordinance’s “aggrieved by” language may permit civil actions over small, technical violations. Illinois’ Biometric Information Privacy Act (“BIPA”) also limits the private right of action to individuals “aggrieved by” a violation of that Act. Yet, the Illinois Supreme Court has held that even allegations of mere technical violations of BIPA are sufficient for an individual to be “aggrieved by” a violation.
Furthermore, while the ordinance provides businesses an opportunity to cure, this opportunity only applies if the individual limits their allegation to the improper collection of biometric information. If the individual alleges that the business also “shared” the biometric information for “anything of value,” then no notice is required before an individual can assert a claim. In Illinois, most (if not all) plaintiffs routinely allege both improper collection and improper dissemination as a matter of course. Accordingly, the opportunity to cure may not prevent many of these actions from ultimately being filed.
Alabama Legalizes Medical Marijuana While Allowing Employers Discretion As To Participating Workers
On May 17, 2021, Governor Kay Ivey signed Alabama’s new medical marijuana law, known as the Darren Wesley ‘Ato’ Hall Compassion Act, making Alabama the 37th state to legalize marijuana for medical purposes. The law identifies specific qualifying medical conditions, including but not limited to autism spectrum disorder (ASD); cancer-related cachexia, nausea or vomiting, weight loss, or chronic pain; Crohn’s disease; depression; epilepsy or a condition causing seizures; and HIV/AIDS-related nausea or weight loss. While the law grants individuals with these health conditions access to medical marijuana, it provides almost no employment protections for doing so, and imposes no new obligations on employers.
No New Employment Protections
As more states have enacted medical marijuana programs, they have taken varying approaches on employment protections for participating individuals. Alabama’s new law makes it clear that, in the employment context, there are no new legal protections or recourse for individuals who use medical marijuana. To that end, one of the law’s stated purposes is to “balance the needs of employers to have a strong functioning workforce with the needs of employees who will genuinely benefit from using cannabis for a medical use in a manner that makes the employee a productive employee.”
The new Alabama law continues several key provisions making it clear that employers may continue to prohibit marijuana use as part of their drug-free workplace policies, including:
- Drug Testing and Drug-Free Workplace Policies. Alabama employers are still permitted to establish and enforce drug testing and drug-free workplace policies. Employers may refuse to hire, discharge, discipline, or otherwise take adverse action against individuals who use medical marijuana, regardless of whether the individual is under the influence from such use.
- Notification of Status as a Card Holder. Employers can require employees to notify the employer if the employee possesses a medical cannabis card.
- Accommodations for Medical Marijuana Users. Employers are not required to permit, accommodate, or allow the use of medical marijuana or modify job or working conditions for employees who use medical marijuana.
- Relationship to DOT and Other Federal Regulations. The law specifically states that it does not interfere with, impair or impede any federal restrictions on employment, including but not limited to those established pursuant to the United States Department of Transportation regulations.
- No Private Right of Action. The law expressly states that it does not establish a private right of action for individuals to pursue legal action against an employer related to any actions the employer takes due to an individual’s use of medical marijuana.
- Relationship to Workers’ Compensation and Unemployment Benefits. The law explicitly provides that employers can continue to receive workers’ compensation premium discounts for maintaining drug-free workplace policies pursuant to the Alabama workers’ compensation statute. Furthermore, employers may continue to deny or establish legal defenses to the payment of workers’ compensation benefits to an employee on the basis of a positive drug test or refusal to submit to or cooperate with a drug test. Finally, the law provides that an individual who is discharged from employment based on their use of medical marijuana, or refusal to submit to or cooperate with a drug test, will be “legally conclusively presumed to have been discharged for misconduct” for purposes of unemployment benefits if certain conditions are otherwise met.
Physicians Required to Notify Patients of Employment Risks
Alabama’s law requires physicians who certify individuals as having qualifying medical conditions to obtain the patients’ written consent to use medical cannabis. The physicians must use a standardized consent form that advises patients that “the use of medical cannabis could result in termination from employment without recourse and that costs may not be covered by insurance or government programs.”
Managing for Compliance
While the new law does not mandate specific changes, Alabama employers should review their internal policies and practices regarding applicants and employees who use medical marijuana.
California District Court Dismisses Disability Claims Based On Failed Preemployment Marijuana Screen
Recently, when dismissing a job-applicant’s disability discrimination claims brought under California state law, the U.S. District Court for the Central District of California issued two welcome reminders to employers. First, an employer can condition an offer of employment on the completion of a preemployment drug screen, including a test for marijuana. This is true even though California has legalized marijuana for both recreational and medical purposes. Second, an employer is not under any obligation to engage in the interactive process before an applicant passes a pre-employment drug screen.
In Espindola v. Wismettac Asian Foods, Inc., Case 2:20-cv-03702 (C.D. Cal. Apr. 28, 2021), Plaintiff applied for and was offered a position with the Company. Before Plaintiff started work, the Company contacted him to schedule a preemployment drug screen, which was required of all new-hires. In response, Plaintiff stated that he needed to take care of some personal issues and could not take the preemployment drug screen before his first scheduled workday. Thereafter, and before starting work, Plaintiff applied for a medical marijuana card in the state of Florida.
The day before Plaintiff was scheduled to start working, he completed a “personnel information sheet,” on which he indicated he was not “disabled.” The next day, he met with Human Resources. During the meeting, Plaintiff signed a drug testing consent form, and disclosed for the first time that he had “chronic back pain” and had been “prescribed” marijuana to treat his condition. Critically, Plaintiff did not provide any other details or documents—such as a doctor’s note or medical records—to substantiate the nature of his condition or explain any limitations on his ability to perform his job.
The next day, Plaintiff’s request for a medical marijuana card was granted, and he forwarded the approval to Human Resources. The HR team met with senior management, and all agreed that it was Company policy for everyone to submit to a preemployment drug screen. Plaintiff subsequently took the required drug screen and tested positive for marijuana metabolites. As a result, his employment was terminated for failure to pass the preemployment drug screen.
In response, Plaintiff filed suit, alleging, among other things, 1) wrongful termination based on a disability; 2) failure to accommodate a disabling condition; and 3) failure to engage in the interactive process, all in violation of the California Fair Employment and Housing Act (“FEHA”). The Company moved for summary judgment on all of Plaintiff’s claims, which the Court granted in its entirety.
