December 2022 SCREENING COMPLIANCE UPDATE

ClearStar is happy to share the below industry related articles written by subject matter experts and published on the internet in order to assist you in establishing and keeping a compliant background screening program.

FEDERAL DEVELOPMENTS

Motor Carrier Employers May Conduct Safety Performance History Investigations in FMCSA Clearinghouse as of January 6, 2023

Beginning January 6, 2023, motor carrier employers subject to the regulations of the Federal Motor Carrier Safety Administration (FMCSA) may conduct part of the safety performance history investigation that is required for all driver-applicants in the FMCSA Clearinghouse. Specifically, employers are required by 49 CFR § 391.23(e)(1) – (3) to obtain information about a driver-applicant’s drug and alcohol violations that occurred in the last three years. Previously, employers were required to contact directly all U.S. Department of Transportation (DOT)-regulated employers that employed the driver-applicant in the past three years to gather that information. Now that the FMCSA Clearinghouse has been in existence for three years as of January 6, 2023, employers may satisfy this requirement (as to prior FMCSA-regulated employers) by conducting searches in the FMCSA Clearinghouse on and after that date.

Employers should take note of the following important issues, however:

• The Clearinghouse contains only information reported by FMCSA-regulated employers. So, if an applicant previously worked for an employer that is regulated by another DOT agency, such as the Federal Railroad Administration, Federal Transit Administration, Federal Aviation Administration, etc., the employer still will need to contact each of those employers directly to obtain the required information.
• In addition, employers should be aware that they still will need to contact directly an applicant’s previous FMCSA-regulated employers for the past three years to obtain the accident history information required by 49 CFR § 391.23(d).

Motor carrier employers also are reminded to conduct the annual queries in the FMCSA Clearinghouse for each CDL driver they employ. Employers can log in to the Clearinghouse to see whether their annual queries are due.

Click Here for the Original Article

Employers May Accept Naturalization Receipts and Expired Green Cards for I-9 Purposes

This week, US Citizenship & Immigration Services (USCIS) announced a policy change that allows employers to accept a receipt notice for a naturalization application along with an expired Permanent Resident Card (a/k/a Green Card) as evidence of employment authorization and identity.

According to USCIS, “Presentation of the Form N-400 receipt notice along with the expired [Permanent Resident Card] is valid, unexpired evidence of LPR status, as well as identity and employment authorization under List A of Employment Eligibility Verification (Form I-9), if presented before the expiration of the 24-month extension period provided in the notice.” This policy change comes as a result of a listening session with its customers and furthers USCIS’ efforts to streamline immigration processing, and to encourage eligible Lawful Permanent Residents to naturalize.

Practically speaking, this policy change means that Lawful Permanent Residents who apply to naturalize do not need to replace an expiring Permanent Resident Card. Before this policy change, a naturalization applicant whose card expired was required to file an application and pay USCIS a filing fee to replace a card that he or she would simply surrender at a naturalization ceremony. Sometimes, USCIS would adjudicate the naturalization application before processing the application to replace the Permanent Resident Card. When this happened, the new US citizen never received a new card. Instead, he or she received a letter from USCIS denying the replacement application because the applicant is no longer a Lawful Permanent Resident.

USCIS will implement this policy by changing the language on the naturalization receipt notice to include language extending the validity of an expired Permanent Resident Card. However, please note that this policy applies to all naturalization applicants with expired Permanent Resident Cards. The naturalization receipt need not contain the extension language to benefit from this policy change.

Employers who encounter employees who present expired green cards and naturalization receipt notices as evidence of employment authorization should seek advice from competent counsel.

Click Here for the Original Article

STATE DEVELOPMENTS

City of Atlanta Adopts New Protections for Criminal History Status, Gender Expression

The Atlanta City Council has amended the City of Atlanta Anti-Discrimination Ordinance to extend protections to citizens on the basis of criminal history status and gender expression in employment, housing, and public accommodations. The City of Atlanta Anti-Discrimination Ordinance was initially enacted in December of 2000.

Criminal History Protection

The new criminal history protection makes it unlawful for Atlanta employers generally to disqualify applicants or single out employees based on their criminal conviction histories, without further individualized consideration.

The rationale for this protection is based on the theory that having a job can reduce an individual’s likelihood for recidivism, allowing the individual to get on with living a productive life. It is unclear how many Atlanta citizens are formerly incarcerated, but Georgia has an incarceration rate higher than the national average and persons of color are overrepresented in prisons and jails, according to the Prison Policy Initiative.

The new Atlanta ordinance provides, however, that employers may consider criminal conviction histories to the extent the criminal history is “related to the position’s responsibilities,” as determined by the evaluation of the following factors:

1. Whether the person committed the offense (g.,a dispositive conviction as opposed to simply an arrest or accusation);
2. The nature and gravity of the offense;
3. The amount of time since the offense; and
4. The nature of the job.

In addition, the Atlanta ordinance expressly provides that employers can follow state or federal mandates that, in effect, create automatic disqualifier for individuals with certain criminal convictions from holding certain positions, e.g., law enforcement. For instance, Georgia law disqualifies persons convicted of a felony consisting of murder, child abuse or neglect, crime against children, spousal abuse, crime involving rape or sexual assault, kidnapping, arson, physical assault, or a drug-related offense in the preceding five years from serving children as child-care providers.

This new ordinance follows the guidance the Equal Employment Opportunity Commission issued a decade ago concerning consideration of criminal records in employment.

The amended Atlanta ordinance adds the new protections to existing provisions on publication of notices or ads indicating a prohibited employment preference, limitation, specification, or discrimination in employment. The only permissible exception is when such a preference, limitation, or specification is a bona fide occupational qualification for employment. This ordinance also expressly provides that employers may still follow state or federal laws that prohibit employment of persons with certain criminal convictions in particularly sensitive positions. Thus, an adverse employment decision based on criminal history status is not considered a per se violation of the law. Since there is no explicit direction, however, on how a job posting might be construed as potential evidence of a violation of the ordinance if it specifically addresses “criminal conviction history,” employers should consult with counsel.

With fair chance initiatives like this growing around the country (e.g., Los Angeles and New York City), multi-state employers need to consider the patchwork of progressive protection given to job postings.

Gender Expression Protection

The Atlanta ordinance protection based on gender expression is in line with recent national developments. In particular, it follows the U.S. Supreme Court holding in Bostock v. Clayton County, 590 U.S. ___, 140 S.Ct. 1731 (2020) (discrimination based on sexual orientation or gender identity constitutes discrimination “because of … sex” in violation of Title VII of the Civil Rights Act), a case which originated in Clayton County, Georgia (considered part of the metro-Atlanta area).

This gender expression protection also shadow’s the January 2021 Executive Order 13988 on Preventing and Combating Discrimination on the Basis of Gender Identity or Sexual Orientation, reaffirming and applying these protections. There is a distinction between sex, assigned at birth based on biological characteristics and documented on a person’s birth certificate, and gender that the World Health Organization defines as “socially constructed roles, behaviors, activities, and attributes that a given society considers appropriate” based on sex.

Implications for Employers

The City of Atlanta non-discrimination laws are in Atlanta’s Charter and Code of Ordinances. Many of the protected classes identified are protected by federal law, but the latest City Council amendments offer broader protection and unlimited potential for recovery for aggrieved individuals. In Atlanta, discrimination is prohibited on the basis of sexual orientation, gender identity, race, color, creed, religion, sex, marital status, parental status, familial status, national origin, age (much broader than the federal protections for persons aged 40 and over), disability (including the use of a trained guide dog by a blind, deaf or otherwise physically disabled person), and, now, criminal history and gender expression.

These non-discrimination laws apply in the workplace to employment decisions made by private employers located in Atlanta with at least 10 employees, as well as contractors doing business with the City of Atlanta as to employment, subcontracting, and union membership decisions and actions. The ordinance does not specify whether application is limited only to employers with a physical presence in the City of Atlanta or whether it also applies to employers physically based outside of Atlanta but who do business within City limits.

