December 7, 2018
FTC Gives Final Approval to Settlements with Four Companies Related to EU-U.S. Privacy Shield
The Federal Trade Commission has given final approval to settlements with four companies over allegations that they falsely claimed certification under the EU-U.S. Privacy Shield framework. In separate complaints, the FTC alleged that IDmission, LLC, mResource LLC (doing business as Loop Works, LLC), SmartStart Employment Screening, Inc., and VenPath, Inc. falsely claimed to be certified under the EU-U.S. Privacy Shield, which establishes a process to allow companies to transfer consumer data from European Union countries to the United States in compliance with EU law. The FTC alleged that IDmission applied for Privacy Shield certification but never took the necessary steps to complete its certification under the program. The company claimed on its website, however, that it complied with the EU-U.S. Privacy Shield framework. According to the FTC complaints, SmartStart, VenPath, and mResource each certified to the Privacy Shield in 2016 but allowed their certifications to lapse. Despite this, all three companies continued to claim that they participated in the Privacy Shield program. The FTC further alleges that VenPath and SmartStart failed to abide by the Privacy Shield requirement that companies that stop participation in the Privacy Shield affirm to the Department of Commerce that they will continue to apply the Privacy Shield protections to personal information collected while participating in the program.
As part of the proposed settlements with the FTC, all four companies are prohibited from misrepresenting the extent to which they participate in any privacy or data security program sponsored by the government or any self-regulatory or standard-setting organization and must comply with FTC reporting requirements. In addition, VenPath and SmartStart must continue to apply the Privacy Shield protections to personal information they collected while participating in the program, protect it by another means authorized by the Privacy Shield framework, or return or delete the information within 10 days of the order. After receiving no comments, the Commission voted 4-0-1 to give final approval to the settlements with the four companies.
New Orleans City Council Passes Ban the Box Ordinance
On October 18th, the New Orleans City Council passed a Ban the Box ordinance that prohibits the city and contractors from asking job applicants about their criminal history on initial job applications. The ordinance will take effect on March 1st, 2019. The city passed a similar ordinance in 2014 for classified and unclassified jobs in certain city positions, and the proposed ordinance extends this to “all entities with a city contract, grant, or cooperative endeavor agreement.” New Orleans still plans to “conduct criminal background checks on all candidates and make final hiring decisions for people with records in light of other relevant information, including experience, the seriousness of any past conviction, when the incident took place and what has occurred in the applicant’s life since then.” https://council.nola.gov/home/
N.C. – Duke’s Move to ‘Ban the Box’ Follows Trend Established by Other Universities, States
By “banning the box”—and therefore no longer requiring applicants to disclose their criminal records when initially applying—Duke follows a number of similar policies adopted at other colleges. The move came after other university systems such as the State University of New York system and the University of California system banned the box for all job applicants in September 2016 and July 2017, respectively. Louisiana and Maryland have also instituted statewide bans disallowing colleges from asking about crimes during the application process, and the Common Application is set to follow suit for next year’s college application season. The policy does not completely remove criminal records from being considered in the hiring process, said Philip Cook, ITT/Sanford professor of public policy. He explained that the “ban the box reform allows applicants with a [criminal] record to have a better chance of making it to the second round of the review process” where they may otherwise get routinely screened out. However, background checks will still be conducted at the offer stage for finalist job applicants at Duke. The city of Durham in 2011 and Durham County in 2012 banned the box for public employment and independent contractors. As of 2014, people with criminal records hired by the city of Durham had increased nearly sevenfold, and those hired by Durham County tripled. Since Duke is the leading employer in Durham County, Cook noted that this policy is a step in the right direction and would be an impactful move for local Durham residents who have a criminal record. As of 2018, more than 150 cities and counties and 33 states have adopted Ban the Box legislation, with 11 of the 33 states also removing the box from private employer applications, according to the National Employment Law Project. 
Although North Carolina has no statewide ban the box policy, several cities and counties including Asheville, Buncombe, Carrboro, Charlotte, Cumberland County, Durham, Durham County, Forsyth, Mecklenburg, Spring Lake, Wake County, Wilmington and Winston-Salem have banned the box for government and public employment applicants. “Employers are impacted by not only federal, but state and municipal requirements,” Cavanaugh wrote. “Several of our peers have been impacted by more local requirements.”
