October 2019 Screening Compliance Update

Federal Developments

Federal Drug and Alcohol Requirements for Commercial Drivers Begin January 6
Beginning January 6, motor carriers using drivers subject to the Federal Motor Carrier Safety Administration’s drug and alcohol rules will be required to submit testing results and other information to a new electronic Drug and Alcohol Clearinghouse. Motor carriers must submit positive drug or alcohol test results as well as refusals to test. Drivers with positive tests who complete the DOT return-to-duty process and follow-up testing will also have this information recorded in the clearinghouse. Clearinghouse information will not be available to the public. DOT carriers must apply for access authority. For new drivers, motor carriers must obtain consent to search the clearinghouse. Carriers will also be required to conduct limited annual searches for current drivers, again with advance consent. Motor carriers should review their Fair Credit Reporting Act (FCRA) or other applicant and employee background search consent forms to make sure they include consent to initial and ongoing clearinghouse reviews.
https://www.lexology.com/library/detail.aspx?g=f6f60a60-fc5a-46c0-8006-700e28ab4df5&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2019-10-07&utm_term=

Updated Guidance: Privacy Shield and the United Kingdom
The International Trade Administration’s Privacy Shield Team provided updated guidance on October 30, 2019 explaining how a Privacy Shield participant may rely on the EU-U.S. Privacy Shield Framework to receive personal data from the United Kingdom in light of the UK’s planned withdrawal from the EU.

The European Council and the United Kingdom (UK) have extended the period for withdrawal of the UK from the European Union (EU) until January 31, 2020. During the extension period, the UK will remain a Member State of the EU; as a Member State, EU law will remain applicable to and in the UK. The FAQs at https://www.privacyshield.gov/article?id=Privacy-Shield-and-the-UK-FAQs explain what an organization will need to implement thereafter in order to be compliant.

 

State Developments

California Promotes AI in Employment Hiring
Legislatures across the country are racing to keep up with the ever-expanding uses of artificial intelligence (AI) in the workplace. While to date much of the focus has been on ethical uses of AI, disclosure requirements, and informed consent (e.g., the Illinois 2019 Artificial Intelligence Video Interview Act), the California legislature recently took the bold move of promoting AI as a tool to reduce bias and discrimination in hiring and employment. As part of this effort, the California assembly introduced California Assembly Concurrent Resolution 125, titled “Bias and discrimination in hiring reduction through new technology” (CACR 125). Current California (and federal) laws permit employers to utilize tests and other selection procedures for purposes of hiring or promotion (provided they are otherwise lawful). CACR 125 endorses adding AI and algorithm-based technologies to these recruitment tools. In passing CACR 125, the California legislature observed that there continue to be disparate rates of callbacks of diverse applicants as compared to non-diverse applicants with identical resumes. The California legislature cited a 2014 report finding that resumes were the worst predictor of job success of any of the employment selection tools studied. Various AI applications would allow employers to remove the traditional indicators of race, gender and even class from resumes, and/or to rely on tools other than resumes. Ironically, while the use of AI may provide a new frontier in bias-free recruitment and retention practices, employers embracing these evolving strategies may still need to be vigilant in guarding against the age-old risks inherent in any testing or data-collection tool: the risk of disparate impact or failure to protect privacy.
https://www.lexology.com/library/detail.aspx?g=4deb6215-ad0b-4b66-b57f-3715f5270086&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2019-10-10&utm_term=

Columbia, South Carolina passed an ordinance effective August 6, 2019, limiting employers’ use of criminal background checks and banning employers from inquiring about salary history on job applications
South Carolina’s capital city is the latest locality to pass such a measure, following several others that passed similar ordinances within the past year. The new “Conviction and Wage History Prohibition in City Employment and by City Contractors and City Vendors” provision of the city code places exhaustive limitations on private employers considering conviction history in employment decisions, and also prohibits employers from including questions about applicants’ wage histories on job applications. The ordinance contains additional prohibitions on employees of the City of Columbia inapplicable to private employers.

Criminal History Record Restrictions and Requirements
The conviction history measure places requirements on employers at almost every step of the background check process, including from the moment that an employer decides that a “background check” (which is not specifically defined in the ordinance) should be conducted. The ordinance prohibits employers from conducting “background checks” on applicants unless they have made a “good faith determination” that the position at issue “is of such sensitivity that a background check is warranted” or if a background check is required by law. Once an employer decides that a given position will require a background check, the ordinance then requires that job announcements and position descriptions provide the following statement: “This position is subject to a background check for any convictions directly related to its duties and responsibilities. Only job-related convictions will be considered and will not automatically disqualify the candidate.” The ordinance further prohibits job applications from containing questions about an applicant’s conviction history.

The ordinance prohibits any employer from conducting a “conviction history check” until after the applicant has received a written conditional offer letter, a document notifying the applicant of rights under the ordinance, and a request for authorization to conduct a background check. The ordinance further states that employers cannot use or access records of arrest not followed by a “valid” conviction; misdemeanor convictions where no jail sentence can be imposed; sealed, dismissed, or expunged convictions; and infractions.

In assessing an applicant’s conviction history, employers can only consider job-related convictions (unless a statute explicitly requires that certain convictions are automatic bars to employment) and cannot disqualify an applicant based even in part on convictions that are not job-related. If an employer determines that a conviction is job-related, the ordinance further requires the employer to consider the following:

  1. Whether the conviction is directly related to the duties and responsibilities of that employment position;
  2. Whether the position offers the opportunity for the same or a similar offense to occur;
  3. Whether circumstances leading to the conduct for which the person was convicted will recur in the position; and
  4. The length of time since the offense occurred.