There is no administrative prerequisite to filing an action at any time within two years of the occurrence of the alleged act of discrimination or unlawful practice. Private citizens can file a lawsuit in any court of competent jurisdiction to address perceived violations of these protections. Alternatively, an aggrieved citizen may file a complaint with the City’s Human Relations Commission (HRC), which has broad investigative powers to address illegal discrimination in private employment, public accommodations, and housing, including subpoena powers. The HRC has the authority to order an employer to pay for the costs of an investigation, including payment of attorney’s fees. The HRC also can revoke a company’s city licenses.

Click Here for the Original Article

Missouri Legalizes Marijuana: How Amendment 3 Could Change the Workplace

On Election Day 2022, Missouri voters passed Constitutional Amendment 3, which, among other things, decriminalizes the purchase, possession, and use of marijuana for recreational and personal purposes. The measure goes into effect December 8 and contains important provisions employers must immediately grapple with:

• Employers may not discriminate against a person in hiring, firing, or other employment actions (including decisions on promotions) for having a medical marijuana card, lawfully using recreational marijuana during off-duty hours, or testing positive for marijuana.
• Employers may still enforce drug-free workplace rules, and they may discipline or terminate employees for using, possessing, or being under the influence of marijuana while at work. However, employers would be advised to review and revise their employee handbooks to reflect (except for certain classes of employees) that hiring, discipline, and termination decisions may not be made on the basis of legal marijuana use.
• In areas which have not enacted “Ban the Box” ordinances, employers should evaluate the use of background checks of applicants. The Amendment provides for expungement of certain non-violent marijuana convictions and relieves applicants of the obligation to disclose the convictions, once expunged.
• Certain regulated industries will be largely unaffected. Where a federal regulation prohibits the use of illegal drugs, such as in certain medical and transportation fields, employers should continue to defer to the applicable federal regulations.

There remain many unanswered questions about how legal recreational marijuana will impact the workplace. The most critical concern is no doubt the safety of employees and others. Guidance from the EEOC and Job Accommodation Network regarding legal and illegal drug use will no doubt prove instructive in addressing workplace concerns. Employers should keep in mind a few important principles in addressing testing for marijuana:

• Drug testing and drug-free workplace rules must be applied in a non-discriminatory manner with regard to age, race, sex, disability, or any other protected class.
• Medical use of marijuana will continue to fall under the Americans with Disabilities Act, and so reasonable accommodations may include waiving a positive test result. Keep in mind that certain mental or physical conditions (such as traumatic brain injury, diabetes, effects of a stroke) may be similar to the signs of marijuana impairment.
• Testing for THC levels is notoriously difficult, as habitual users build up a higher “baseline” level of THC. A person may have THC, even in high levels, in their system and not be “impaired.”

The ADA regulates drug testing generally – both for legal and illegal drugs. For example, traditionally under the ADA, an employer could not drug test an employee unless the employee’s objective, observable actions demonstrate a direct threat of harm to the employee or her co-workers. If that threat cannot be removed by implementing a reasonable accommodation, then appropriate job action should be taken.

The construction industry is in a particularly difficult spot. Most laborers will not be subject to federal DOT regulations. Yet, laborers are often in safety-sensitive positions. Contractors have a non-delegable duty to maintain a safe workplace, and on its face, marijuana intoxication seems incompatible with maintaining a safe workplace. What are employers to do when testing for THC is so elusive and ensuring workplace safety is of such critical importance? The answer again may lie in the ADA.

While workers’ compensation is generally the exclusive remedy for workplace injuries, employers may be liable if an employee engaged in affirmative negligent acts that purposefully and dangerously caused or increased the risk of injury. Will courts or juries find that marijuana use on a construction site is such an act? That remains to be seen. However, it does not take much imagination to envision a finding that the willful ingestion of marijuana prior to operating heavy machinery purposefully and dangerously increased the risk of injury.

With regard to injuries to non-employee third parties, the Amendment probably reduces the risk of a negligent hiring claim for habitual marijuana users, as employers are prohibited from discriminating in hiring. However, the Amendment may create a substantial risk of claims for negligent supervision and retention. That is, employers may not be able to simply turn a blind-eye to on-duty marijuana impairment. Furthermore, employers may be on the hook for not training managers on signs of marijuana impairment. Unfortunately, this Amendment provides no safe harbor or immunity, so employers should probably monitor employees for signs of impairment, subject to the guidelines in the ADA.

Finally, the biggest open question is an employer’s potential liability for discrimination based on marijuana use. The Amendment states that: “an employer may not discriminate against a person in hiring, termination or any term or condition of employment or otherwise penalize a person, if the discrimination is based upon” off-duty use, holding a medical marijuana card, or testing positive for marijuana (unless they were caught using or possessing while on duty). The Amendment does not provide for a private right of action or create a statutory framework for lawsuits similar to the Missouri Human Rights Act. Whether the Amendment will provide an exception to at-will employment, providing a cause of action for wrongful termination, remains to be seen. The language in the Amendment, which will be part of Article XIV of the Missouri Constitution, may rise to the level of being a “clearly mandated” public policy in the state, paving the way for potential wrongful termination claims.

In the short term, the enactment of Amendment 3 without a regulatory framework for dealing with employment issues will no doubt cause headaches for employers across the state. In the absence of legislation or administrative regulations, employers will have to wait and see, subject to the vagaries of the court system. In the meantime, Baker Sterchi attorneys will be closely monitoring the impact of legal recreational marijuana on employment.

Click Here for the Original Article

The California Privacy Rights Act Brings New Data Requirements for Employers in 2023

With the holidays upon us, companies are assessing year-end to-do’s and considering what 2023 will bring. For companies employing California residents, compliance with the new California Privacy Rights Act (CPRA) should be at the top of their list. Indeed, to date, companies that employed California residents had a reprieve from the consumer-facing rules and requirements of the California Consumer Privacy Act (CCPA). The CCPA, which is, essentially, a data privacy “bill of rights” for Californians, even impacted many companies based outside of California but only as to their consumer-side relationships.

However, as of January 1, 2023, this exemption for your disclosures and extending of rights to your California employees will disappear, with the enactment of the CPRA, which amends the CCPA. As of the first of next year, the broad definition of “personal information” that has applied to “consumers” will now include employees, job applicants, officers, directors, and independent contractors.

This means California employers will need to provide these “consumers” with a privacy notice explaining the type of data collected and the purposes behind the collection. This translates into an update of your California privacy notice (if you had one for other consumers) or a new disclosure to provide California employees with not only an explanation of the type of data collected and the reason for the collection, but also a description of how employees can submit requests under their privacy rights.

Specifically, employers of Californians will need to make available to their employees, applicants and independent contractors:

1. a right to knowabout the information collected about them;
2. a right to deletepersonal information collected from them (subject to exceptions);
3. a right to opt-out of sale or sharingof that data;
4. a right to opt-out of automated decision-making technology(if applicable);
5. a right to correct inaccurate personal information; and,
6. a right to limitthe use and disclosure of sensitive personal information, a right that also comes with some limitations.

These rights are not a blanket set of rights to be exercised by employees. For instance, under CPRA, employees have the right to know about the personal information collected about them; but many employers already had certain processes in place under the California Labor Code, whereby employees had the right to know about certain information that an employer has collected, such as payroll records (Cal. Labor Code § 226), signed documents (Labor Code § 432), and personnel files (Labor Code § 1198.5). And, with a “right to delete,” employers will need to assess federal, state, and local retention requirements when responding since a deletion request may be properly refused given the retention requirements of the Americans with Disabilities Act, Family Medical Leave Act, Age Discrimination in Employment Act, and Fair Labor Standards Act.

Notably, the CPRA creates two new rights: a right to correct personal information that is inaccurate and a right to limit use and disclosure of “sensitive personal information.” Sensitive Personal Information includes (1) precise geolocation data, (2) racial or ethnic origin, (3) union membership, (4) the contents of certain employee email and text messages, and (5) biometric information. However, this right to limit the use and disclosure only applies to use of Sensitive Personal Information other than what would be “reasonably expected by an average” consumer/employee. So, collection of certain information by an employer, such as racial or ethnic origin, for diversity and inclusion purposes may therefore be excepted.