Medical Marijuana in Missouri: New Law Brings New Questions for Employers
Missouri voters approved Amendment 2 on Election Day 2018, one of the three medical marijuana measures appearing on the state’s ballot. Amendment 2 adds an article to the Missouri Constitution legalizing medical use of marijuana for qualifying patients and allowing people who qualify to grow their own plants. With a new law comes new questions about how this development will affect workplaces across the state.
What is Amendment 2?
Amendment 2 makes Missouri one of the 33 states in the country that have legalized marijuana to some degree. Amendment 2 does not change federal law, which continues to classify marijuana as illegal under the Controlled Substances Act, even if it is used for medical reasons.
Under the new Missouri law, qualified patients who have approval from their physician will receive identification cards from the Missouri Department of Health and Senior Services that will allow them and their registered caregivers to grow up to six marijuana plants and purchase at least four ounces of cannabis from dispensaries on a monthly basis.
Do I have to let my employees work while high?
No. Missouri employers may continue to enforce their drug-free workplace policies prohibiting employees from working under the influence of marijuana even after the new law takes effect. In fact, employers will be pleased with the express language in Amendment 2 which provides a safety net for employers. The new law specifically prohibits employees from filing claims against Missouri businesses for wrongful discharge, discrimination, or similar causes of action based on the employer prohibiting the employee from being under the influence of marijuana while at work or disciplining the employee for working or attempting to work while under the influence of marijuana.
Can employees consume marijuana at work?
No. The express language of the amendment also prohibits public use of marijuana.
Can I still drug test applicants and employees?
Yes. The new law does not prevent you from drug testing potential or current employees. If you have a drug testing policy and practice, you should continue to follow that policy and enforce your disciplinary policies as you would no matter what kind of illegal drug shows up in the individual’s system.
If you employ individuals in safety-sensitive positions or other jobs that require drug testing under federal or state guidelines, you will almost certainly want to continue your current drug testing practices. In some cases, you may be required to do so under federal law, such as the Department of Transportation (DOT) regulations. In other cases, you will want to do so in order to avoid the risk of having one of your employees cause an accident involving members of the public, co-workers, or simply themselves, which could lead to devastating consequences and employer liability.
In fact, the Missouri law specifically states, “nothing in [the law] permits a person to operate, navigate, or be in actual physical control of any dangerous device or motor vehicle, aircraft or motorboat while under the influence of marijuana.”
Is medical marijuana use a reasonable accommodation in Missouri?
It’s too soon to tell. Amendment 2 does not address this issue and we cannot predict how a Missouri court would rule in cases involving reasonable accommodations for qualified patients using medical marijuana. Although the answer is left open to debate, employers will need to explore “what-if” scenarios.
When will the new law take effect?
The election results still need to be certified by the Secretary of State’s office before the law will become official, which is expected to take place on or around December 6. The Missouri Department of Health will then be tasked with developing regulations to implement the law, and it needs to complete that process by June 2019. At that point, however, additional administrative requirements might mean that another six months pass before the first prescriptions can be issued. In other words, you might not see your first applicant or employee with a valid medical marijuana card until late 2019 or even early 2020.
Chicago Park District Releases Report on Background Screening Policies
On November 15th, the Chicago Park District’s Inspector General released a report that found that the district failed to follow its background screening policies by failing to consistently screen volunteers. The report recommended that the park district “initiate a top-to-bottom evaluation of its volunteer program and enact policies that ensure the prompt and complete processing and tracking of all volunteers.” An average of 30 percent of active volunteers did not undergo a background check and many volunteers were never screened. The review also found that volunteers were only screened for criminal convictions in Illinois. As a result of the report, the Chicago Park District “is currently working on implementing automated volunteer management, instituting more comprehensive background checks and updating its policies and ability to track compliance.”
Immunity from Lawsuits Under the FCRA
On October 11th, the U.S. District Court for the District of Columbia ruled that states are immune from lawsuits under the Fair Credit Reporting Act (FCRA) in Pendergrass v. Washington Metropolitan Area Transit Authority (WMATA). Plaintiff Galen Pendergrass alleged that WMATA’s criminal background check policy was discriminatory after his job offer was rescinded following a background check that found a conviction for a nonviolent offense. Pendergrass claimed that WMATA’s policy had a “disparate impact” on African-American candidates due to their historically higher rate of criminal convictions. The case was dismissed because the court held that WMATA’s hiring policies are governmental decisions that are immune from lawsuits and decisions concerning the hiring of WMATA employees are “immune from judicial review.” The court also held that neither the governments that chartered WMATA nor Congress abrogated immunity to FCRA claims. The case is Pendergrass v. Washington Metropolitan Area Transit Authority, Civil Action No. 18-622, in the U.S. District Court for the District of Columbia.