Regarding Plaintiff’s discriminatory discharge claim, the Court held that it failed for several fundamental reasons. For starters, Plaintiff only disclosed that he purportedly suffered from “chronic back pain,” which was not sufficient to establish that he suffered from a disability as a matter of law. Rather, to make such a showing, Plaintiff was required to submit details regarding his specific condition or, more significantly, how his chronic back pain “limited a major life activity.” Plaintiff’s failure to provide these necessary details—along with his failure to submit any documentation to substantiate his purported condition—was fatal to his claim.
Yet even if Plaintiff could have established that he suffered from a disability, the Court held that his discharge claim still failed because the Company set out a legitimate nondiscriminatory reason for the termination of his employment—Plaintiff failed a preemployment drug screen—and Plaintiff could not show pretext. Indeed, Plaintiff received notice of the Company’s drug screening policy before his employment started, and the Company required all employees to submit to a preemployment drug screen. There was no evidence that Plaintiff was treated differently.
Moreover, the Court further explained that Plaintiff’s argument that the drug screen was “illegal” because it was administered after Plaintiff started working was simply wrong. Crucially, Plaintiff received notice of the drug screen before starting work, and the only reason he took the drug screen after starting work was because he requested that the test be delayed so he could take care of some personal issues. He was not immune from the results of the preemployment drug screen based on the fact that he asked for and was allowed to take it after his employment began.
Finally, Plaintiff’s claims for failure to accommodate and failure to engage in the interactive process also failed for similar fundamental reasons. Foremost, Plaintiff failed to establish that he was disabled. Setting this fatal issue aside, these claims also failed because the Company was not under any obligation to engage in the interactive process before Plaintiff passed the drug screen, which was an express condition of employment.
This decision comes as welcome news to California employers, and reaffirms that an employer may lawfully condition employment on the passage of a preemployment drug screen. When making an offer of employment, employers would do well to provide written notice to the offeree that their employment is conditioned on taking and passing a drug screen and should get the offeree’s agreement in writing.
California Courts (Again) Provide Guidance On What Qualifies As A “Standalone Disclosure” For FCRA Purposes
A recent case out of the Northern District of California serves as a reminder to employers and background screening vendors that the disclosure form required by the Fair Credit Reporting Act (“FCRA”) to be presented to job applicants prior to conducting a background check for employment purposes cannot contain any “extraneous information.”
In Arnold, et al. v. DMG Mori USA, Inc., the plaintiffs, former employees of DMG Mori USA, Inc. (“DMG”), filed a class action claiming that in the course of obtaining background reports about them, DMG presented them with a disclosure form that violated the FCRA. Under the FCRA, a disclosure for employment screening purposes must (i) be “clear and conspicuous,” and (ii) “in a document that consists solely of the disclosure.” This second requirement is referred to as the “standalone disclosure requirement.”
The District Court in Arnold concluded that DMG’s disclosure form did not meet the FCRA requirements because (i) it included a description of consumer rights under California, Maine, Minnesota, New York, Oklahoma, Oregon, and Washington state consumer reporting laws; and (ii) even after the form was revised to omit the references to state law, it still violated the standalone disclosure requirement because it contained information about applicants’ right to request whether a consumer report has been run about them and to request a copy of their report.
In Arnold, the court granted summary judgment for the plaintiffs, and further, and most problematically, it found that DMG’s violations were “willful.” The court referred the parties to schedule a settlement conference, the outcome of which will include damages ranging from $100 to $1,000 per class member. The decision is not clear as to the precise number of class members, but it appears there are between 668 and 1,138 members.
Comparison to Other FCRA Cases from the Ninth Circuit
Arnold relies heavily on Ninth Circuit precedent, Gilberg and Walker. Gilberg held that when “a disclosure form does not consist solely of the FCRA disclosure, it does not satisfy the standalone document requirement.” Just like the disclosure forms provided by DMG, the disclosure forms at issue in Gilberg contained state law disclosures which rendered them in violation of the FCRA standalone disclosure requirement.
In Walker, the employer’s disclosure form included the following statement to the consumer:
“You may inspect [our background screening vendor’s] files about you (in person, by mail, or by phone) by providing identification [to our background screening vendor]. If you do, [they] will provide you help to understand the files, including communication with trained personnel and an explanation of any codes. Another person may accompany you by providing identification. If [our background screening vendor] obtains any information by interview, you have the right to obtain a complete and accurate disclosure of the scope and nature of the investigation performed.”
The Walker court held that such language, while likely included in good faith to provide useful information to the consumer, violates the FCRA standalone disclosure requirement. Similarly, DMG’s disclosure form included the following statement to the consumer:
“[You have] the right, upon written request made within a reasonable time, to request whether a consumer report has been run about you and to request a copy of your report.”
In concluding that this language violates the FCRA standalone disclosure requirement, the court in Arnold cited to Walker stating, “[o]ur circuit has concluded that substantially similar language, even if presented “in good faith,” is inconsistent with the standalone document requirement.”
Key takeaways for employers:
- The responsibility to provide a legally sufficient disclosure and authorization under the FCRA falls on the user of the background check report. In this case, on the employer who is requesting the background check from their background screening vendor. While background screening vendors may provide template forms for use, any template should be reviewed by counsel for legal sufficiency.
- The requirement to provide a legally sufficient disclosure and authorization under the FCRA is heavily litigated and such forms should be reviewed at least annually by legal counsel versed in the FCRA. Since 2019, there have been a number of important decisions from the Ninth Circuit alone providing guidance on what constitutes a legally sufficient disclosure and authorization, and what the courts consider extraneous language, including Gilberg, Walker, and now Arnold.
- The key with the disclosure and authorization form is brevity.
Plaintiff’s Second Bite At The Apple Fails: Court Dismisses FCRA litigation
Another day, another data privacy litigation dismissed. In this instance, the Eastern District of Louisiana rejected a plaintiff’s second attempt at pleading violations of the Fair Credit Reporting Act (“FCRA”) in Hanberry v. Chrysler Capital, No. 21-397, 2021 U.S. Dist. LEXIS 77478 at *1-*2 (E.D. La. Apr. 22, 2021). Read on to learn more.