There are also timing requirements on responding to these requests and exercising of rights, and there needs to be specific ways in which the employee can make these requests. With the dawning of this new set of rights for California employees, companies subject to the CPRA should review the employee and applicant personal information collected to ensure an accurate and complete description of the categories of personal information collected, used, and disclosed. In addition, under CPRA companies have specific requirements for their representations and warranties in their contracts with third-parties.

CPRA requirements may be confusing and challenging, especially for companies that, to date, have enjoyed the exemption for disclosures and rights extended to employees (under the CCPA). However, getting this policy and practice in place can be a doable task with just some straightforward questions, data mapping and updating of disclosures. A trusted data privacy advisor can help ensure your policy and practice complies.

Click Here for the Original Article

California Releases Guidance on Pay Scale Disclosures

Seyfarth Synopsis: As we blogged about previously, California passed a landmark pay transparency law in September 2022. As promised, the Labor Commissioner’s office has issued FAQs addressing big employer questions regarding who is covered, information required to be disclosed, and details on remote job postings.

On December 27, 2022, the California Labor Commissioner’s office released eagerly anticipated Frequently Asked Questions (“FAQs”) on the state’s new pay scale disclosure requirements under the Equal Pay Act, which are effective on January 1, 2023.

This guidance clarifies some of the major outstanding questions on compliance with the requirements introduced in SB 1162.

The FAQs clarify which employers will be subject to the pay disclosure requirements and the content of the mandatory disclosures. Of note, the FAQs do not clarify whether the requirements only apply to postings made on or after January 1, 2023, or if it will apply to all postings that remain active as of January 1, 2023.

Who Must Comply?

Under Labor Code 432.3, “an employer with 15 or more employees must include the pay scale for a position in any job posting.” The FAQs explain that the Labor Commissioner will count employees using the same methodology applied for Supplemental Paid Sick Leave as explained in a previous FAQ (which in turn leans on the FAQs related to California’s state minimum wage requirements)—i.e. using the definition from Labor Code 1182.12, the disclosure requirements apply if an employer has at least one employee located in California, so long as it employs “directly or indirectly, or through an agent or any other person” 15 or more people.

Does This Apply to Remote Postings?

If a position can be filled in California, either remotely or in person, then the pay scale must be included in job postings.

What Must Be Disclosed?

Pay Scale Definition

The FAQs confirm that a pay scale is limited to the “salary or hourly wage range the employer reasonably expects to pay for a position.” A set hourly rate or set piece rate may be included in place of a pay scale if an employer “intends to pay a set hourly amount or a set piece rate amount, and not a pay range.”

Bonuses, tips, and other benefits are not required to be included in the pay scale. Employers may voluntarily provide information on “compensation or tangible benefits provided in addition to a salary or hourly wage.” However, employers should take note that the Labor Commissioner reminds employers that “other forms of compensation may be considered for equal pay purposes.”

Mandatory Disclosure of Piece Rate and Commission Compensation

In a relatively unique Cal-peculiarity, where a person’s hourly or salary wages is based on a piece rate or commission, then the employer must include the piece rate or commission range the employer reasonably expects to pay for the position.

How Can Employers Make Disclosures?

In a key departure from some of the other jurisdictions that have enacted pay scale disclosure requirements, employers cannot link to the salary range in an electronic posting or include a QR code in a paper posting. The pay scale must be included on the posting itself.

Reminder of New Record Retention Requirement

In addition to the new pay scale disclosure requirements, an employer must keep records of a job title and wage rate history for each employee for the duration of the employment plus three years after the end of the employment. These records must be open to inspection by the Labor Commissioner, which the Labor Commissioner will then use to determine whether there is a pattern of wage discrepancy.

What Should You Do to Prepare?

Employers should ensure that all job postings posted on or after January 1, 2023, contain the required pay scale information. In particular, employers who previously intended to provide links to the pay scale should instead include the pay scale directly in the job postings.

It is imperative to carefully review postings before they are created, as employers who fail to comply can be subject to penalties ranging from $100 and no more than $10,000 per violation.

Click Here for the Original Article

NYC Delays Enforcement of Automated Employment Decision Tools Law to April 15, 2023

On December 12, 2022, the New York City Department of Consumer and Worker Protection (“DCWP”) announced that it would delay the date of its enforcement of the New York City Automated Employment Decision Tools Law (“AEDTL”) from January 1, 2023, to April 15, 2023. The change is due to the high volume of public comments the DCWP received in connection with its proposed regulations implementing the AEDTL, along with the DCWP’s plans to hold a second public hearing before finalizing those regulations.

By way of background, the AEDTL restricts employers’ ability to use “automated employment decision tools” in hiring and promotion decisions within New York City. The AEDTL defines “automated employment decision tool” as “any computational process, derived from machine learning, statistical modeling, data analytics, or artificial intelligence, that issues simplified output, including a score, classification, or recommendation, that is used to substantially assist or replace discretionary decision making for making employment decisions that impact natural persons.” The term does not encompass “a tool that does not automate, support, substantially assist or replace discretionary decision-making process and that does not materially impact natural persons,” such as junk email filters, databases, or spreadsheets.

Employers are prohibited from using automated employment decision tools in connection with hiring and promotion decisions within New York City unless: (i) the tool has been the subject of a bias audit conducted within the previous year; and (ii) the employer has published a summary of the results of the tool’s most recent bias audit, as well as the distribution date of the tool to which such audit applies, on its publicly-available website. A “bias audit” is defined as an “impartial evaluation by an independent auditor” that must test whether application of the tool’s criteria results in a disparate impact based on sex, race, or ethnicity.

The AEDTL also imposes significant notice requirements. Employers who use automated employment decision tools in employment decisions must disclose the following information at least ten business days before the tool is used: (i) the fact that an automated employment decision tool will be used in connection with the assessment or evaluation of any candidate who lives in New York City; and (ii) the job qualifications and characteristics that the automated employment decision tool will use in assessing the candidate. Employers must also provide the following information within thirty days of a written request: (i) the type of data collected for the automated employment decision tool; (ii) the source of the data; and (iii) the employer’s data retention policy. Finally, employers must advise candidates or employees with information on how to request an alternative selection process or accommodation.

The consequences for violating the AEDTL can be steep. Employers who violate the AEDTL may be subject to civil fines of $500 for a first violation (and each additional violation occurring on the same day as the first violation), and $500 – $1,500 for subsequent violations. Each day on which an automated employment decision tool is used in violation of the law will give rise to a separate violation, as will any failure to provide notice required under the AEDTL. The AEDTL neither expressly permits nor prohibits a private right of action, but states that it shall not be construed to “limit any right of any candidate or employee for an employment decision to bring a civil action in any court of competent jurisdiction.”

On September 23, 2022, the DCWP posted a set of proposed regulations implementing the AEDTL, and held a public hearing regarding them on November 4, 2022. The public hearing attracted hundreds of attendees, and the DCWP received a high volume of comments requesting clarification regarding the AEDTL and the regulations that DCWP proposed. To provide sufficient time to process those comments, hold a second public hearing, and presumably issue new regulations, the DCWP will delay any enforcement measures for the AEDTL until April 15, 2023.

Although this news may come as a relief for employers who use automated employment decision tools, New York employers should continue to consider the AEDTL’s requirements (including the terms of any future final regulations) and plan for compliance. We will continue to monitor any new developments and provide updates as they become available.

Click Here for the Original Article

New York Establishes Statewide Pay Transparency Law

On December 21, 2022, Governor Kathy Hochul signed legislation establishing a statewide pay transparency law in New York State. The new law (S.9427-A/A.10477) requires employers to list salary ranges for all advertised jobs and promotions in the state. The signing of this legislation comes on the heels of a substantively identical law going into effect in New York City last month. As with the New York City law, the statewide requirement is part of a broader push toward improving pay transparency.