Stanford University Facing New FCRA Class Action
Stanford University is facing a new FCRA class action with, potentially, over a thousand class members. And it’s not the first time Stanford has faced these claims. According to the class action complaint in Richards v. Leland Stanford Junior University et al., Theresa Richard applied and was hired to work as a dining hall worker at Stanford University. During the application process, Ms. Richard completed Stanford’s standard application form, which permitted Stanford to obtain a consumer report on Ms. Richard’s background. The clause in question provided:
I authorize a thorough investigation of my prior employment, education background, criminal record and, where applicable to a position, credit check and/or driving record. I agree to cooperate in such an investigation, to execute any consent forms required in connection with those investigations, and release form [sic] all liability and responsibility all persons or entities requesting or supplying such information. I understand that employment is conditional based on investigation results.
Ms. Richard’s class action complaint alleges that Stanford both failed to make a proper disclosure and failed to get proper authorization under the Fair Credit Reporting Act. Specifically, Ms. Richard cites to 15 U.S.C. § 1681b(b)(2)(A)(i) and (ii), which provide:
Except as provided in subparagraph (B), a person may not procure a consumer report, or cause a consumer report to be procured, for employment purposes with respect to any consumer, unless—
15 U.S.C. § 1681b(b)(2)(A)(i). The complaint seeks statutory damages of up to $1,000 per violation, punitive damages, attorney’s fees and costs. Stanford’s exposure here may be significant: Ms. Richard’s claims assert potentially thousands of violations of the Fair Credit Reporting Act and more than one thousand class members.
Notably, this isn’t the first time that Stanford has faced FCRA claims for the disclosures in their application forms. In 2015, Stanford faced precisely the same claims from another employee.
In Lagos v. Leland Stanford Junior Univ., the plaintiff brought a class action complaint, asserting the same FCRA claims as Ms. Richards. Lagos survived a motion to dismiss in that case. No. 5:15-CV-04524-PSG, 2015 WL 7878129, at *2 (N.D. Cal. Dec. 4, 2015).
Court Grants Final Approval of $1.2M FCRA Class Action Settlement Against Petco
On November 16, the United States District Court for the Southern District of California granted final approval of a $1.2 million Fair Credit Reporting Act class action settlement against Petco Animal Supplies, Inc. A putative class action was filed against Petco in June 2016, challenging the company’s form of disclosure for employment background checks. The complaint alleged that the background check disclosure was “hidden” among other pages of “fine print” and did not constitute the “stand alone” disclosure required by law. After more than two years of litigation, including discovery and motions practice, the parties reached a class settlement.
The key terms of the settlement are as follows:
New Data Breach Reporting Requirements Under PIPEDA Come into Force This Week
Businesses have new obligations under breach of security safeguards rules coming into force this week, says the Canadian Federal Privacy Commissioner. Changes to Canada’s federal private sector privacy law will require organizations to report certain breaches of security safeguards to the Commissioner’s office and to notify those affected. The Office of the Privacy Commissioner of Canada has published guidance to help businesses comply with the new requirements as well as a new reporting form.
Under the new regulations for organizations subject to the Personal Information Protection and Electronic Documents Act, which come into force November 1, organizations must:
Privacy International Files GDPR Complaints Against Companies
Privacy International (“PI”) has filed complaints against seven companies including Experian, Equifax and Oracle for alleged contravention of the GDPR. The rights group is hoping to highlight what it believes is illegal use of customer data, particularly for profiling purposes. It’s part of a wider campaign designed to make it easier for consumers to demand companies delete their data under the new legislation. The complaints—based on 50 Data Subject Access Requests and information gathered from the companies’ privacy policies and marketing material—also target data broker Acxiom, and ad-tech firms Criteo, Quantcast and Tapad. According to PI, the companies’ practices have breached the GDPR principles of transparency, fairness, lawfulness, purpose limitation, data minimization, and accuracy. The firms also allegedly have no legal basis for using data in the way they do, a key requirement of the GDPR. PI claims that neither consent nor legitimate interest is applicable in these cases, and there’s no basis for processing sensitive data. Specifically, PI claimed that they failed to demonstrate consent was “freely given, specific, informed, and unambiguous,” and in the case of legitimate interest they have twisted the meaning to fit their own interests without considering the impact on individuals’ rights, according to PI. The GDPR sets clear limits on the abuse of personal data. PI’s complaints set out why they consider these companies’ practices are failing to meet the standard.