The plaintiff in Hanberry held a vehicle loan through Chrysler Capital. After multiple attempts to amend her claims in a previous lawsuit, the plaintiff filed this new case, alleging identical FCRA claims against the defendant. In the complaint, the plaintiff alleged that Chrysler Capital violated the FCRA, 15 U.S.C. § 1681s-2, by “reporting to unspecified credit reporting agencies inaccurate and incomplete information regarding [plaintiff’s] account.” 2021 U.S. Dist. LEXIS 77478 at *1-*2. The plaintiff also alleged she sent a letter to Chrysler Capital seeking a reinvestigation into her account. Id. at *2.
The FCRA requires furnishers of credit information to (i) provide accurate information on consumers to credit reporting agencies under section 1681s-2(a), and (ii) comply with certain obligations upon notice by a credit reporting agency of a dispute under section 1681s-2(b). However, the FTC, or other authorized governmental agency, has the sole power to enforce § 1681s-2(a). To put it otherwise, there is no private right of action under the subsection of the FCRA upon which plaintiff’s claim was based. The court concluded that the plaintiff’s allegation stating, “she notified the credit reporting agencies of a dispute and then also notified Chrysler Capital herself,” was insufficient to satisfy Rule 12(b)(6) for purposes of stating a claim under the FCRA. Accordingly the court dismissed the complaint for failure to state a claim under either Section 1681s-2(a) or 2(b).
Eleventh Circuit Reverses Summary Judgment In Favor Of Experian In FCRA Claim
The Eleventh Circuit Court of Appeals recently reversed summary judgment entered in favor of Experian Information Solutions, Inc. (“Experian”) in a Fair Credit Reporting Act claim brought by Henry Losch (“Losch”) finding not only that Losch had standing to bring the claims but also that Experian’s investigation of Losch’s credit reporting dispute was not “reasonable as a matter of law.” Losch v. Nationstar Mortgage LLC d.b.a. Mr. Cooper, — F. 3d. –, 2021 WL 1653016, *1 (11th Cir. April 28, 2021).
Losch disputed the reporting of a mortgage loan he obtained in 2012. Losch initially reaffirmed the mortgage in bankruptcy, but after the secured property was sold by the bankruptcy trustee, Losch rescinded the reaffirmation with the bankruptcy court’s approval. Although, Losch no longer owed the mortgage debt, after the conclusion of his bankruptcy case, Losch discovered that the debt was still reported on his Experian credit report and was noted as past-due. Losch disputed the reporting with Experian and offered an explanation of the bankruptcy history, including the rescission of his reaffirmation. Experian sent Losch’s dispute to the mortgage servicer, Nationstar, which confirmed the loan balance and past-due status. After notifying Losch of Nationstar’s response, Experian took no further action to verify the debt and continued reporting it as past due. Experian did not correct the reporting until after the lawsuit had been filed.
Losch filed suit in the U.S. District Court for the Middle District of Florida against Experian and Nationstar alleging willful and negligent noncompliance with FCRA for failing to conduct a reasonable investigation of his dispute. The District Court entered summary judgment in favor of Experian, finding that its reliance on the furnisher’s response was reasonable as a matter of law. Losch appealed.
The Eleventh Circuit, sua sponte, addressed the issue of Article III standing and concluded that Losch had shown concrete injury by demonstrating that Experian supplied his credit report at least 26 times to third parties who had performed soft inquiries in connection with prescreened offers. 2021 WL 1653016 at *3. The Eleventh Circuit separately found that Losch had demonstrated concrete injury in emotional distress and time spent disputing the inaccurate reporting. Id. at *2-4.
On the merits of the FCRA claim, the Eleventh Circuit quickly dispensed with Experian’s defense that the information reported was factually accurate. In so holding, the Eleventh Circuit recognized that “[a]lthough a bankruptcy discharge doesn’t expunge a debt,” Experian’s reporting of the existence of the debt and the balance of the debt as past due, “was still factually inaccurate.” 2021 WL 1653016 at *4. Following the discharge, “Losch was no longer liable for the balance nor was he ‘past due’ on any amounts…” Id.
In concluding that Experian’s investigation could not be deemed “reasonable as a matter of law,” the Eleventh Circuit noted that Experian did nothing other than transmit the automated consumer data verification (“ACDV”) form to the furnisher. “[I]t easily could have done something with the information Losch provided…On those facts—where Experian didn’t even check the bankruptcy docket—a jury could find that it was negligent in discharging its obligations to conduct a reasonable investigation and reinvestigation into the disputed information.” Id. As such, the Eleventh Circuit concluded that Experian was not entitled to summary judgment on the issue of whether it negligently failed to comply with FCRA.
The Eleventh Circuit, however, upheld the District Court’s entry of summary judgment on the willful claims finding that Experian’s interpretation of its duty under FCRA “could reasonably have found support in the courts.” 2021 WL 1653016 at *8.
Lessons Learned: While the Eleventh Circuit’s holding is narrow, furnishers and credit reporting agencies should consider reviewing public records when investigating consumer disputes, particularly when the disputes reference bankruptcy or other court actions.
Facebook Loses Last-Ditch Attempt To Derail DPC Decision On Its EU-US Data Flows
Facebook has failed in its bid to prevent its lead EU data protection regulator from pushing ahead with a decision on whether to order suspension of its EU-U.S. data flows.
The Irish High Court has just issued a ruling dismissing the company’s challenge to the Irish Data Protection Commission’s (DPC) procedures.
The case has huge potential operational significance for Facebook, which may be forced to store European users’ data locally if it’s ordered to stop taking their information to the U.S. for processing.
Last September the Irish data watchdog made a preliminary order warning Facebook it may have to suspend EU-U.S. data flows. Facebook responded by filing for a judicial review and obtaining a stay on the DPC’s procedure. That block is now being unblocked.
We understand the involved parties have been given a few days to read the High Court judgement ahead of another hearing on Thursday—when the court is expected to formally lift Facebook’s stay on the DPC’s investigation (and settle the matter of case costs).
The DPC declined to comment on today’s ruling in any detail—or on the timeline for making a decision on Facebook’s EU-U.S. data flows—but deputy commissioner Graham Doyle told us it “welcomes today’s judgment”.