The New York State law takes effect 270 days after Gov. Hochul’s signature, i.e., September 17, 2023. It specifically prohibits employers from advertising a job, promotion or transfer opportunity without stating:

• the compensation or range of compensation for the job, promotion or transfer opportunity; and
• the job description for the job, promotion or transfer opportunity, if one exists.

If the job is paid solely on commission, the advertisement must disclose a general statement that “compensation shall be based on commission.” The law defines “range of compensation” to mean the minimum and maximum annual salary or hourly wage for a job, promotion or transfer opportunity that the employer, in good faith, believes to be accurate at the time of the posting for such opportunity.

Like the New York City law, the statewide legislation will apply to employers with four or more employees. The four employees do not need to work in the same location, and they do not need to all work in New York.

The law also requires covered employers to maintain records necessary to comply with the law, such as a history of compensation ranges for the listed job, promotion or transfer opportunity, along with any existing job descriptions for the same. For the avoidance of doubt, covered employers are not required include other forms of compensation or benefits—such as health insurance, paid time off, overtime pay, bonus opportunity, or the availability of a 401(k) plan—in the job posting.

Click Here for the Original Article

Washington State Issues Final Policy on Pay Transparency in Job Postings, Setting Most Stringent Requirements in the Country

Earlier this month, Washington issued its final Administrative Policy providing the state’s interpretation of the Equal Pay and Opportunities Act, which takes effect on January 1, 2023.  The law provides that employers must disclose in each posting for each job opening: (1) the wage scale or salary range, and (2) a general description of all benefits and other compensation to be offered. The guidance takes an expansive view of which employers are covered by the law and requires job postings to contain pay and benefits information beyond what is required by any other state or locality that has enacted pay transparency legislation.

To whom does the law apply?

The law applies to all employers “engaging in any business, industry, profession, or activity in Washington” for any job postings “that recruit Washington based employees.” This includes employers that do not have a physical presence in Washington if they have one or more Washington-based employees or if they engage in business in Washington or recruit for jobs that could be filled by a Washington-based employee, including remote jobs.  This is a broader interpretation of jurisdiction than Colorado or New York City, for example, where employers must have at least one employee physically working from that location before an employer is covered.

The law does not apply to jobs to be performed entirely outside Washington or to printed hard-copy postings made and distributed entirely outside Washington.

According to the guidance, an employer cannot avoid the duty to comply with Washington’s wage and salary disclosure requirements by indicating within a posting that the employer will not accept Washington applicants.

What is a job posting?

To qualify as a “job posting,” an advertisement must list the specific position and qualifications. A social media post that reads “Manufacturing jobs available, apply now online. Weekend shifts required” is not a job posting because it does not include qualifications or reference a specific position for a desired applicant. On the other hand, an electronic reader board outside a business that reads, “Help Wanted- Server. Food Handler’s Certification Needed. Offering: $24.00-$26.00 per hour, medical benefits, 70 vacation hours per year, and $500 sign-on bonus” is considered a job posting.

What wage information must be included?

The requirement to provide a “wage scale or salary range” means the employer must provide applicants with its “most reasonable and generally expected range of compensation for the job.”  A wage scale must not be open-ended, must be determined before the job is posted, the job posting must be updated if the scale changes, and, if there is a starting range, both the starting range and general range must be included in the posting. For example, the post should not say “$60,000/per year and up,” as this range is open-ended. The posting should be updated if the range changes after publication.

If a person is offered a position different from the position applied for, the employer may offer a wage specific to the position offered, rather than the position posted, but should provide a copy of a compliant posting for the position offered.

What benefits information must be included?

Washington joins Colorado in requiring employers to provide a general description of benefits for the position.  This must include health care benefits, retirement benefits, any benefits permitting paid days off (including paid sick leave accruals that are more generous than required by Washington state/local law, parental leave, and paid time off or vacation benefits), and any other benefits that must be reported for federal tax purposes. But while Colorado employers may comply by providing a laundry list of benefits without further description, Washington will require more detail:

Retirement Plans: If an employer includes various retirement options as part of the benefits package, the employer should list the retirement options in the job posting, such as 401k, employer-funded retirement plans, deferred compensation, and other defined-benefit or defined-contribution plans.

Paid Time Off or Vacation: If the employer includes paid time off or paid vacation time as part of the benefits package, the employer should list the number of days or hours the hired applicant would expect to receive, such as 8 hours per month or 12 days per year.

Paid Holidays: If the employer includes paid holidays as part of the benefits package, the employer should list in the job posting the number of paid holidays the hired applicant would expect to receive, such as 10 paid holidays per year. The employer does not have to identify each paid holiday.

More Generous Paid Sick Leave: If the employer includes a paid sick leave policy that is more generous than that required by Washington State law or any local ordinance that applies to the benefits package, the employer should list the number of hours per month or days per year the hired applicant would expect to receive in the job posting that is greater than Washington State law or any local ordinance, such as 3 hours of paid sick leave for every 40 hours worked or 8 hours of paid sick leave per month.

The Administrative Policy contains the following example of a compliant posting: “Employees (and their families) are covered by medical, dental, vision, and basic life insurance. Employees are able to enroll in our company’s 401k plan, as well as a deferred compensation plan. Employees will also receive eight hours of vacation leave every month and twelve paid holidays throughout the calendar year.”

As with wage ranges, the posting should be updated if this information changes after posting.

What information about “other compensation” must be included?

Per the Administrative Policy, “other compensation” includes, but is not limited to, bonuses, commissions, profit-sharing, stock options, or other forms of compensation that would be offered to the hired applicant in addition to their established salary range or wage scale.

Washington will require employers to provide more information than other jurisdictions do about two types of “other compensation”: commissions and piece-rate pay.

If a job is compensated by commission rates, the Administrative Policy states that the employer should include the rate or range of rates (percentage or otherwise) that will be offered to the hired applicant, i.e., “Commission-based salesperson – 5-8% of net sale price per unit.” While many companies’ commission plans are far more complicated than this, Washington has not provided any additional guidance about what would constitute sufficient detail in those cases.

If a job is compensated by piece-rate, the employer should include the agreed piece rate, e.g., “$0.55 – $0.75 per pound of strawberries picked.”

For other non-base compensation, it appears additional detail is not required, based on the following example of a compliant description included in the Policy: “Hired applicant will be able to purchase company stock, receive annual bonuses, and can participate in profit sharing.”

Although Washington will allow the use of a hyperlink on remote postings to include more detailed descriptions of benefits and other compensation, the posting itself must include a general description of benefits and other compensation (unlike Colorado, where all of this information may be provided only by hyperlink).

What are the next steps?

With January 1 fast approaching, employers should prepare pay range, compensation, and other benefits information for jobs that can be performed in Washington that they anticipate posting in early 2023, including specifics on commission-based and piece-rate pay as well as the types of paid time off offered.  Employers should add the required information to existing postings on or before January 1, 2023 or take them down, including any postings made at their direction by a third party.

Click Here for the Original Article

Pennsylvania’s Expanded Definitions of Protected Classes Will Affect Employment Practices As Well As Discrimination and Harassment Policies, Practices and Management Training

The definitions of “sex,” race” and “religious creed” have been defined expansively by new regulations issued under the Pennsylvania Human Relations Act (PHRA) on December 7, 2022, by the Independent Regulatory Review Commission. Although the Pennsylvania Human Relations Commission (PHRC) has taken the position that the robust definitions simply codify existing law under the PHRA, the new regulations will not become effective until after a legislative review period and publication in the Pennsylvania Bulletin.

Employers are well advised to assume the PHRC will apply the broad definitions discussed below when investigating and enforcing the PHRA prior to their effective date and that these regulations eventually will be set in the Pennsylvania Code.