The ordinance may place additional requirements on employers for sending out pre-adverse action notices already required by the Fair Credit Reporting Act (FCRA). If an employer may disqualify an applicant based, even in part, on an applicant’s conviction history, the ordinance requires the employer to send out the pre-adverse action notice, which should also identify the conviction(s) that are the basis for the potential adverse action and provide examples of mitigation or rehabilitation evidence that the applicant may voluntarily provide (examples of which are included in the ordinance).

After the employer issues the aforementioned notice, the applicant has 10 business days in which to provide information challenging the accuracy of the information, evidence of mitigation or rehabilitation, or anything else that may rebut the basis for the adverse action. The ordinance requires employers to hold the position open until they make the final employment decision. Once 10 business days have passed, the employer must conduct an individualized assessment to consider the applicant’s evidence of rehabilitation or mitigation and the applicant’s fitness to perform the duties of the position sought, as well as the factors the EEOC recommended in its 2012 Enforcement Guidance on the Consideration of Arrest and Conviction Records in Employment Decisions Under Title VII of the Civil Rights Act of 1964.

If the employer decides not to offer the applicant employment, the employer must provide final notice of that decision. The ordinance requires that notice to include a statement that the applicant may be eligible for other positions.

The ordinance also contains several other administrative requirements. First, the ordinance requires that background check information remain confidential and not be distributed to any other entity, except as required by law. Second, the ordinance requires employers to retain application forms, records of employment, and similar records for at least three years. It even requires employers to maintain a record of the number of positions requiring background checks and, for those positions, records of the number of applicants. An employer must also maintain records on the number of applicants who (a) were provided a conditional offer; (b) were provided a pre-adverse action notice; (c) provided evidence of mitigation or rehabilitation; (d) were provided a final adverse notice; and (e) were hired.

Salary History Requirements
The ordinance’s requirements as to salary history information are more limited than the criminal history protections. The ordinance essentially prohibits private employers from inquiring about an applicant’s wage history on the job application. The ordinance’s other salary history measures apply only to employees of the City of Columbia.
https://www.lexology.com/library/detail.aspx?g=e0585ef7-535d-48c1-ace8-7e662c57198e&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2019-10-07&utm_term=

Implications of New York’s Expanded Data Security Law for Employers and the Broader Biometric Landscape
On October 23, 2019, the expanded data breach notification requirements of New York’s Stop Hacks and Improve Electronic Data Security (SHIELD) Act went into effect. The new law broadens the state’s existing breach notification law and imposes new security obligations on companies that do business in New York. The law has a far-reaching impact on businesses and employers across the country that have consumers and employees based in New York. The SHIELD Act substantially expands the scope and applicability of New York’s existing data breach and security laws. In the simplest terms, the SHIELD Act broadens how the terms “data breach” and “private information” are defined under state law, to ensure that previously-excluded categories of information are now captured, to establish security requirements to safeguard that information, and to augment previous notification obligations in the event that information is breached. As a result, all businesses across the country that do business in New York may be subject to the law’s new requirements.

One particularly important aspect of the SHIELD Act is its enhanced breach notification requirements. Under New York’s previous breach notification law, the definition of “private information” subject to the law was fairly narrow and in line with other states’ breach notification laws. Specifically, New York’s data breach notification law previously required notification of a breach involving “any information concerning a natural person which, because of name, number, personal mark, or other identifier, can be used to identify such natural person,” in combination with data such as social security numbers or driver’s license/identification card numbers. Now, under the SHIELD Act and in addition to the previous categories, companies that suffer a breach of New York residents’…

  • financial account numbers that can be used to access an account without additional identifying information,
  • biometric information (e.g., fingerprint, voiceprint, retina, or iris image), or
  • usernames or email addresses, in combination with passwords or security question answers that would allow access to online accounts,

…must disclose such breach to the New York state attorney general; if a company determines that more than 500 New York residents’ private information was involved in the breach, then the notification must be made within 10 days of the company’s determination. This is just one of the many ways in which the SHIELD Act broadens the types of information and entities covered by New York’s data breach laws (in addition to the imposition of additional data security requirements under the SHIELD Act that become effective on March 21, 2020).

Biometric Data Under the Expanded Breach Notification Obligations of the SHIELD Act
As part of the expansion of privacy and security laws nationwide, many states have demonstrated increased attention on companies that handle biometric data (e.g., fingerprint, voiceprint, retina, facial, hand, or eye imaging). This growing trend in biometric legislation has resulted in laws that place proactive notice and consent obligations on biometric data collectors (like the inclusion of “biometric information” as part of the definition of “personal information” under the California Consumer Privacy Act), and some that include a private right of action (like Illinois’ Biometric Information Privacy Act (BIPA)). BIPA has resulted in numerous class actions against companies that gather biometric data from consumers or employees.

The legislative trend toward expansive obligations has also resulted in states augmenting reactive requirements that companies face as a result of a data breach (for example, by expanding the types of personal information covered by their data breach notification laws). New York’s SHIELD Act, and California’s newly passed A.B. 1130 (signed into law on October 11), are prominent examples of this notable expansion of data breach laws to now include biometric information. Unlike Illinois’ BIPA, which has proactive notice and consent obligations as well as a private right of action for violations, many of these laws, including the SHIELD Act, focus on post-breach notification and do not confer a private right of action (but empower the state attorney general to enforce the law). In any case, both kinds of laws are indicative of continued focus on data gathering, sharing, and retention practices implemented by companies for their customers and employees that is only likely to increase.

The inclusion of biometric data in the definition of private information likely sweeps a large number of previously inapplicable practices into the scope of the law and will change how companies approach these practices. For example, companies that use fingerprinting for employee time-management or hand geometry for security-access controls will need to develop a formal understanding of how they collect and use such data and what to do in the event it is “breached,” a term for which the SHIELD Act also provides an expanded definition to include not only unauthorized acquisition but also unauthorized access. The combinative risk of enforcement of these security and notification obligations in states like New York under the SHIELD Act should encourage consumer-facing businesses and employers alike to carefully review, update, and implement comprehensive security measures, access controls, data breach response plans, and policies and procedures that adequately cover whether and how biometric data is collected, accessed, shared, and stored in order to keep pace.