Its preliminary suspension order last fall followed a landmark judgement by Europe’s top court in the summer—when the CJEU struck down a flagship transatlantic agreement on data flows, on the grounds that U.S. mass surveillance is incompatible with the EU’s data protection regime.
The fall-out from the CJEU’s invalidation of Privacy Shield (as well as an earlier ruling striking down its predecessor Safe Harbor) has been ongoing for years—as companies that rely on shifting EU users’ data to the U.S. for processing have had to scramble to find valid legal alternatives.
While the CJEU did not outright ban data transfers out of the EU, it made it crystal clear that data protection agencies must step in and suspend international data flows if they suspect EU data is at risk. And EU to U.S. data flows were signaled as at clear risk given the court simultaneously struck down Privacy Shield.
The problem for some businesses is therefore that there may simply not be a valid legal alternative. And that’s where things look particularly sticky for Facebook, since its service falls under NSA surveillance via Section 702 of the FISA (which is used to authorize mass surveillance programs like Prism).
So what happens now for Facebook, following the Irish High Court ruling?
As ever in this complex legal saga—which has been going on in various forms since an original 2013 complaint made by European privacy campaigner Max Schrems—there’s still some track left to run.
After this unblocking the DPC will have two enquiries in train: Both the original one, related to Schrems’ complaint, and an own volition enquiry it decided to open last year—when it said it was pausing investigation of Schrems’ original complaint.
Schrems, via his privacy not-for-profit noyb, filed for his own judicial review of the DPC’s proceedings. And the DPC quickly agreed to settle—agreeing in January that it would “swiftly” finalize Schrems’ original complaint. So things were already moving.
The tl;dr of all that is this: The last of the bungs which have been used to delay regulatory action in Ireland over Facebook’s EU-U.S. data flows are finally being extracted—and the DPC must decide on the complaint.
Or, to put it another way, the clock is ticking for Facebook’s EU-U.S. data flows. So expect another wordy blog post from Nick Clegg very soon.
Schrems previously told TechCrunch he expects the DPC to issue a suspension order against Facebook within months—perhaps as soon as this summer (and failing that by fall).
In a statement reacting to the Court ruling today he reiterated that position, saying: “After eight years, the DPC is now required to stop Facebook’s EU-US data transfers, likely before summer. Now we simply have two procedures instead of one.”
When Ireland (finally) decides it won’t mark the end of the regulatory procedures, though.
A decision by the DPC on Facebook’s transfers would need to go to the other EU DPAs for review—and if there’s disagreement there (as seems highly likely, given what’s happened with draft DPC GDPR decisions) it will trigger a further delay (weeks to months) as the European Data Protection Board seeks consensus.
If a majority of EU DPAs can’t agree the Board may itself have to cast a deciding vote. So that could extend the timeline around any suspension order. But an end to the process is, at long last, in sight
And, well, if a critical mass of domestic pressure is ever going to build for pro-privacy reform of U.S. surveillance laws now looks like a really good time…
“We now expect the DPC to issue a decision to stop Facebook’s data transfers before summer,” added Schrems. “This would require Facebook to store most data from Europe locally, to ensure that Facebook USA does not have access to European data. The other option would be for the U.S. to change its surveillance laws.”
Facebook has been contacted for comment on the Irish High Court ruling.
Update: The company has now sent us this statement:
Today’s ruling was about the process the IDPC followed. The larger issue of how data can move around the world remains of significant importance to thousands of European and American businesses that connect customers, friends, family and employees across the Atlantic. Like other companies, we have followed European rules and rely on Standard Contractual Clauses, and appropriate data safeguards, to provide a global service and connect people, businesses and charities. We look forward to defending our compliance to the IDPC, as their preliminary decision could be damaging not only to Facebook, but also to users and other businesses.
Canada – A “Step Back Overall” For Privacy
Federal Privacy Commissioner Calls for Stronger Privacy Protections in Bill C-11
In November 2020, the federal government tabled Bill C-11, the proposed new private-sector privacy law that would replace the current regime under the Personal Information Protection and Electronic Documents Act (PIPEDA).We reported on Bill C-11 in Understanding the Draft Consumer Privacy Protection Act: A Summary of the Key Changes Proposed.
At the request of the House of Commons Standing Committee on Access to Information, Privacy and Ethics, the federal Privacy Commissioner shared his submission on Bill C-11. Calling Bill C-11 as “a step back overall” for privacy, the Commissioner’s submission sets out in excess of 60 recommendations, including the following concerns:
- The Privacy Commissioner asserts that Bill C-11 does not include a requirement that individuals understand the consequence of what they are consenting to in order for consent to be meaningful. He argues that the language in Bill C-11 which provides that “[c]onsent must be expressly obtained, unless the organization establishes that it is appropriate to rely on an individual’s [implied] consent” should be revised to remove the wording permitting the organization to determine that implied consent is appropriate.
- The Privacy Commissioner also criticizes the exceptions to consent in Bill C-11 which provide that an organization does not have to obtain consent where it is impractical to do so.
- Flexibility without accountability
- The Privacy Commissioner asserts that Bill C-11 weakens the accountability provisions by leaving organizations to self-regulate. He asserts that organizations should be required to undertake privacy impact assessments for new, higher-risk activities, and should be subjected to proactive audits by his office.
- Responsible innovation
- The Privacy Commissioner asserts that the exceptions to the requirement of obtaining consent for the collection, use or disclosure of information are too broad or ill-defined to promote responsible innovation.
- A rights-based foundation
- The Privacy Commissioner asserts that Bill C-11 prioritizes commercial interests over the privacy concerns of individuals and seeks the entrenchment of privacy as a human right in the legislation.
- Access to quick and effective remedies
- The Privacy Commissioner asserts that the list of violations that could lead to administrative penalties is too narrow, as it does not include obligations related to the form or validity of consent, the exceptions to consent, or violations of the accountability provisions.
- The Privacy Commissioner further asserts that the creation of a Tribunal (to review his exercise of power and consider his recommendations for penalties) adds an unnecessary layer to the process. He recommends that he be empowered to impose the penalties directly, rather than making a recommendation to the Tribunal.