The U.S. Virgin Islands Joins the Ban the Box Movement
On November 10, 2018, the U.S. Virgin Islands joined the “ban-the-box” movement by enacting legislation regulating employers’ use of the criminal records of applicants and employees. Currently, 32 states and over 150 localities have enacted such laws for public employers; approximately 12 states and 17 localities have extended such laws to private-sector employers, and some jurisdictions have extended such laws to government contractors. The Virgin Islands law, Act No. 8134:
The law applies to public and private employers of all sizes, except if:
In addition to these general exceptions, the law does not prohibit an employer at a health facility, as that term is elsewhere defined under Virgin Islands law, from asking applicants for positions with regular access to patients or with access to drugs and medications to disclose arrests for violations of certain territorial laws. The law also does not cover individuals seeking employment or employed as peace officers, or applicants for positions in the Virgin Islands Department of Justice or other criminal justice agencies.
Comparison With Other State and Federal Laws
The Virgin Islands prohibition relating to arrest records is generally consistent with U.S. Equal Employment Opportunity Commission (EEOC) Enforcement Guidance No. 915.002, which adopts the position that an arrest record, by itself, is not job related and consistent with business necessity. However, whereas the EEOC Guidance provides that an employer may inquire into the conduct underlying the arrest to determine an applicant’s fitness for a particular position, the Virgin Islands law prohibits employers from inquiring into “information concerning” an arrest, which appears to include the conduct underlying the arrest. In this respect, the Virgin Islands law seemingly is stricter than the federal guidance. The Virgin Islands law is also more restrictive than ban-the-box laws in many jurisdictions because it extends beyond the hiring process and includes promotions, selections for training programs, and decisions that affect any other conditions of employment. On the other hand, unlike the laws in other states and localities that regulate the timing of employer inquiries about convictions, the Virgin Islands law does not prohibit or otherwise regulate inquiries about convictions that have not been ordered sealed or judicially dismissed. Therefore, in accordance with federal law and guidance, employers in the U.S. Virgin Islands may inquire about criminal convictions of record when such inquiries are job related and consistent with business necessity, taking into account the nature and gravity of the offense, the time passed since the offense, and the nature of the job held or sought. 
Thereafter, and before taking adverse action, the EEOC guidance advises employers that rely upon such targeted screening inquiries to provide an opportunity for an individualized assessment by notifying the applicant or employee that the employer is considering taking adverse action, providing the individual an opportunity to demonstrate that the conviction should not be disqualifying and then considering whether any additional information supplied justifies an exception to the employer’s policy.
Privacy & What is Reasonable? OPC Inappropriate Data Practices Guidelines are Now Being Applied
In May, the Office of the Privacy Commissioner of Canada (the “OPC”) introduced Guidance on inappropriate data practices: Interpretation and application of subsection 5(3) (the “Inappropriate Data Practices Guidelines”). The Guidelines interpret Subsection 5(3) of PIPEDA:
An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.
Applying this subsection requires a balancing of interests between the individual and the organization, and this analysis should be viewed through the eyes of a reasonable person. The OPC is of the opinion that the following purposes for collection, use or disclosure of personal information would generally be considered “inappropriate” by a reasonable person and therefore are currently considered to be offside PIPEDA.
It is important that businesses be familiar with the Guidelines, as the OPC began applying them in July.
If a company in the United States uses a service provider that is located in Europe, does it risk subjecting itself to the GDPR?
The European Union’s General Data Protection Regulation (“GDPR”) is arguably the most comprehensive—and complex—data privacy regulation in the world. Although the GDPR went into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR. The GDPR applies to companies that process data “in the context of the activities of an establishment…in the Union.” Although the regulation does not offer a precise definition of what it means to be an “establishment,” the recitals to the regulation state that an establishment “implies the effective and real exercise of activity through stable arrangements.” This language has led many American companies to be concerned that using a service provider in Europe might be viewed as a “stable arrangement” that brings American companies, inadvertently, within the jurisdiction of the GDPR. The European Data Protection Board has addressed this concern by stating that it “deems that a processor in the EU should not be considered to be an establishment of a data controller…merely by virtue of its status as processor.” As a result, an American company “will not become subject to the GDPR simply because it chooses to use a processor in the [European] Union.” Although American companies are not infected with the GDPR simply because they send their data to European processors, it is important to note that European service providers are, themselves, subject to the GDPR when handling the American data. The net result is that while an American company may not need to comply with the GDPR, its European provider is independently “required to comply with the obligations imposed on processors by the GDPR.”