The SHIELD Act’s Implications on Labor and Employment Practices
The SHIELD Act applies not only to consumer information but also to employee information. And because the SHIELD Act applies to any business that maintains the private information of New York applicants or employees and has at least one employee in New York State—regardless of size or whether the company is headquartered in New York—the SHIELD Act’s ramifications for Empire State employers are far-reaching.

The SHIELD Act also imposes additional data breach reporting requirements on “covered entities” under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). Now, complying with HIPAA data breach disclosure requirements will not exempt a company from notifying the New York state attorney general in addition to federal authorities.

Many common practices of human resources and employee relations departments—including the maintenance of personnel records, leave and benefits documentation, background and credit history checks, direct deposit and expense reimbursements, and use of biometric time clocks and security-access controls—now fall within the expansive purview of the SHIELD Act. As of October 23, 2019, New York State employers must safeguard the broadened range of private applicant and employee information contained in their employment records and will soon be required to maintain heightened data security standards relative to such information.
https://www.lexology.com/library/detail.aspx?g=a19e6431-fb08-4cef-8e0b-5abb22415adf&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2019-10-31&utm_term=

 

Court Cases

CDIA Files Suit Against Maine to Enforce Preemption of State Law by FCRA
The Consumer Data Industry Association (“CDIA”), a trade association whose members include the three largest consumer reporting agencies (“CRAs”), recently filed a lawsuit in Maine seeking a declaratory judgment that two recently passed credit reporting laws are preempted by the Fair Credit Reporting Act.

Earlier this year, the Maine legislature passed the two bills in question, L.D. 110 and L.D. 748, and the laws took effect in Maine on September 19, amending 10 M.R.S. § 1310-H in Section (4) and (2-A), respectively. Specifically, L.D. 110 prohibits a consumer reporting agency from reporting medical debt on a consumer’s credit report until 180 days have passed since the date of first delinquency. L.D. 110 further prohibits reporting of medical debt if the consumer and creditor have settled or paid the account and requires the CRA to remove the report of that medical debt on a consumer report. Under the law, if the consumer makes regular payments pursuant to an agreement with the medical provider, the CRA must report the debt in the same manner as debt from a consumer credit transaction. These provisions, the CDIA argues, prohibit CRAs from reporting accounts unless certain conditions exist and, by doing so, they would require the CRAs to review the status of every account, including payment history, or not report the account at all.

The second state law, L.D. 748, requires CRAs to reinvestigate any debt in which a consumer provides documentation to a CRA of “economic abuse.” If the CRA finds that the debt is the result of economic abuse, it then must remove any reference to the debt. “Economic abuse” means causing an individual to be financially dependent by maintaining control over the individual’s financial resources, including unauthorized or coerced use of credit or property. Me. Rev. Stat. tit. 19-A, § 4002(3-B). CRAs already have to investigate whether the information provided by furnishers is accurate under the FCRA. The CDIA argues that the new Maine statute goes a step further in also requiring CRAs to decide whether the account was the result of economic abuse of the consumer. The CDIA notes that “[w]hile prevention of economic abuse is a laudable goal,” CRAs are not in a position to adjudicate these claims and that they lack both the knowledge and the expertise to be able to do so.

The CDIA seeks a declaratory judgment that L.D. 110 and L.D. 748 are both preempted by the FCRA. It argues that compliance with the two laws will require CRAs to reject accurate credit information, impede their ability to report accurate data, and lead to increased cost, and decreased availability, of consumer credit. The CDIA asserts that the FCRA specifically prohibits states from attempting to regulate the contents of consumer credit reports and that the Maine statutes attempt to exclude information from being included in consumer reports where the FCRA expressly contemplates the inclusion of that information. The CDIA argues that this means that pursuant to § 1681(t) of the FCRA, the Maine statutes are preempted.

This case has the potential to inform whether and how other states may regulate content that is contained in consumer credit reports.
https://www.lexology.com/library/detail.aspx?g=fba8dc94-8e2a-4cfc-a595-8b010a20e338&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2019-10-09&utm_term=

Trade Groups Seek to Have Nevada Law Declared Preempted by FCRA and ECOA
Three industry organizations filed suit against the Nevada Attorney General and the Commissioner of the Nevada Financial Institutions Division, claiming that a newly enacted Nevada law conflicts with and is preempted by federal law, including the Fair Credit Reporting Act (FCRA) and the Equal Credit Opportunity Act (ECOA). They are seeking an injunction preventing Nevada officials from enforcing the law. The bill in question, SB 311, would allow, under certain circumstances, for an applicant who has no credit history to request that the creditor deem the credit history of the applicant to be identical to the applicant’s spouse (or former spouse). According to the bill’s sponsor, the bill was meant to assist a person who “may not be able to obtain credit, even though the person contributed to the development of the couple’s credit history, because the credit history is entirely in the spouse’s name.” If a creditor violates the new law, the violation would be deemed discrimination based on marital status. The bill was enacted earlier this year and was set to take effect on October 1, 2019, the day this lawsuit was filed.