Definition of “Sex”

Under the new regulation, the protected class “sex” is defined to include, but is not limited to:

1. Pregnancy, including medical conditions related to pregnancy.
2. Childbirth, including medical conditions related to childbirth.
3. Breastfeeding, including medical conditions related to breastfeeding.
4. Sex assigned at birth, including, but not limited to, male, female or intersex.
5. A person’s gender, including a person’s gender identity or gender expression.
6. Affectional or sexual orientation, including heterosexuality, homosexuality, bisexuality and asexuality.
7. Differences of sex development, variations of sex characteristics or other intersex characteristics.

Many of the above examples are further defined by other definitions in the new regulations.

Definition of “Race”

Under the new regulations, the protected class “race” is defined to include, but is not limited to:

1. Ancestry, national origin or ethnic characteristics.
2. Interracial marriage or association.
3. Traits historically associated with race, including, but not limited to:
   1. Hair texture and
   2. Protective hairstyles, such as braids, locks and twists.
4. Persons of Hispanic national origin or ancestry, including, but not limited to, persons of Mexican, Puerto Rican, Central or South American or other Spanish origin or culture.
5. Persons of any other national origin or ancestry.

Many of the above examples are further defined by other definitions in the new regulations.

Definition of “Religious Creed”

Under the new regulations, the protected class “religious creed” is defined as follows:

1. The term includes all aspects of religious observance, practice or belief.
2. Religious beliefs include moral or ethical beliefs as to what is right and wrong that are sincerely held with the strength of traditional religious views. The fact that no group espouses such beliefs or the fact that the religious group to which the individual professes to belong may not accept such belief will not determine whether the belief is a religious belief of a complainant.

What this means for Employers

Employers in Pennsylvania will need to decide which of the subclasses of sex, race and religious creed to include in their policies prohibiting discrimination and harassment, and management training programs on discrimination and harassment. Most importantly, employers will need to consider these expansive definitions in reviewing their employment practices to maximize legal compliance and minimize legal risk. In particular, managers will need specific guidance on how to address these issues as they may arise in the context of diversity, equity and inclusion. Otherwise, discussions about diversity to increase equity and inclusion could end up as evidence in a complaint in which the characteristic was discussed and is alleged to be the basis for an adverse employment action.

Click Here for the Original Article

COURT CASES

Illinois Appellate Court Holds Businesses Must Implement Biometric Retention and Destruction Policies Before Collecting Biometric Data

Seyfarth Synopsis: On November 30, 2022, the Illinois Second District Appellate Court reversed the trial court’s grant of summary judgment in Defendant’s favor in a case entitled Mora v. J&M Plating, Inc. The lawsuit was initiated by a former employee of the Defendant metal finisher, alleging that Defendant violated the Illinois Biometric Information Privacy Act (“BIPA”) by collecting employees’ fingerprints without first implementing a written retention and destruction schedule for biometric data. The trial court initially dismissed Plaintiff’s claims but the Appellate Court reversed, finding that the BIPA requires employers to have a retention and destruction schedule in place before they possess any biometric data.

Background on Mora v. J&M Plating, Inc.

Defendant J&M Plating, Inc. hired Plaintiff Trinidad Mora in July 2014, and shortly thereafter, the company began having employees clock into work using a finger scanner. In May 2018, the company implemented a written retention and destruction schedule for biometric data. Plaintiff signed this policy, thereby consenting to the collection of his biometric identifiers (i.e., his fingerprints). Defendant subsequently terminated Plaintiff’s employment in January 2021, and pursuant to its written biometric policy, Defendant destroyed Plaintiff’s alleged biometric data approximately two weeks after his termination.

One month later, Plaintiff filed a class action lawsuit alleging that the company violated Sections 15(a) and (b) of the BIPA by collecting employees’ biometric data without first providing notice, obtaining informed consent, or issuing a retention and destruction policy.

The company initially secured dismissal of Plaintiff’s Section 15(b) claim for failure to obtain written consent before allegedly obtaining biometric information, as the trial court held this claim was time-barred under the applicable five-year statute of limitations because the claim first accrued in September 2014. Defendant later filed a motion for summary judgment on the Section 15(a) claim for failure to maintain a BIPA collection and retention policy, arguing that this Section does not contain a timing requirement and ultimately, Plaintiff’s biometric data was properly destroyed pursuant to a destruction and retention policy. The trial court granted summary judgment for the company, and Plaintiff subsequently appealed.

Illinois Appellate Court Reverses Trial Court’s Dismissal

On appeal, Plaintiff relied on the legislative intent behind the enactment of the BIPA to support his interpretation that covered entities must publish a written schedule before collecting or possessing biometric data. To that end, Plaintiff emphasized the Illinois Legislature’s goal of protecting individuals’ biometric privacy rights through the BIPA, and that the company had six years before Plaintiff was hired to comply with the Act (which was enacted in 2008).

The company responded that Section 15(a) contains no timing component, as its primary concern is to ensure that entities have policies in place to destroy biometric data once the purpose for which the data was collected has ended. Because the company had a retention and destruction schedule in place when Plaintiff’s employment ended (and consistent with BIPA, when the need for using Plaintiff’s data ended), the company argued that any harm suffered by Plaintiff was purely hypothetical.

The Appellate Court reversed the trial court’s decision, finding that the lower court incorrectly interpreted the relevant section of the Act. More specifically, the Appellate Court cited the plain language of Section 15(a), which provides that “[a] private entity in possession of biometric identifiers or biometric information must develop a written policy . . . .” The Court thus reasoned that the implementation of a written policy is triggered by the entity’s possession of biometric data.

The Appellate Court also looked to Section 15(b) to reinforce its holding, as this Section requires that entities obtain an individual’s informed consent before collecting biometric data. Finally, with respect to the company’s argument regarding Plaintiff’s lack of harm suffered, the Court relied on the Illinois Supreme Court’s Rosenbach decision to reason that actual harm is not required to file suit under the Act, as the BIPA was enacted for “preventive and deterrent purposes.” Accordingly, the Court reversed the grant of summary judgment and remanded the case for the trial court to reassess Plaintiff’s claims under Section 15(a).

Implications for Employers

Even in situations where, as in Mora, a company implements a written policy and properly destroys biometric data, a company defendant may be liable for failing to implement the policy before possessing such data. As a result, Illinois businesses should ensure that their biometric privacy practices are entirely in compliance with the Act before beginning to collect any sort of biometric data.

Click Here for the Original Article

A California Court of Appeal Stands with Federal Courts: No Injury, No Standing Under FCRA

The California Court of Appeal, Fifth District, recently held in Limon v. Circle K Stores Inc., 84 Cal.App.5th 671, 2022 WL 14391789 (Oct. 25, 2022), that California plaintiffs bringing Fair Credit Reporting Act (“FCRA”) claims must allege a “concrete or particularized injury” to have standing. In holding so, the California court aligned the state’s standing law with federal standing law, which enforces “no injury, no standing.”

Ernesto Limon applied for a job with Circle K Stores Inc. and received a set of FCRA disclosures during the application process. Circle K gave him a form requesting his consent to obtain a background report and allowing him to check a box to request a copy of the background report. The form also informed Limon that by signing, he agreed to release from liability any entity providing information for the background report. Limon signed the forms, and Circle K requested the background report. Circle K hired Limon.

Limon later sued Circle K in federal court in California for violations of the FCRA’s disclosure provisions, § 1681b(b)(2)(A)(i) and (ii). He alleged Circle K’s consent form violated the FCRA because it did not include the disclosures in a “standalone” document, did not “clearly and conspicuously” inform him that a report would be procured, did not appropriately request his consent in writing to obtain the background report, and included the liability release for providers of background information. Critically, Limon did not allege Circle K’s alleged failures harmed him in any way. Therefore, at summary judgment, the federal court dismissed the case for lack of standing under Article III of the U.S. Constitution. The court allowed Limon to provide more evidence to establish an injury necessary for standing, but he conceded he could not.

Limon then re-filed his claims in California state court. The California trial court also dismissed the case for lack of standing. Limon appealed, and the California Court of Appeal affirmed, confirming that, “under California law[,] . . . an informational injury that causes no adverse effect is insufficient to confer standing upon a private litigant to sue under the FCRA.”