- Cross-border transfers
- The Privacy Commissioner has made 14 recommendations specifically with respect to trans-border data flows, including a recommendation that the Commissioner: (i) “…may request an organization to demonstrate the effectiveness of any safeguards put in place to govern data transfers”; and (ii) be ” empowered to prohibit, suspend, or place conditions on, offshore transfers of data where substantially similar protection is not in place”.
The Privacy Commissioner’s submission to the Standing Committee might be a signal that significant changes could be made to the current draft of Bill C-11. Organizations should actively monitor developments in this area to ensure their compliance efforts are aligned with upcoming changes to the legal regime.
At A Glance: Data Protection And Management Of Health Data In Brazil
Definition of `health data’
What constitutes ‘health data’? Is there a definition of ‘anonymized’ health data?
Brazilian legislation does not provide a specific definition on what constitutes health data. Nevertheless, the Brazilian General Data Protection Law (LGPD) determines that ‘personal data’ is any piece of information referring to an identified or identifiable natural person. Further, when establishing what types of personal information constitute sensitive personal data, the law broadly refers to ‘health data’, not specifying what this concept includes.
Similarly, the LGPD determines that anonymized personal data is all personal information not linked to the data subject to whom it belongs through the use of adequate technical and technological measures available at the moment of processing.
Data protection law
What legal protection is afforded to health data in your jurisdiction? Is the level of protection greater than that afforded to other personal data?
Health data is protected when it relates to an identified or identifiable natural person, thus constituting personal data and falling within the scope of the LGPD. The LGPD establishes in article 5(II) that health personal data, including personal data on sex life as well as genetic and biometric data, constitutes sensitive personal data. As a consequence, this type of personal data is subjected to a higher degree of protection.
The legal bases to undertake a lawful processing of sensitive personal data are limited to eight:
- compliance with legal obligations;
- implementation of public policies;
- research by authorized institutions;
- lawful exercise of rights;
- protection of life or physical integrity;
- health protection by health professionals; and
- fraud prevention.
Regarding specifically health data, the LGPD prohibits its sharing for economic purposes. Exceptions to this rule include data sharing in order to provide health services, medical or pharmaceutical assistance or to allow data portability or financial transactions. Nevertheless, the use of health data by health insurance companies for the practice of health scoring is generally seen as forbidden by the law.
The LGPD also determines that personal data used in public health studies, which normally include health data, should be processed exclusively for the studies’ purposes in secure and controlled online and offline environments. If possible, the data should be anonymized during the study, but if not, the data must necessarily be anonymized prior to the disclosure of its findings.
Lastly, the National Data Protection Authority (ANPD) may impose higher standards relating to technical and administrative security measures for the processing and storage of sensitive data, which would necessarily include health data.
Other sectoral laws might also be available to guide in this realm.
Anonymized health data
Is anonymized health data subject to specific regulations or guidelines?
The LGPD is applicable only to data that identifies or allows for the identification of an individual.
Under the LGPD, there are two main criteria to determine whether the anonymization process is proper or not:
- an objective criterion by which the cost and time to revert the anonymization process in light of available technology is considered; and
- a subjective criterion that considers whether the anonymization process can be reverted by the processing agent own means.
ANPD may issue more specific regulations or guidelines regarding anonymization techniques.
How are the data protection laws in your jurisdiction enforced in relation to health data? Have there been any notable regulatory or private enforcement actions in relation to digital healthcare technologies?
The LGPD came into force in September 2020 and the enforcement scenario is still uncertain as ANPD, which will be the most important body responsible for overseeing such enforcement, is yet to start its activities.
What cybersecurity laws and best practices are relevant for digital health offerings?
Within the legal framework governing cybersecurity in Brazil, there are rules for the government itself to follow. Normative Instruction GSI/PR No. 1 and Decree No. 9,637/18 regulate security of information and communications from the federal public administration. However, regarding the adequate levels of cybersecurity that should be adopted by private actors, there are broad provisions established by the Brazilian Internet Law and respective Decree, where the adequate security of web services is recognized as a principle for internet use in Brazil. The law determines that the levels of security must be in accordance with recognized good practice and international standards, which include ISO/IED 27001:2013, ISO/IEC 27002:2013, ISO/IEC 27005:2011 and ISO/IEC 31000.
The LGPD establishes that in cases of security breaches leading to the exposure of personal data, fines may be as high as 50 million reais.
Best practices and practical tips
What best practices and practical tips would you recommend to effectively manage the ownership, use and sharing of users’ raw and anonymized data, as well as the output of digital health solutions?
Ongoing review of anonymization processes. Besides, data must be stored in systems with adequate levels of security and with access restrictions, ensuring that the only people able to access it are those who need to use it. Similarly, data should only be shared through safe systems and deleted once no longer necessary for the purposes of the processing. In any case, transparency as to processing activities to data subjects is always key.
Can Employers Dismiss An Employee To Avoid Reputational Damage?
In the internet age, businesses of all sizes are aware of the reputational fallout which they can suffer because of their employee’s actions. There is no shortage of stories in the press about those who are fired for acts of wrongdoing (both online and “in real life”) which create a PR storm.
More vigilant employers might be tempted to consider dismissing an employee even on a mere unproven suspicion of wrongdoing.
However, the Employment Appeal Tribunal has recently re-emphasized the need for sufficient evidence of wrongdoing for a fair dismissal in in K v L (UKEATS/0014/18/JW), a case decided last year.
In this article we cover:
- The decision in K v L
- Relevant factors in dismissals for reputational concerns
- Key points for HR
1. The decision in K v L
The claimant was employed as a schoolteacher in Scotland. He had a long and unblemished record during his time in the profession.
However, in late 2016 he was subject to an investigation after his personal computer was seized on a charge of possession of indecent images of children. The police had searched his home after receiving intelligence that indecent images had been downloaded to an IP address associated with the claimant’s home, where he lived with his son. Following a brief investigation, the Crown Office (the public prosecutions authority in Scotland) decided not to prosecute the claimant due to insufficient evidence. It nevertheless sent a letter to the claimant reserving the right to bring a prosecution in the future.
The respondent school, which employed the claimant, received a limited summary of the evidence against the claimant from the Crown. The summary gave no view on whether the claimant was a risk to children.