The plaintiffs—the American Financial Services Association, the Nevada Credit Union League, and the Nevada Bankers’ Association—are industry associations whose members include financial institutions and furnishers of credit reporting information. They argue that SB 311 would force creditors to violate the FCRA by requiring them to access and use the non-applicant spouse’s consumer report without a permissible purpose. They also contend that ECOA generally prohibits creditors from requesting information concerning the spouse of an applicant. In contrast, SB 311 would require creditors to obtain information about a spouse or ex-spouse. The industry organizations also assert the Nevada bill violates longstanding privacy and data security rules by requiring creditors to access credit information and disclose it to an applicant without the knowledge of the consumer (the spouse or ex-spouse). Finally, they claim the law is “hopelessly unworkable” from a practical standpoint as creditors have no way of obtaining a credit report associated with a particular period in time, such as during a marriage, so the credit report they would be required to obtain would not necessarily be an accurate reflection of an ex-spouse’s credit contributions.

This action is similar to recent litigation in Maine where the Consumer Data Industry Association is asking the court to declare that two newly enacted state statutes are preempted by the FCRA (see above). The two cases taken together show the tension between attempts by states to protect consumers and the financial services industry’s need for uniform applicability in a complex area of law.
https://www.lexology.com/library/detail.aspx?g=89254f44-949a-48dd-af44-901c7079bcf0&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2019-10-18&utm_term=

California District Court Certifies FCRA Class Action Against Experian After Servicer Went Out of Business
In a case originally filed in March 2016 and following the successful appeal of a grant of summary judgment in favor of Experian Information Solutions, Inc. (“Experian”), Judge Andrew Guilford of the United States District Court for the Central District of California certified a class of consumers whose reporting by Experian was allegedly “misleading” after a loan servicer went out of business.

Delbert Services Corporation (“Delbert”) was a servicer for internet loans issued by Western Sky Financial, LLC. In January 2015, Delbert went out of business and told Experian that it wanted to “discontinue use of any and all services provided by Experian.” Experian responded that it had deleted all Delbert loans from its database. In reality, however, Experian continued to report the loans until April 2016. In the Complaint, plaintiff Demeta Reyes alleged a single claim for relief under the Fair Credit Reporting Act of 1970 (“FCRA”), 15 U.S.C. § 1681 et seq. Specifically, she asserted that Experian willfully failed to “follow reasonable procedures to assure maximum possible accuracy of the information” contained in her credit report. See 15 U.S.C. §§ 1681e(b), 1681n(a).

Experian filed a motion for summary judgment, arguing that it was entitled to summary judgment because (1) its “reporting of [Plaintiff’s] loan was at all times indisputably accurate”; and (2) even assuming a prima facie case of inaccuracy, there was no evidence of a “willful” violation. Judge Guilford agreed, finding that Experian’s reporting of plaintiff’s loan was “neither patently inaccurate nor unduly misleading.” He granted summary judgment on October 13, 2017. The Ninth Circuit, however, reversed Judge Guilford. In an unreported opinion, it found that plaintiff raised a genuine issue of material fact as to whether Experian’s continued reporting of plaintiff’s loan was “misleading in such a way and to such an extent that it can be expected to adversely affect credit decisions.” It found that when Experian was reporting an account from the defunct Delbert, it was reporting an account that was no longer verifiable and that plaintiff could not make current since Delbert was no longer in business. Also, Experian continued to report plaintiff’s past-due history, but had deleted her positive payment history. The Ninth Circuit found that a reasonable jury could conclude that Experian’s continued reporting of plaintiff’s account, “either on its own, or coupled with the deletion of portions of [plaintiff]’s positive payment history on the same loan, was materially misleading.” On remand, plaintiff requested certification of the following class, “All persons whose Experian consumer report contained an account from Delbert Services Corp. reflecting delinquency on a loan originated by Western Sky Financial, LLC after January 21, 2015…” Judge Guilford certified the class on October 3, 2019. The case is Demeta Reyes v. Experian Information Solutions Inc., case number 8:16-cv-00563, in the U.S. District Court for the Central District of California.
https://www.lexology.com/library/detail.aspx?g=3e384d21-155b-482f-a500-3f7acacadf80&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2019-10-08&utm_term=

Will the Eleventh Circuit fall in line with its sister circuits in interpreting Spokeo’s standing requirements in FACTA cases?
For more than a decade, printed credit card receipts have been the subject of considerable litigation all over the country. The Fair and Accurate Credit Transactions Act (“FACTA”), enacted in 2003, prohibits retailers from printing “more than the last 5 digits of the credit card number or the expiration date” on a consumer’s receipt. The potential penalty for a FACTA violation is harsh: the statute awards up to $1,000 damages per violation when the conduct is willful, making it an area ripe for class action lawsuits—with restaurants, grocery stores, and other food retailers being primary targets.

Post-Spokeo v. Robins, however, the question of a plaintiff’s standing to assert statutorily-based claims (like FACTA violations) has become the subject of considerable confusion and debate. See Spokeo, 136 S. Ct. 1540 (2016) (holding that a plaintiff does not “automatically satisf[y] the injury-in-fact requirement whenever a statute grants a person a statutory right and purports to authorize that person to sue to vindicate that right” and that a “bare procedural violation” of a statute “divorced from any concrete harm” is simply not enough).

Over the past several years a prevailing view has emerged that plaintiffs need to show something more than just a bare procedural violation (i.e. that the receipt was printed) to satisfy Spokeo. Indeed, the Second, Third, Seventh, and Ninth Circuits have all upheld dismissals of FACTA claims for lack of standing.

For example, in Katz v. Donna Karan Co., LLC, 872 F.3d 114, 116 (2d Cir. 2017), the Second Circuit affirmed the district court’s holding that the plaintiff lacked standing because the first six digits of a credit or debit card “do not disclose any information about Plaintiff; but rather identify the institution that issued the card to the card holder,” and therefore, did not give rise to a concrete injury. See Katz, 872 F.3d at 118, 119.