The court’s decision – holding California plaintiffs in the Fifth District to a standing burden akin to the Article III standard in federal court – is momentous. To reach it, the court thoroughly analyzed Limon’s no-harm concession against the backdrop of the FCRA’s purpose and California standing law. It then systematically rejected Limon’s arguments for a no-injury standing jurisprudence.

The court first emphasized that the FCRA disclosure provisions underpinning Limon’s claims exist to protect job applicants’ privacy rights, but Limon conceded privacy was not violated. Even if Circle K’s form technically violated the FCRA, holding Circle K responsible for a violation that hurt nobody did not support the FCRA’s purposes.

Then the Court summarized California’s standing doctrine, which requires a plaintiff to “have a personal interest in the litigation’s outcome” or be “beneficially interested” to maintain an action. If a plaintiff “has neither suffered nor is about to suffer any injury of sufficient magnitude reasonably to assure that all of the relevant facts and issues will be adequately presented,” he lacks a “real interest” in the case and has no standing in a California court. Importantly, while Article III does not bind California courts like it does federal courts, the California “beneficially interested” test is equivalent to the Article III injury-in-fact-prong, and “there are, in many instances, commonalities between California’s standing doctrine and federal standing doctrine.”

Against that background, the Court of Appeal systematically rejected Limon’s three arguments that a California plaintiff has standing without suffering any concrete injury.

• First, the court rejected Limon’s assertion that California standing “simply requires that the action be maintained in the name of the person who has the right to sue under the substantive law.” Limon’s argument came from California Code of Civil Procedure section 367, which requires “[e]very action [to] be prosecuted in the name of the real party in interest.” The court concluded that the statute states a prerequisite but does not automatically confer substantive standing when it is fulfilled. Bringing a suit in the real party in interest’s name is necessary, but not sufficient, for standing.
• Second, the court rejected Limon’s argument that California has blanketly allowed plaintiffs to sue without alleging a concrete injury. Limon’s cases in support merely demonstrated that in very narrow circumstances, the courts have identified standing through public interest considerations or per se injurious statutory violations. In certain taxpayer suits, for example, the California Legislature has granted parties “public interest standing” to maintain a suit for the public good without first suffering a personal injury. In civil rights cases where the courts have found standing without evidence of personal injury, the statutory violations were per se injurious. However, those cases are exceptions to, not repudiations of, the rule that a plaintiff must have a “beneficial interest” in a suit to have standing. The court held that the FCRA does not confer public interest standing but rather confers authority on federal and state agencies and officials—not individuals—to vindicate the public interest in the face of FCRA violations.
• And third, the court rejected Limon’s argument that an uninjured plaintiff can obtain a statutory “penalty” for an FCRA violation. In other words, the Court of Appeal held that FCRA violations are not per se injurious, and a plaintiff must still show a “beneficial interest” in the case. Limon argued that the FCRA’s provision for statutory “penalties” in § 1681n(a)(1)(A) is distinguishable from the provision for “damages” in § 1681s, meaning a court may assess a monetary penalty against a defendant notwithstanding a plaintiff’s lack of personal damage from the violation. The court, however, adopted Circle K’s argument on this point: statutory “penalties” punish wrongdoers, whereas “damages” compensate injured parties and “require an injury to compensate.” The court held that the plain meanings of “penalties” and “damages,” coupled with Congress’s intentional use of these words in different places in the FCRA, indicate that an individual FCRA plaintiff can recover “damages” only if he is injured.

Having untangled and dismantled Limon’s standing arguments, the Court of Appeal held Limon lacked standing to pursue his FCRA claims in California court. Limon had suffered no injury to his privacy rights because he willingly submitted to the background check, he consented in writing to Circle K’s procuring the background report, and he conceded he would have signed an FCRA-compliant form allowing Circle K to do exactly what it did. He never alleged he did not receive a copy of the background report or that the report contained any inaccurate or damaging content.

In holding Limon failed to satisfy California’s standing requirements, the Court of Appeal drew an important connection between California and federal standing law. The wave of Article III standing cases following TransUnion LLC v. Ramirez, 141 S. Ct. 2190 (2021), will continue, and state practitioners should be aware of their state’s standing requirements. Limon joins the ranks as another potent weapon in a California defendant’s arsenal against purely statutory claims.

Click Here for the Original Article

INTERNATIONAL DEVELOPMENTS

‎In a Nutshell: Data Protection, Privacy and Cybersecurity in Mexico

Overview

The right to privacy or intimacy is contemplated in Paragraphs 1 and 12 of Article 16 of the Mexican Constitution, and prohibits the intrusion of an individual’s person, family, domicile, documents or belongings (including any wiretapping communication devices), except when ordered by a competent authority supported by the applicable law. The right to data protection is stipulated in Paragraph 2 of Article 16 of the Mexican Constitution, and seeks to set a standard for collecting, using, storing, disclosing or transferring (collectively, processing) of personal data (as defined below) to secure the right to privacy and self-determination. The right to privacy and data protection are closely related fundamental rights that seek to protect individuals’ ability to guard a portion of their lives from the intrusion of third parties. Notwithstanding this, while a breach of privacy usually results in a breach of the right to personal data protection, a data protection breach does not always result in a breach of privacy.

The first formal effort to address personal data protection was introduced in 2002 when Mexican Congress approved the Federal Law for Transparency and Access to Public Governmental Information (the Former Transparency Law). Although the Former Transparency Law was mainly aimed at securing access to any public information in the possession of the branches of government and any other federal governmental body, it also incorporated certain principles and standards for the protection of personal data being handled by those government agencies. This effort was followed by similar legislation at the state level.

After several attempts to address data protection rights more decisively, in 2009 Congress finally approved a crucial amendment to the Constitution that recognised the protection of personal data as a fundamental right. Consequently, Congress enacted the Federal Law for the Protection of Personal Data in Possession of Private Parties (the Private Data Protection Law), which came into effect on 6 July 2010 and was followed by the Regulations of the Private Data Protection Law on 22 December 2011.

In January 2014, Congress approved an amendment to the Constitution to create an autonomous entity to be in charge of enforcing the Private Data Protection Law and to take on the duties of the former Federal Institute for Access to Information and Protection of Data (the former IFAI), which was originally created as a semi-autonomous agency separate from the federal public administration. However, in a rather controversial move, the former IFAI amended its internal regulations so that it could assume the necessary characteristics and role of the proposed autonomous entity. Consequently – and as a result of the new General Law for Transparency and Access to Public Governmental Information, which annulled the effect of the former Transparency Law – all matters previously dealt with by the former IFAI are now being handled by the ‘new IFAI’ as an autonomous entity; and it has adopted the name National Institute of Transparency, Access to Information and Protection of Personal Data (INAI).

The Private Data Protection Law is an omnibus data protection law that sets the principles and minimum standards that shall be followed by all private parties when processing any personal data. However, the Private Data Protection Law also recognises that standards for implementing data protection may vary depending on the industry or sector. Accordingly, the Private Data Protection Law can certainly be complemented by sectoral laws and self-imposed regulatory schemes, which focus on particular industry standards and requirements, to the extent that those standards and requirements comply with the data protection principles in the Private Data Protection Law. There have been efforts to promote such sector-specific rules among those processing any personal data within the same industry.

On 13 December 2016, Congress approved the General Law for the Protection of Personal Data in Possession of Governmental Entities (the Governmental Data Protection Law, and collectively with the Private Data Protection Law, the Data Protection Laws), which was enacted on 27 January 2017, to set forth a legal framework for the protection of personal data processed by any authority, entity or organ of the executive, legislative and judicial branches, political parties and trusts operating with public funds at federal, state and municipal levels. Provided that this particular publication is intended to address issues arising from data protection in the private sector, we will not address the governmental Data Protection Law in detail, unless it is necessary to add context.