The claimant was invited to a disciplinary hearing. There was no mention of reputational damage in the letter as a potential reason for his dismissal and, though it was referred to in the disciplinary hearing, it was not discussed in any depth. During that hearing, the claimant said he could not explain how the images came to be on his computer, but it could have been that his son’s friends, who had had access to the computer, were responsible.
After the hearing, the school decided to dismiss the claimant. Although it admitted that there was not enough evidence to conclude that the claimant had in fact downloaded the indecent images, it stated that it could not rule out the possibility. Since the school was responsible for child protection, it explained that it could suffer “serious reputational damage” if it continued to employ the claimant.
The claimant brought proceedings in the employment tribunal but was unsuccessful. He appealed the decision to the EAT.
The EAT found that the claimant had been unfairly dismissed. This was largely due to the following factors:
- The respondent tried to rely on “reputational damage” as a ground for dismissal. However, the EAT found that this prospect had been absent from the letter inviting the claimant to the disciplinary hearing and only mentioned in passing in the hearing itself. The employee had therefore not been given sufficient notice that the employer would rely on this ground.
- The school could not conclude, on the balance of probabilities, that the employee was guilty of the offence in question and therefore could not dismiss fairly on the ground of misconduct.
- Even if the school had been able to rely on potential reputational damage as a ground for dismissal, the evidence in the case was insufficient and the school had not analyzed it in deciding to dismiss.
The key lesson for employers is that they need to properly weigh the evidence against the employee and, if they cannot prove the alleged wrongdoing on the employee’s part, they must make it clear from the outset of the disciplinary process that reputational concerns will be an important factor to be discussed and considered. Only then can the employee have a fair opportunity to make his or her own case for why a dismissal would be disproportionate.
The courts have long recognized that misconduct outside of work can justify a lawful dismissal where it gives rise to reputational risk for the employer, even where that misconduct is disputed by the employee. This was the case in Leach v The Office of Communications. In Leach the claimant was deemed to have been fairly dismissed by the Office of Communications after allegations of child sex offences were made against him. Though the allegations were not proven at the time of the dismissal, the risk of reputational loss in Leach was considered by the Court of Appeal to be a fair “substantial reason” for dismissal.
The EAT’s decision in K v L shows that there is a limit to an employer’s “no smoke without fire” approach, even in sectors such as education where child safety concerns may justify such an approach. Here, however, that end did not justify the means.
2. Relevant factors in dismissals for reputational concerns
These two cases demonstrate that there is a very difficult balancing act for employers (and tribunals hearing these cases). The issue was succinctly put by the High Court in the Leach case, later approved in the Court of Appeal:
It sticks in the throat that an employee may lose his job, or perhaps in practice any chance of obtaining further employment, on the basis of allegations which he has had no opportunity to challenge in any court of law—or may indeed have successfully challenged.
On the other hand, it has to be recognized that there are cases where it is necessary for employers to be warned of facts which indicate that an employee (or potential employee) is a risk to children, even in the absence of any conviction.
How should employers balance the needs of the business and its customers (or, in the case of schools, its pupils) with the rights of the accused but acquitted employee?
The EAT compared the circumstances in K v L with those in Leach to explain the factors that will be relevant in a dismissal based on potential reputational damage. These include:
The evidence of misconduct
The amount of information and evidence that an employer has about alleged misconduct will be highly relevant. In Leach the police had given Ofcom detailed information about the alleged behavior, whereas in K v L the respondent school had very little evidence to go on, and there were innocent explanations for how the images could have appeared on the employee’s computer.
In fact, in K v L the employer had itself admitted on dismissing the employee that there was insufficient material on which to make any conclusion that the employee had been culpable for the possession of the indecent images (as had the prosecuting authorities in Scotland when they decided not to charge the employee). The employer also said, however, that it could also not exclude the possibility that the employee was responsible for the images. The EAT recognized the difficulty the employee had in seeking to prove a negative.
The actual risk of reputational loss
The EAT placed weight on the fact that there was no existing press interest in the K v L case and no indication that there would be a prosecution.
On the other hand, in Leach there was already press interest in the story. The risk of adverse coverage had been considered by the PR team and deemed to be a real one.
Employers cannot rely on merely fanciful prospects of reputational fallout: they would need to show that the continued employment of the employee would create a real risk to the business.
The conduct of the employee
Outside of the alleged offences, the employee in Leach had concealed the court case from his employer, misled the press and used his work email to protest proceedings against him in Cambodia. This was significant; it indicated a breach of trust and confidence that was not present in K v L. These will of course be relevant factors for a tribunal considering whether the dismissal was fair, either on the grounds of conduct or “some other substantial reason”.
3. Key points for HR
When considering dismissal based on potential reputational damage, an employer should ask itself the following questions:
- Is there reliable and sufficient evidence available? Where an offence is not proven, evidence should not be blindly accepted without question, even where it is provided in police reports.
- Is there a genuine risk of reputational damage? You cannot presume that the press or public will discover the information and/or react in a certain way. Consider the press interest and the likelihood that the story will reach the press or social media.
- Have we given sufficient notice to the employee of all the potential grounds for dismissal, including dismissals justified in the interests of the business’s reputation? Tribunals will not look favorably if this prospect is brought up at the last minute when all other allegations of misconduct are found to be untenable. The risks to reputation, if the allegations are unproven but turn out to be true, should be cited as a relevant consideration from the outset, and referenced in the letter inviting the employee to a disciplinary hearing, in the hearing itself and in the notice for dismissal.
- Can we rely on other misconduct which is not based on disputed facts? Where the employee has sought to conceal important evidence or is otherwise not sufficiently cooperative with a disciplinary process, this may add justification to the dismissal. However, adding these to the conduct relied upon could open up employers to allegations that they are shifting the goalposts or seeking to justify a pre-ordained decision, so care should be taken to rely on substantial breaches only.
U.S. State Privacy Law Check-In
The Virginia Consumer Data Protection Act (“CDPA”) was signed into law on March 2, 2021, making Virginia the second U.S. state after California to pass a comprehensive data privacy law. Those familiar with the European Union General Data Protection Regulation (“GDPR”) will recognize terminology throughout the CDPA, mimicking many GDPR-defined terms, such as “controller”, “processor” and “personal data.” While not quite as expansive as the GDPR in every respect, the CDPA is a broad-based privacy law that is on par with the California Consumer Privacy Act (“CCPA”). For our summary of the CDPA, please see our overview of the Virginia Consumer Data Protection Act. The CDPA becomes effective on January 1, 2023.