Similarly, in Noble v. Nevada Checker Cab Corp., 726 Fed. App’x 582, 584 (9th Cir. 2018), the Ninth Circuit held that disclosure of the first digit of the card number was not “the sort of revelation of information that Congress determined could lead to identity theft” because a card network/brand could be printed without violating FACTA. See also Bassett v. ABM Parking Servs., 883 F.3d 776, 777-78 (9th Cir. 2018) (affirming dismissal of FACTA claim based on disclosure of expiration date where “private information was not disclosed to anyone but [the plaintiff]”); Meyers v. Nicolet Rest. Of De Pere, LLC, 843 F.3d 724, 727-28 (7th Cir. 2016) (affirming dismissal of claim alleging violation of FACTA based on printing of an expiration date for lack of standing where plaintiff failed to allege that he either suffered concrete harm because of the violation, or that the violation created “any appreciable risk of harm” where no one else saw the receipt); Kamal v. J. Crew Grp., Inc., 918 F.3d 102, 115-19 (3d Cir. 2019) (affirming dismissal of FACTA complaint based on printing of first six digits and last four digits of card number and holding claimed injury of heightened risk of identity theft was bare procedural violation that did not confer standing).

In April of this year, the Eleventh Circuit issued its holding in Muransky v. Godiva Chocolatier, Inc., 922 F.3d 1175 (11th Cir. 2019), a case that has been viewed as an outlier on the issue of FACTA standing.

While the District of Columbia Circuit issued an opinion in July of this year in Jeffries v. Volume Servs. Am., Inc., 928 F.3d 1059, 1062 (D.C. Cir. 2019) recognizing the plaintiff’s standing in a particularly egregious FACTA fact pattern (the receipt disclosed all sixteen digits of the credit card number, the expiration date, and the name of the plaintiff’s card provider), Muransky represents the only Circuit decision to hold that the disclosure of the first six digits on a receipt—digits that correspond exclusively to bank issuer information and not cardholder information—is sufficient to confer standing absent a plaintiff’s showing of tangible injury.

The holding in Muransky was limited: it was expressly predicated on a facial challenge levied by the defendant, which, as the Eleventh Circuit noted, required the Court to accept as true Plaintiff’s allegation that the printing of the first six and last four digits of his credit card exposed him to a “heightened risk of identity theft.” Muransky, 922 F.3d at 1190. Indeed, the Eleventh Circuit distinguished Muransky from the Katz case, where the defendant provided the district court with evidence that the first six digits of a credit card number “simply identify the card issuer and provide no personally identifying information about the plaintiff.” Katz, 872 F.3d at 116.

Nevertheless, not surprisingly, since Muransky was issued earlier this year, FACTA class action cases have been filed in the Eleventh Circuit with increasing frequency. And because a petition for rehearing en banc was submitted in Muransky (along with several amicus briefs), many district court cases within the circuit have been in limbo, awaiting the appellate court’s decision on the petition.

On Friday, a new development emerged: the Eleventh Circuit entered an order granting the petition to rehear the case en banc and vacating the panel’s prior opinion. See Muransky v. Godiva Chocolatier, Inc., No. 16-16486 (11th Cir. Oct. 4, 2019). The Court has not yet indicated when the case will be heard, but given the stakes for FACTA litigation, it is one to watch over the coming months.
https://www.lexology.com/library/detail.aspx?g=c6ce9a3b-c2e3-45c3-9740-7001a52533ed&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2019-10-16&utm_term=

Federal Appeals Court Holds Test for Illegal Drugs is not an Impermissible Medical Examination, Even if Test May Reveal Lawful Drug Use
A federal appeals court upheld the termination of an employee who tested positive for amphetamines on a random drug test—despite his claim that the result was due to over-the-counter drug use—and rejected his arguments that the random drug test was an impermissible medical examination and that the Medical Review Officer’s questions constituted an impermissible disability-related inquiry. Turner v. Phillips 66 Co., Case No. 19-5030 (10th Cir. Oct. 16, 2019).

Phillips 66 Co., the employer, conducted a random drug test on its employee, Richard Turner. Three days later, Mr. Turner was involved in a workplace accident and submitted to a post-accident drug test. On the day of the post-accident test, the employer learned that Mr. Turner had tested positive for amphetamines on the random drug test. Mr. Turner advised the Medical Review Officer (MRO) that the positive random drug test was due to his use of over-the-counter Sudafed, which his treating physician confirmed in writing. Phillips 66 terminated Mr. Turner’s employment under its policy providing that if an employee tests positive for drugs, his or her employment will be terminated. Mr. Turner appealed the termination decision pursuant to the Company’s policy. He submitted to a hair test at an independent laboratory and that test was negative. In addition, the results of his post-accident test also were negative. A confirmatory re-test of Mr. Turner’s original random urine specimen, however, confirmed that that test result was positive for amphetamines. Phillips 66 denied Mr. Turner’s appeal and upheld the termination. Thereafter, Mr. Turner filed a discrimination charge with the Equal Employment Opportunity Commission, alleging disability discrimination in violation of the Americans With Disabilities Act (ADA). The EEOC dismissed the charge. Mr. Turner then filed a complaint alleging that: (1) he was subjected to an impermissible medical examination and disability-related inquiry; (2) he was terminated due to a disability (allergies); (3) he was “regarded as” disabled; (4) the drug testing violated the Oklahoma drug testing law. The district court granted summary judgment to Phillips 66 on each of Mr. Turner’s ADA claims. Mr. Turner appealed.

The Tenth Circuit Court of Appeals affirmed the district court’s grant of summary judgment to Phillips 66.