The INAI is in charge of promoting the rights to protection of personal data and enforcing and supervising compliance with the Data Protection Laws and those secondary provisions deriving from those Data Protection Laws. To this end, with respect to the private sector, the INAI has been authorised to supervise and verify compliance with the Private Data Protection Law; interpret administrative aspects of the Data Protection Laws; and resolve claims and, inter alia, impose fines and penalties. The INAI has been actively working through media campaigns to raise awareness among corporations and individuals of the relevance of adequate protection of personal data. Although the INAI has the authority to initiate enforcement activities, most fines and penalties imposed have resulted from claims filed by data subjects. We are aware that companies that have been fined by the INAI for breaching the Private Data Protection Law have challenged the decisions by means of nullity claims and amparo lawsuits; however, the relevant files are not publicly available.

The year in review

During 2022, the INAI has continued to enforce the Private Data Protection Law and, at the same time has issued non-binding guidelines and bulletins related to the protection of personal data. Some of the most relevant ones are the following:

1. On 9 January 2022, the INAI published a bulletin stating that in 2021 fines imposed for failure to comply with the Private Data Protection Law amounted to 90,193,016 Mexican pesos. The more frequent infractions were for processing personal data in contravention of the principles established in the Private Data Protection Law, namely the process or transfer personal data without the proper consent of the data subjects applicable to the personal data being processed, and deficient privacy notices. The most fined sectors were the financial and insurance sectors.
2. On 17 April 2022, the INAI published a bulletin warning about the most common practices cybercriminals use to illegally obtain personal data and commit fraud or scams in the digital environment: phishing, pharming, smishing and vishing, and recommendations to prevent these attacks.
3. On 19 April 2022, the INAI published a bulletin explaining that the digital era poses permanent risks to privacy, so it was necessary to implement strategies to protect personal data and to generate critical awareness of the duties of the public and private sectors in this area. The use of technology involves the processing, collection and storage of personal data that flow globally and may be available to everyone, posing permanent risks to the privacy of individuals. This new context obliges governments and, of course, the guarantor bodies and agencies in this area to discuss and implement strategies to respond to the new ways of managing, but also to store and protect people’s data in what we know today as the digital era.
4. On 29 April 2022, a bulletin with recommendations to protect the personal data of children when playing games on the internet was also published.
5. On 6 May 2022, the INAI published an awareness bulletin in relation with the value and importance of personal data in the market. It mentioned that ‘personal data is the oil of the 21st century because every time we carry out an activity that involves a mobile device, we are sacrificing part of our privacy, which is a fundamental right contemplated in article 16 of the Mexican Constitution’.

Click Here for the Original Article

UK HR Two Minute Monthly: Settlement agreements, whistleblowing, redundancy and general news roundup

Settlement agreement cannot be used to settle future unknown claims

While parties are free to settle contractual employment claims by agreement, there are specific statutory provisions which limit an employer’s ability to settle statutory employment claims. These include section 147 of the Equality Act 2010 which applies to the settlement of discrimination claims and section 203 of the Employment Rights Act 1996 (ERA) which applies to the settlement of claims under the ERA such as unfair dismissal. In both cases, the relevant section sets out the conditions which must be met for a settlement agreement to be valid and statutory claims settled. Importantly, this includes a requirement for the agreement to “relate to the particular [statutory] complaint”.

The Scottish EAT recently considered the meaning of “particular complaint”. The case concerned a claimant who had entered into a settlement agreement on his voluntary redundancy. As well as notice and an enhanced redundancy payment, the claimant understood he would receive an additional sum six months after the termination of his employment, paid under a collective agreement. However, the collective agreement stated that the payment would only apply to individuals who were under 61 and the claimant was 61 at the date of his dismissal. A month after the claimant entered into the settlement agreement, the respondent decided not to pay the additional sum. The claimant claimed this refusal to pay was an act of age discrimination. The respondent relied on the terms of the settlement agreement – the claimant had settled all future claims for age discrimination through the settlement agreement and could not now make a claim based on age discrimination for the additional sum.

At first instance, the Employment Tribunal agreed. It held that the settlement agreement did indeed prevent the claimant from bringing the claim. However, the EAT disagreed and held that a settlement agreement could not be used to settle a future claim unknown to the claimant when the settlement agreement was entered into. It reached this conclusion relying on three particular points. First, it held it was contrary to Parliamentary intention. It referred to a discussion recorded in Hansard where it was stated that a settlement agreement can only settle a particular complaint which has already arisen. Secondly, it held that preventing the claimant’s claim was contrary to the broad purpose of the legislation, which was to prevent employees from signing away their rights without understanding what they were doing. Thirdly, the EAT held that the requirement to settle “the particular complaint” was not satisfied by a clause which lists a series of types of complaint by reference to their nature or section number (in this case the agreement referred to “age, under section 120 of the Equality Act 2010 and/or regulation 36 of the Employment Equality (Age) Regulations 2006”).

The EAT considered previous case law but felt that there was nothing in those decisions which precluded this finding. It noted that the outcome was potentially “inconvenient” for parties who want certainty at the end of an employment relationship, but that this did not override parliamentary intention or express statutory requirements.

Ironically, the claimant was unable to bring his claim anyway on other jurisdictional grounds.

Why this matters

This decision is notable in that, despite the EAT’s comments, it appears to reach a conclusion which is out of step with previous case law, which stated that there were circumstances where a future claim could be settled even where the employee did not and could not have knowledge of it. The EAT found however that this finding did not relate to statutory claims.

While situations where entirely new claims arise after termination are unusual, employers need to be aware of this issue and also be aware that, at least until there is a decision from a higher court on the point, there is a risk that settlement of a future statutory claim not in existence at the time a settlement agreement is entered into (as in this case), will not be valid.

Potentially of more significance, the case also suggests that the settlement of claims by the use of a list by reference to their nature or section number may not be sufficient to amount to the settlement of a particular complaint. This gives rise to an increased risk of employees arguing that a settlement agreement has not validly waived all claims, particularly in the case of claims which were less obviously in contemplation at the point the agreement was entered into. This approach is common practice, however, and seems unlikely to change without further case law – the ambit of the EAT’s finding is not clear and appears to contradict earlier decisions.

Bathgate v Tecnhip UK Limited (2) Technip FMC PLC (3) Technip Singapore PTE Limited

Whistleblowing – alleged “protected disclosures” struck out for not meeting statutory tests

The claimant was employed by the respondent at its London office for around twenty years. He was a journalist covering natural gas, carbon and power and was committed to reducing climate change and carbon emissions. The claimant alleged that the respondent, a leading international news outlet, was deliberately under-reporting stories relating to climate change and also alleged that, when the claimant highlighted this, the respondent retaliated by placing him on a performance improvement plan and ultimately dismissing him.

The claimant brought a whistleblowing claim. The respondent applied to strike out the protected disclosures made by the claimant. The respondent’s case was that the disclosures should be struck out because they failed to meet the statutory tests set out in section 43B(1) of the Employment Rights Act 1996 (ERA).

As a reminder, s43B(1) lies at the heart of the law of protected disclosures. It states that:

“..a [protected] disclosure means any disclosure of information which, in the reasonable belief of the worker making the disclosure, is made in the public interest and tends to show one of the following…”

The phrase “…one of the following…” refers to sub-paragraphs (a) to (f) of the section, which set out what the disclosure is about. In this case the disclosures were mostly concerned with (e) and (f). (e) is about damage to the environment and (f) is about concealing that (e) is going on. With regard to retaliation by the respondent, the claimant relied on (b), which is that the respondent failed to meet a legal obligation by unlawfully retaliating. The claimant brought a claim under (f) again, alleging that the respondent had concealed its retaliation.

The EAT examined the claimant’s disclosures. It focused on the two main objective tests which are:

• there must be a disclosure of information (as opposed to, for example, opinion); and
• the employee must reasonably believe the disclosure is in the public interest.