While much narrower in scope than other new and pending privacy legislation, Utah’s Cybersecurity Affirmative Defense Act was signed into law on March 11, 2021. The law creates an affirmative defense (“safe harbor”) for companies in Utah’s data breach notification if they have a written information security program that meets certain requirements as specified in the law.
Florida’s proposed privacy law, House Bill 969, shows promise of making it to law and contains some potentially game-changing provisions. HB969 is sweeping privacy legislation that shares many similarities with the CCPA, imposing a broad set of requirements on businesses, and providing a number of rights to consumers with respect to their personal information. Additionally, similar to the CCPA, the bill also contains a private right of action in the event of certain data breaches. The bill overwhelmingly passed the Florida House of Representative 118 votes to 1 and has now moved to the Florida Senate. HB969 also has the support of Florida Governor Ron DeSantis. We note that the Florida Senate is considering its own privacy legislation—Senate Bill 1734—which is still pending and has undergone several amendments. The 2021 Florida Legislative Session ends on April 30, 2021, and we will update on the status of this important development following the close of the session. If passed, organizations will have only eight months to prepare, as the bill would become effective on January 1, 2022.
Senate Bill 893 is a comprehensive privacy law similar to the CCPA that would require transparency from companies with respect to their data collection and use and would provide consumers with a variety of privacy rights. SB893 continues to move through the Connecticut legislature and was referred by the Connecticut Senate to the Committee on Judiciary on April 28.
Dead for Now
Most notably, The Washington Privacy Act of 2021 (SB 5062) failed to pass for a third year in a row. The Washington Privacy Act was a comprehensive privacy bill similar to the GDPR, giving consumers broad privacy rights with respect to their personal data. As with years past, contention over the bill primarily focused on whether the bill should include a private right of action to allow residents to directly bring claims for violation of the law. While the bill showed promise this year when it passed in the Senate, the House version (which contained a private right of action), did not advance by the April 25 close of the legislative session.
Although it did not garner the level of national attention that the Washington Privacy Act generated, the Oklahoma Computer Data Privacy Act (HB1602) was also a comprehensive privacy bill that borrowed many concepts from the CCPA and included a private right of action. If passed, HB1602 would have been a trendsetter in U.S. privacy law—requiring that consumers opt-in prior to collection of their personal information (something we have not seen before in U.S. privacy law). The bill had bipartisan support, passed in the Oklahoma House, but failed to advance out of the Oklahoma Senate Judiciary Committee before the April 8 deadline. Much of the opposition to the bill focused on the opt-in requirement, and there was a strong lobbying push from industry to oppose it.
Back To Normal For The Fully Vaccinated? What The CDC’s Latest Guidance Means For Employers
Just over two weeks after it relaxed its protocols for fully-vaccinated individuals, the Centers for Disease Control and Prevention (CDC) has now issued revised guidance essentially permitting those individuals to resume their pre-pandemic lifestyle, subject to any applicable and differing state and local mandates. Consistent with prior iterations of this guidance, the CDC asserts that “You will still need to follow guidance at your workplace.” So what can employers do now?
Newest Version of the Rules. The CDC now says that fully vaccinated individuals (meaning at least two weeks after the second/only required shot for the vaccine in question) may:
- Resume activities that they did prior to the pandemic without wearing a mask or staying 6 feet apart from others (apparently whether vaccinated or not), except where required by federal, state, local, tribal, or territorial laws, rules, and regulations, including local business and workplace guidance.
- Refrain from testing before or after domestic travel or self-quarantine afterwards.
- Refrain from testing before leaving the United States for international travel (unless required by the destination) and refrain from self-quarantine after arriving back in the U.S. Testing or documentation of recovery from COVID-19 before returning to the U.S. is still required and is recommended 3-5 days after returning from travel.
- Refrain from quarantine or testing following a known exposure if asymptomatic.
- Refrain from routine screening testing if asymptomatic and feasible
Continuing Rules. In addition to following individual employer guidance, the CDC says that fully vaccinated individuals should continue to:
- Take precautions when traveling. This includes wearing a mask on public transportation and in transportation hubs such as bus stations, train stations, and airports. And when travelling internationally, comply with the pre-return testing requirement and consider post-return testing, as mentioned above.
- Quarantine and get tested if experiencing COVID-19 symptoms.
- Those with health conditions or weakened immune systems should continue taking precautions, such as masking indoors and outdoors, social distancing, avoiding crowds, and refraining from travel.
What Changes Employers Could Make. With regard to that employer guidance, we offer some revised thoughts, but please remember that state and local jurisdictions may still impose restrictions beyond what the CDC is allowing. Thus, it is critically important to check whether and what those state/local mandates may be before taking any of the actions set forth below.
- Workspace generally: Most workplaces will have a mix of vaccinated and unvaccinated individuals. It appears that vaccinated employees need not wear masks or observe social distancing protocols (or even wash their hands!). However, the CDC still says that unvaccinated employees should continue to maintain all COVID-19 protocols generally, including masking and distancing. If all employees in a particular enclosed workspace are vaccinated, those employees need not wear masks or stay at least six feet apart—unless there is a state or local masking mandate that still applies to the workplace (or indoor spaces, more generally). Vaccinated vendors, clients or other visitors to the workplace also need not wear a mask, while unvaccinated ones should continue to do so.
- Small group meetings: Just as before, if all participants in a meeting have been vaccinated, they need not wear masks or stay at least 6 feet apart during the meeting. Although the CDC guidance permits vaccinated individuals to be within 6 feet of unmasked, unvaccinated ones, the guidance for unvaccinated individuals continues to emphasize the need for a mask and distancing, apparently even from vaccinated individuals. (Yes, this is confusing). The best practice would be to require unvaccinated employees to continue to wear a mask when meeting with their vaccinated, mask-free colleagues.
- Outdoor work: Based on the new guidance, fully vaccinated employees working outdoors need not wear masks or socially distance from other employees, regardless of how many people are around. Again, unvaccinated employees should continue to mask, socially distance (where possible) and avoid large groups.