First, the court rejected Mr. Turner’s argument that his drug test and discussion with the MRO about his medications violated the ADA. Mr. Turner argued that, because he tested positive for amphetamines due to taking an over-the-counter medication, the employer’s drug test “was not for illegal use of drugs as permitted by [the ADA], but went beyond that to legal and appropriate use.” Mr. Turner further argued that the drug test was a medical examination that required Phillips 66 to show that it was “job-related and consistent with business necessity” under the ADA. The court disagreed, holding that a drug test does not become a medical examination simply because the drug test revealed the potential use of legal drugs. The court similarly rejected Mr. Turner’s argument that the MRO’s discussion with him about his use of medications violated the ADA as being an impermissible disability-related inquiry.

Second, the court rejected Mr. Turner’s argument that the district court erred in granting summary judgment to Phillips 66 on his “traditional” and “regarded as” ADA disability discrimination claims. The court affirmed the district court’s determination that Phillips 66 had set forth a legitimate, non-discriminatory reason for Mr. Turner’s termination—that is, his positive drug test—and that Mr. Turner had failed to show pretext. While Mr. Turner attempted to argue that he did not need to show pretext as his evidence was direct, the court rejected that argument, finding that it did not meet the requirement that direct evidence must show, without inference, that the employment action was taken as a result of the employee’s disability. Because Mr. Turner failed to articulate or even argue pretext, the court held that his disability discrimination claims under the ADA failed.
https://www.lexology.com/library/detail.aspx?g=c8986a4e-98d9-4a37-ae86-ed1d96f0415c&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2019-10-23&utm_term=

 

International Developments

European Court Ruling Spells End of Pre-Ticked Cookie Consent Forms Under GDPR
The Court of Justice of the European Union (Curia) has made a ruling with far-reaching consequences for digital advertisers and media owners: pre-ticked forms for cookies on websites have been ruled incapable of legally gathering consent to track consumers. Weeks after a tense Dmexco conference, where the consent framework was questioned alongside the broader legality of programmatic advertising’s real-time bidding, this issue boiled over during a legal case against lottery site Planet 49, which requests players to consent to pre-ticked cookies to access its game. Its pre-ticked cookie boxes (favored by countless websites after the introduction of GDPR) did not legally gather consent, found the court. Instead users must actively opt-in to have each company (sometimes in their hundreds) follow them across the web. The German Federation of Consumer Organizations challenged the lottery. German courts then bumped the ruling up to the Court of Justice to interpret EU law. The judgement passed Monday (1 October) in a case that has lasted more than a year. It read: “The court decides that the consent which a website user must give to the storage of and access to cookies on his or her equipment is not validly constituted by way of a pre-checked checkbox which that user must deselect to refuse his or her consent.

“That decision is unaffected by whether or not the information stored or accessed on the user’s equipment is personal data. EU law aims to protect the user from any interference with his or her private life, in particular, from the risk that hidden identifiers and other similar devices enter those users’ terminal equipment without their knowledge.” The user interface did not allow clear access to analyze cookie partners, nor did it inform users that third party cookies may have access (or for how long). And finally, consent was manufactured to provide access to a gambling game that births ethical if not legal concerns about how advertisers could manufacture consent in the future.

Rowly Bourne, founder of Rezonence, home of the FreeWall solution, helping publishers monetize audience data, said: “If you can no longer auto-opt people in, then adtech is going to have a real problem, because consumers do not have a clue who 99% of the 7,040 adtech vendors are. After all, most people think Adobe makes PDFs. So no one will actively opt-in to companies they have not heard of. And this will end up shining a light on how consent is achieved in the app-industry. “This is only going to give further ammunition to the ICO, who already highlighted their concerns regarding consent in their ‘Update report into adtech and real time bidding’.” Bourne sees a “good opportunity for publishers, as consumers know who they are, and will opt-in”. There’s also an opportunity for companies like Rezonence “who believed explicit consumer consent was going to be the conclusion from the GDPR are now well placed”.

The Next Web reported that the decision even rendered the Curia press release page for the ruling illegal, because of its pre-ticked consent boxes. It appears that the web user experience will be further eroded in the name of user privacy with more strident cookie checks being implemented. On the other hand, web users may have been dissuaded from opting out of cookies previously due to the sheer length of time it takes to un-tick pre-selected boxes.
https://www.thedrum.com/news/2019/10/02/european-court-ruling-spells-end-pre-ticked-cookie-consent-forms-under-gdpr

What U.S. Investors Need to Know About Mexican Labor Law
If you are a human resources manager or an in-house labor lawyer for a U.S. company that is doing business or contemplating doing business in Mexico, you do need to be aware of key differences between U.S. and Mexican labor laws. First, and foremost, there is a presumption under Mexican law that all employment contracts are permanent and employees can only be terminated for just cause. An employee who is discharged without cause is entitled to three months’ salary, back wages, plus 20 days’ pay for each year of service, and any accrued salary and bonuses. Employees are also entitled to severance payments equal to 12 days’ salary for each year of service. The 2012 reforms to Mexico’s labor laws, however, did introduce additional hiring options for employers, such as trial employment periods and initial training periods. These reforms have added some flexibility for employers, especially foreign investors who sometimes need to hire large numbers of employees in a short amount of time. U.S. investors also need to be careful about using employees of contractors. Under the Mexican Labor Code, outsourced employees of a service provider (1) may not perform all activities carried out in the contracting party’s workplace; (2) must perform a specialized type of service; and (3) may not perform tasks equal or similar to those being carried out by the rest of the contracting party’s employees. As for dealing with Mexican labor unions, investors need to understand that Mexican labor law is currently undergoing a dramatic transformation. While historically, unions were often co-opted by either the governing political party or Mexico’s business class, under Mexico’s new labor law, employees are supposed to have real collective bargaining rights and a bargaining representative of their choice. In fact, earlier this week, Lopez Obrador met with a delegation of Democrats from the United States House of Representatives and vowed to enforce the new labor laws. 
There have been some concerns that the new law could create scenarios—at least initially—where multiple unions compete (hopefully peacefully) to represent employees in the same workplace.
https://www.lexology.com/library/detail.aspx?g=99a8c596-73a0-434f-9aa1-01b5ab849d38&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2019-10-16&utm_term=

Identification, Analysis, and Prevention of Psychosocial Risks in the Workplace in Mexico
Federal Workplace Safety and Health Regulations, in force since February 2015, require employers to identify psychosocial risk factors, which are those that may cause non-organic anxiety and serious stress or adaptation problems, resulting from the nature of the work, the type of shift and exposure to severe traumatic events or acts of workplace violence.