Draft GDPR Territorial Scope Guidelines Released
The European Data Protection Board (EDPB) has released draft Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) for public consultation and is welcoming comments until January 18, 2019. These guidelines have been long awaited by Canadian-based companies that, while having no physical presence in the EU, have been struggling to determine whether they are subject to the GDPR anyway by virtue of Article 3(2), which extends the application of the GDPR to controllers and processors not established in the Union but that (a) offer goods or services to EU data subjects or (b) monitor their behavior which takes place in the EU. In relation to Article 3(2), the guidelines recommend a two-fold approach:
Data Subjects in the EU
In determining whether data subjects are in the EU, the guidelines highlight the following:
Offering of Goods or Services to EU Data Subjects
In determining whether goods and services are being offered to EU data subjects, the guidelines list factors that could inter alia be taken into consideration, possibly in combination with one another:
The guidelines go on to state that “[s]everal of the elements listed above, if taken alone may not amount to a clear indication of the intention of a data controller to offer goods or services to data subjects in the Union, however, they should each be taken into account in any in concreto analysis in order to determine whether the combination of factors relating to the data controller’s commercial activities can together be considered as an offer of goods or services directed at data subjects in the Union.” Finally, in relation to the offering of goods or services to EU data subjects, the guidelines emphasize that: “It is however important to recall that Recital 23 confirms that the mere accessibility of the controller’s, processor’s or an intermediary’s website in the Union, the mention on the website of its e-mail or geographical address, or of its telephone number without an international code, does not, of itself, provide sufficient evidence to demonstrate the controller or processor’s intention to offer goods or a services to a data subject located in the Union.”
Monitoring of EU Data Subjects’ Behavior
As for monitoring the behavior of EU data subjects that takes place in the EU, the guidelines state that: “The EDPB does not consider that any online collection or analysis of personal data of individuals in the EU would automatically count as “monitoring”. It will be necessary to consider the controller’s purpose for processing the data and, in particular, any subsequent behavioral analysis or profiling techniques involving that data.” The guidelines identify the following activities as examples of “monitoring”:
In addition to clarifying the scope of application of Article 3(2), the guidelines also describe the meaning of the “establishment” criterion within the meaning of Article 3(1) and offer further clarity on situations where a controller is not established in the EU but is in a place where Member State law applies by virtue of public international law, and therefore is subject to GDPR by virtue of Article 3(3).
No Double-Dipping Under FCRA
In an oldie but goodie, an FTC blog from February 2017 warns employers who rely on credit checks not to double-dip. In other words, if an employer requests a consumer report for one purpose, the employer should not then use the report for another purpose. The FTC explains that, when an employer receives a consumer report from a CRA, it must certify to the CRA the purpose for which the report will be used, and the report should only be used for that purpose. The FTC provides two examples: “if you get a report for a membership determination, you can’t then use it to make a credit decision. Or if you get a report to determine eligibility for a government benefit, you can’t then give it to a different government agency to make another eligibility determination.” The importance, according to the FTC? Transparency. Consumers cannot accurately track how their credit information is being used when a single credit report is used for multiple purposes.
Port Authority Won’t Ask About Criminal History in Initial Job Applications
Port Authority has joined many government agencies across the country that have quit asking potential hires, on their initial application, whether they have a criminal record. Port Authority spokesman Adam Brandolph said the agency eliminated the box about a criminal record from its standard job application Nov. 14. The agency has about 2,600 employees and fills about 250 positions each year. Pittsburgh and Allegheny County took the question off their job applications more than four years ago. Port Authority also eliminated a question about an applicant’s previous salary, Mr. Brandolph said. The agency often used that information as a base, offering a candidate 5 percent more than the listed salary if the person was someone the authority wanted to hire. Mr. Brandolph said that question was eliminated because the agency thought that some groups, such as women, had previously been discriminated against and unfairly received lower salaries, meaning such discrimination would be perpetuated with just a 5 percent raise. Now, the agency sets a salary for the job regardless of an applicant’s salary history.