- Lunchrooms: If fully vaccinated employees wish to eat together, they can be permitted to do so. Arguably, unvaccinated colleagues could join them, although, as noted above, the CDC guidance for those individuals is to continue to observe measures such as masking and social distancing.
- Business travel: Employers can allow fully-vaccinated employees to resume business travel, both domestic and international. Domestic travelers need not test before or after travel, while international travelers must be tested before returning to the U.S., with testing recommended 3-5 days following return. Both domestic and international travelers need not quarantine following travel. Be aware that there may be additional testing and quarantine requirements imposed by the travel destination or local/state mandates, however. Employers should continue to try to minimize any required travel for unvaccinated employees. Moreover, employers should be thoughtful in responding to employee concerns about required travel—particularly for older employees or those with underlying health conditions, even if they have been fully vaccinated.
- Exposure to COVID-19: The CDC states that if it’s been more than two weeks since the employee was fully vaccinated, they need not quarantine (for unvaccinated individuals, the quarantine period is at least 7 and up to 14 days). Exposed, vaccinated employees should still monitor for symptoms. And those in high-density or non-healthcare congregate settings (e.g. meat and poultry processing or manufacturing plants, correctional and detention facilities, or group homes) should still undergo appropriate testing through workplace screening programs.
- Symptomatic employees and those testing positive: Of course, if a vaccinated employee develops symptoms of COVID-19 following exposure, they should isolate in accordance with the CDC’s guidelines, seek a medical evaluation, and possibly be tested. Those testing positive should isolate. Because remember, the vaccine is not 100%—meaning some vaccinated employees will still get COVID-19. Employees with symptoms or who have tested positive may be able to work remotely or may need leave. If sick leave is available or mandated by state or local law—or FFCRA leave is available and allowed by the employer (through September 30, 2021)—they will be entitled to take such leave during the isolation period.
- Reasonable accommodations: Vaccinations do not eliminate the need to provide reasonable accommodations if the employee has a disability. Thus, for example, employers should not be quick to assume that an employee with a condition that put them at higher risk of serious illness from COVID-19 no longer needs to telework following vaccination. Reasonable accommodations should always be considered on a case-by-case basis, and a disabled employee may still need to telework following vaccination, if the medical provider supports that requirement.
Factors to Consider Before Loosening Workplace Protocols. It is worth noting that OSHA is expected to issue—any day now—its COVID-19 Temporary Emergency Standard, which may or may not be consistent with the CDC’s general recommendations and our observations based solely on the CDC guidance, as set forth above. So further modifications may be expected shortly.
In the meantime, as discussed in an earlier blog post, What to Do About Workplace Masking in the “Open” States, employers may implement and maintain current COVID-19 protocols that exceed what the CDC is recommending or that OSHA may shortly mandate. The CDC had previously noted that there may be higher risk—and consequently employers may wish to implement more stringent safety measures—with the following: higher community transmission rates; settings with more unvaccinated people; indoor settings with poor ventilation; inability to maintain social distancing; and activities that including shouting, physical exertion or heavy breathing, and the inability to wear a mask, among other things. (This particular observation is no longer part of the CDC guidance, but actually continues to be a useful part of the analysis for an employer assessing infection risk in the workplace).
In addition, employers should realize that there may be resistance to stricter protocols from some employees, managers, and visitors, and be prepared to address that. Clear and specific communication about what the protocols are and why they are required is helpful. And an employer can usually discipline employees for failing to comply with stricter employer-mandated protocols.
To Mask Or Not To Mask? Interpreting The CDC’s New Guidance For Fully Vaccinated Individuals
On May 13, 2021, the Centers for Disease Control and Prevention issued updated guidance stating that fully vaccinated people no longer need to wear a mask or physically distance, including if indoors. Fully vaccinated individuals are those who are two weeks out from either their single shot in a one-dose vaccination regimen, or their second shot in a two-dose regimen. The new guidance also said that fully vaccinated individuals need not be tested for COVID-19 infection following known exposure to the virus unless they are residents or employees of correctional facilities or homeless shelters.
While this news was greeted with enthusiasm, as many prepared to toss their well-worn masks, both the substantial carve-outs in the CDC guidelines and ongoing restrictions still in place under state and local authorities mean that the fully vaccinated still have not been given carte blanche to go maskless. As a threshold matter, the new CDC guidance specifically states that employees should continue to follow any workplace restrictions regarding COVID safety. Thus, employers still have the freedom to enforce more stringent mask requirements regardless of the CDC’s current position. In fact, certain employers may actually be required to enforce mask-wearing, as many jurisdictions still impose heightened safety protocols despite rising vaccination levels.
For example, on May 4, 2021, the Oregon Occupational Health and Safety Division converted its temporary rule addressing COVID safety in the workplace to a permanent rule, promising that it would be repealed sometime in the future. That rule requires employers in Oregon to enforce physical distancing and the wearing of face coverings in the workplace. Similarly, California’s Department of Public Health issued updated guidance on May 5, 2021, approving largely unrestricted activity for fully vaccinated people—but not at work. Instead, California employers must continue to follow the emergency temporary standards of California’s state OSHA division, which requires the use of masks. Conversely, Texas, as early as March, lifted a statewide mask mandate by executive order and restored all business and facilities to 100% capacity. In turn, Illinois lies in the middle of the spectrum, as its governor stated that Illinois would follow the new CDC guidance for fully vaccinated people. Otherwise, prior mask-related restrictions remain in place. Therefore, it is imperative for employers—and, particularly, multi-state employers—to keep abreast of rapidly evolving state and local requirements, in addition to the CDC’s guidance regarding best practices.
Furthermore, the Occupational Health and Safety Administration (OHSA) has yet to weigh in on workplace mask-wearing. As of May 17, 2021, OSHA announced that it was continuing to review the CDC guidance. Because the CDC has carved out workplace rules from its newly relaxed mask guidelines, a contrary directive from OSHA—which specifically regulates the workplace—would likely control. We do not, however, expect that OSHA will issue more stringent guidance absent some marked changes in the number of COVID cases.
For now, employers should focus on complying with any state and local regulations that govern mask-wearing requirements in the workplace and consider whether their workplaces are ready for the kind of relaxation of protocols that the CDC has said is permissible.