Employer Obligations
Employers have the following specific obligations in the area of psychosocial risk factors:

  • Identify and analyze activities that may generate risks due to the nature of the work performed or the type of labor shift;
  • Identify employees that have been subject to severe traumatic events or acts of workplace violence and evaluate them clinically;
  • Adopt pertinent preventive measures to mitigate risk factors;
  • Carry out clinical exams or evaluations on personnel that has been exposed to psychosocial risk factors as required;
  • Inform employees of possible alterations to their health due to exposure to psychosocial risk factors; and
  • Keep registries on preventive measures adopted and on results of clinical exams or evaluations.

Among the aspects that must be considered within psychosocial risk factors are hazardous or unsafe work conditions, work that demands high responsibility or work that requires intense concentration and attention for prolonged periods of time.

NOM-035
Mexican Official Standard NOM-035-STPS-2018 (“NOM-035”) establishes guidelines for identifying and analyzing psychosocial risk factors in the workplace. It will become effective on October 23, 2019 and establishes different obligations for employers, taking into account the number of employees in a workplace. In all workplaces, employers are required to establish in writing as well as implement, maintain and divulge a policy to prevent psychosocial risk factors. The policy should contemplate (a) prevention of psychosocial risk factors, (b) prevention of labor violence and (c) promotion of a favorable organizational environment.

In workplaces having 50 employees or more, employers are required to analyze psychosocial risk factors applying the guides established by NOM-035. Representative samplings may be carried out. The following elements must be taken into account to identify and analyze psychosocial risk factors:

  • Workplace conditions;
  • Workloads;
  • Lack of control over the work;
  • Work shifts and rotation if these exceed those established by the Federal Labor Law;
  • Interference in the work-family relationship;
  • Negative leadership and negative work relations;
  • Labor violence (harassment, bullying and other negative practices);
  • Evaluation of a favorable work environment.

Once psychosocial risk factors have been analyzed and identified, employers must adopt the preventive and control actions established by NOM-035.

Possible Penalties for Lack of Compliance
According to the Federal Labor Law, if an employer fails to comply with legal obligations in the area of safety, health and risk prevention, a workplace may be fined for every article or provision that is breached as well as for each employee affected in his or her health or safety. Fines may be for very large amounts and this is why it is important for companies to develop plans to comply with their obligations in the area of safety and health in the workplace.
https://www.lexology.com/library/detail.aspx?g=e8581a6a-4fb6-42ff-a498-2f0cb3d41cf0&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2019-10-30&utm_term=

Peterborough is the First Council to Roll Out Fingerprint Drug Testing for Family Safeguarding
Peterborough City Council has become the first local authority in the UK to fully adopt fingerprint-based drug testing as part of its family safeguarding social care policy. The Intelligent Fingerprinting portable drug testing system detects drug use through fingerprint sweat analysis. The council adopted the system to encourage service users to abstain from drug use and to adhere to family court custody conditions or social care child protection arrangements. Peterborough’s safeguarding teams work with locals who have a history of drug abuse that may impair their ability to look after children in their care. The council said that people who use the service have been “very positive” about the test because of its non-invasive nature and that it was “good for building trust and transparency”. The test features a small, tamper-evident drug screening cartridge onto which 10 fingerprint sweat samples are collected, in a process which takes less than a minute. The Intelligent Fingerprinting portable analysis unit then reads the cartridge and provides a positive or negative result on-screen for all drugs in the test in 10 minutes.

Previously, clients were required to visit a special clinic for drug testing—introducing delays and discouraging some people from engaging with the Family Safeguarding teams, the council said.

Better Meetings
Jo Foster, head of service for family safeguarding at the council, said: “With sample collection in seconds and results in 10 minutes, the immediacy of the fingerprint-based drug testing approach certainly makes for much more informed and engaged client meetings. “There is also a significant efficiency saving across the process, as results can be shared more quickly with third party agencies as required—enabling a much more collaborative working process between the council, social workers and representatives of the family court. “We’re finding that being able to complete tests and share results during meetings really helps in terms of building trust, while removing the requirement to conduct traditional urine, blood or saliva tests separately also makes the process much more transparent.” Harrow Council, in London, has also conducted trials of the technology, which is expected to be adopted by more local authorities next year.
https://inews.co.uk/news/health/peterborough-city-council-fingerprint-drug-testing-social-care-815245

Employee Data Protection in Belgium
The protection of personal data concerning employees is regulated by, among others, the GDPR.

The GDPR lays down certain conditions that have to be met when an employer wants to collect or process personal data. The processing of data is only allowed for legitimate purposes, like the good execution of the employment contract, internal communication or the processing of data in connection with recruitment practices. The processing of data is also allowed with the voluntary authorization of the employee. The employer will have to keep a register of processing operations, which will include the following information on personal data: the purpose of processing the data; what data is being processed and the person to whom it belongs; who receives the data, including those outside the European Union; how long the employer keeps the data; and how the employer protects the data. The employer must, in certain cases, also appoint a data protection officer, who will supervise compliance with the GDPR. There are also means for the employees to control the processed data and, if necessary, request the correction of incorrect data.

Biological tests, medical examinations or other reasons for gathering medical information (orally) regarding the state of health of an employee or a job candidate (or of their family) may only be performed for reasons relating to the actual state of health of an employee with regard to the specific requirements of the job. Predictive genetic examinations and AIDS/HIV tests are prohibited. It is forbidden to gather data that could indicate racial or ethnic origin, political opinions, religious or philosophical convictions, membership of trade unions, or information concerning the sex life of citizens in general. The same applies to employees. The processing of sensitive personal data is allowed if it is necessary for specific reasons, such as public interest, legal claims, labor law and social security.
https://www.lexology.com/library/detail.aspx?g=9df07916-73af-4d1a-a17e-098008349920&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2019-10-30&utm_term=

Ireland – €150,000 Fine for Employer Relying on Consent as Basis for Processing Personal Data
The Hellenic Data Protection Authority (HDPA) recently fined an employer €150,000 and ordered the company to take corrective actions following an investigation that uncovered breaches by the company of Article 5 of the GDPR.
http://campaign.r20.constantcontact.com/render?m=1101484724288&ca=a9f4a4a0-4f01-479c-854b-7cfdf7a58fd7
Full Article: https://www.littler.com/publication-press/publication/littler-global-guide-ireland-q3-2019

Sweden’s First GDPR Fine Sets Regulatory Tone
Sweden has seen its first fine issued under the General Data Protection Regulation (GDPR), which was imposed on an upper secondary school, according to the country’s Data Protection Authority (DPA).

Some fear that the fine, of about SEK200,000 (£16,000), could make organizations more cautious about implementing digital technologies, but there has been support for the DPA’s stance.
http://campaign.r20.constantcontact.com/render?m=1101484724288&ca=a9f4a4a0-4f01-479c-854b-7cfdf7a58fd7
Full Article: https://www.computerweekly.com/news/252472366/Swedens-first-GDPR-fine-sets-regulatory-tone-tine

 

Miscellaneous

CFPB Issues Report – Highlights Regulatory Interest in Background Screening Accuracy
Showing its continuing regular focus on the background screening industry, on October 3, 2019, the Consumer Financial Protection Bureau (CFPB) published a report, entitled Market Snapshot: Background Screening Reports. The report highlights the increased demand for background screenings by employers as well as consumer challenges that may arise from their use given the vast array of data sources and consumer reporting agencies. The report follows an announcement by the Federal Trade Commission (FTC) and CFPB of a joint workshop to be held in December 2019 on issues affecting the accuracy of both traditional credit reports and employment and tenant background screening reports. The workshop will include industry representatives, consumer advocates, and regulators. While the CFPB report does not explicitly indicate future regulatory action, it underscores regulators’ interest in oversight of the background screening industry.

Summary of the Report
The report details common reporting challenges that can result in adverse outcomes for consumers, especially as it pertains to reporting criminal records. Challenges highlighted include:

  • Inconsistent systems for information collection across sources. For example, court systems’ access to public records, including criminal records, may vary among jurisdictions. Courts also may use varying terminology to describe the same public record.
  • The lack of unique identifying information which can result in improperly affiliating consumers with someone else’s information. In other words, some courts impose policies relating to redacting personal identifying information on public records, which makes it more difficult to match a particular consumer to a record and thus can lead to false matches.
  • Duplicative reporting of criminal records, which results in multiple listings of the same convictions or arrests, leaving the impression a consumer has multiple offenses.
  • Out of date, expunged, or sealed criminal information. For example, expunged records pose a particular problem because it is typically difficult to determine based on court records which cases have been expunged.
  • The inability of consumers to review reports or the underlying information prior to the information being received by employers. Given that there are several thousand background screening firms that employers may use, consumers likely cannot identify the specific firm that a particular employer may use. Even if the background screening firm can be identified, the firm may not have information on the consumer or may not be able to provide the same information to the consumer as provided to the employer.
  • Delays in updating information possessed by consumer reporting agencies. If, for example, an error exists in a court record itself, the process for the consumer to resolve the error varies by court and can be difficult and time-consuming.

In the report, the CFPB also touches on three recent developments in consumer reporting accuracy. First, the report highlights how background screening firms are utilizing technology involving machine learning and greater access to consumer data to verify identities and match criminal records. According to the report, companies may use staff or algorithmically driven database searches to determine whether there is a “hit” in the database.

Second, the report references new and expanded state expungement laws, which expand criminal records eligible for expungement. It notes a recent Pennsylvania law that requires that certain offenses be automatically sealed from public view after 10 years. Further, it references the adoption by Minnesota and Pennsylvania of the “lifecycle file”—an agreement by subscribers of those states’ contracts for bulk data purchases to update files on a near real-time basis with court records that reflect expungement and other events. Subscribers are also subject to court audits of their data.

Finally, the report states that as of early 2019, 35 states, the District of Columbia, and over 150 cities and counties, have adopted a “Ban-the-Box” or similar law that prohibits prospective employers from inquiring about an applicant’s criminal history until after an initial offer has been made. According to the report, the background screening industry has expressed concern regarding inconsistent variations of policy on the state and local level.

Key Takeaways From the Report and Proposed Workshop
The report provides a general overview of consumer report accuracy issues. While it does not provide any specific CFPB guidance, it does highlight the agency’s interest and concerns with respect to accuracy in consumer reports. Background screening companies should carefully review the challenges highlighted by the CFPB as they could be the subject of future regulatory action.
https://www.lexology.com/library/detail.aspx?g=393e8553-2555-43bc-92f9-dbe4d1badaed&utm_source=Lexology+Daily+Newsfeed&utm_medium=HTML+email+-+Body+-+General+section&utm_campaign=ACC+Newsstand+subscriber+daily+feed&utm_content=Lexology+Daily+Newsfeed+2019-10-09&utm_term=