The first test is sometimes overlooked. When deciding whether a disclosure is information, as opposed to opinion or general sentiment, the authority is the 2018 case of Kilraine –v-London Borough of Wandsworth. In Kilraine, it was held that the disclosure (a) must be information and (b) must be information that has enough factual content and specificity to show one of the matters listed in (a)-(e). In this case most of the disclosures had to show that the respondent was damaging the environment and concealing the damage it was doing.

Satisfying the test proved more difficult that the claimant perhaps believed. The claimant had to show that the respondent, a news organisation, was responsible for damage to the environment. Few people will doubt that there is damage being done to the environment, but did the claimant’s disclosures tend to show the respondent was damaging the environment?

No. The EAT refused to accept that the respondent’s climate change coverage was damaging the environment. It accepted the claimant’s argument that he believed the respondent should be covering climate change more than it was but this was a matter of opinion, not information and even as a matter of opinion the claimant’s disclosures did not pass the legal test because they were not factual/specific enough.

The claimant was equally unsuccessful on proving (f), which was that the respondent was deliberately concealing the damage it was doing to the environment. The EAT again was very clear – there was no information tending to show that the respondent had deliberately concealed anything.

On (b), the claimant was more successful, as the EAT said that his disclosures about employer retaliation might contain enough information to show unlawful actions on the part of the respondent. However, the other point that sometimes gets overlooked is that the claimant has to prove both that the disclosure contains enough factual information to pass the Kilraine test and that it passes the “public interest” test.

This led the EAT to examine the second test, the public interest test, and satisfying this proved just as difficult for the claimant. The claimant may have believed that climate change was obviously in the public interest, but the EAT was clear that it is not the subject matter that counts, it is the disclosure itself. As the environmental damage and concealment disclosures did not pass the information test then it did not matter whether they passed the public interest test as they had already failed. This is because the disclosures have to pass both tests. However, with regard to the retaliation disclosures under (b) it was important as the first information test had been passed.

Unfortunately, the claimant failed the public interest test for his (b) disclosures. The leading authority on the public interest test is the 2018 case of Chesterton Global –v- Nurmohamed. In broad terms, to pass the Chesterton public interest test, the claimant had to show he was not the only employee affected by the respondent’s retaliation – he had to show that other employees (as well as him) were affected. He could not show this. None of the claimant’s disclosures contained anything to indicate than anyone other than the claimant had been affected – it was the claimant alone who had suffered retaliation.

Even on the “environment” disclosures, which did not pass the information test, the claimant could not satisfy the public interest test. It was clear that climate change in itself was a matter of public interest, but were the claimant’s disclosures? The claimant’s disclosures were not about climate change, they were about a news organisation allegedly under-reporting stories about climate change, and this failed to satisfy the public interest test as set out in Chesterton. The EAT drew a very clear distinction between the issue of climate change, and the claimant’s individual disclosures.

The EAT struck out the claimant’s protected disclosures which brought an end to his claim. He could only be dismissed for whistleblowing (making protected disclosures) if the disclosures passed the statutory tests in s43B(1) – and in this case they did not.

Why this matters?

This case is a reminder of just how rigorous the law of whistleblowing is. In particular, disclosures have to pass the relevant statutory tests before being classified as protected disclosures and this is not easy. It is also a reminder that even if the disclosures concern a matter of worldwide significance, it does not automatically confer whistleblowing protection on them.

Lastly, and returning to the first point, it confirms that any disclosure must not only pass the “information” test, it must also has to pass the “public interest” test. It may not be the exciting side of whistleblowing, but it shows how cases can fail at the first fence if the disclosures themselves do not pass the relevant legal tests.

Carr -v- Bloomberg LP

Redundancy – dismissal was unfair when claimant placed into a ‘pool of one’ without consultation

The claimant was a nurse employed under a series of fixed term contracts. Her close colleague was also a nurse employed in a similar role under a similar series of fixed-term contracts. The claimant (only) was invited to a meeting at which she was informed of the respondent’s financial difficulties and its need to cut costs. Shortly after the meeting the claimant was told that she alone was at risk of redundancy. This was despite the fact that the claimant and her colleague carried out very similar work and were at the same level. The claimant was not placed in a pool for redundancy selection with her close colleague. The respondent’s rationale for this was that, because the latest of the claimant’s series of fixed-term contracts expired before that of her colleague, the claimant should, of the two, be “selected” for redundancy. She would now be consulted with.

However, “consultation” consisted only of attempts to find the claimant alternative employment. There was no alternative employment and the claimant was duly dismissed by reason of redundancy. She brought a claim for unfair dismissal at the Employment Tribunal (ET).

The ET dismissed the claim. It held that decisions about how an employee was selected for redundancy were subject to the “band of reasonable responses” test under section 98(4) of the Employment Rights Act 1996 (ERA). The ET was “quite satisfied” that the respondent’s decision to dismiss the claimant, based on her fixed-term contract expiring before that of her colleague (and effectively placing her in a pool of one), fell within the band of reasonable responses open to a reasonable employer. This was despite the fact that the respondent conceded that the earlier expiry of a fixed-term contract was the only reason for selecting the claimant for redundancy over her colleague, and that no alternative to this was considered or made the subject of consultation. It was also admitted that redundancy consultation for the claimant was limited to a search for alternative employment. The claimant appealed.

The EAT, in a judgment that criticised for ET for not exploring sufficiently the issue of reasonableness, allowed the appeal and found the dismissal to be unfair.

The EAT found the decision to use the expiry date of a fixed-term contract as a reason to dismiss the claimant by reason of redundancy to be (a) arbitrary, (b) outside the reasonable band of responses and (c) made without any form of consultation. It was held that consultation is a fundamental part of any fair redundancy procedure. It was noted that for consultation to be “genuine and meaningful”, it must take place at an early stage and, possibly most importantly, when the employee still has the ability to potentially influence, have some input into, or at least have some form of dialogue about the outcome. What is the point of meaningful consultation if, as far as the employee is concerned, it has no effect and the decision to dismiss has already been made?

The EAT went so far as to say that the decision to select the claimant for redundancy on such an arbitrary basis, and without consultation, was a potential breach of the implied term of mutual trust and confidence.

Why this matters

This decision emphasises the importance of both redundancy consultation and pooling.

In terms of consultation, the ET was very clear that the process should have started earlier and at a stage where the employee could have some influence or input into the outcome.

This seems to be saying that employers need to consult in advance about (a) who is pooled and (b) selection criteria. However, employers should also should bear in mind that the facts of this case are very unusual. A pool of one will by definition be unusual and likely to be unreasonable. If the pool had been larger than one, which is normally the case, the decision may have been different. The EAT said it would only interfere in an employer’s decision regarding redundancy processes and pooling in unusual circumstances. It seems to follow from the EAT’s reasoning that, in most cases, an employer’s decision to pool multiple employees and to choose specific selection criteria will not necessarily require prior consultation, although notification might be advisable. The reason is that, if there is more than one employee in the pool, consultation after the pooling stage will not be meaningless, and there will still be a potential for employees to affect the ultimate outcome. In this case the employer had contrived to reduce the pool down to one and, once that was done, dismissal was inevitable and consultation meaningless.

In terms of pooling, the case reinforces the point that a pool of one is problematic. The EAT seemed to acknowledge that a pool of one can be fair in appropriate circumstances, but they did not elaborate as to what circumstances that could be. The circumstances would surely be very rare, and in this case a pool of one was found to be both unfair and outside the band of reasonable responses, which is not encouraging.

Mogane v Bradford Teaching Hospitals NHS Foundation Trust

News roundup

Government introduces Bill to force minimum service levels during rail/transport strikes

The Government has introduced the Transport Strikes (Minimum Service Levels) Bill, which will make provision for compulsory minimum service levels in specified transport services during periods of strike action. In addition, if the Bill becomes law, it will provide that that trade unions will lose their immunity from liability for industrial action if they fail to take reasonable steps to ensure that the persons required to work to ensure minimum service levels do not take part in the strike.

APPG publishes report into impacts of menopause

On 12 October, the All-Party Parliamentary Group on Menopause (APPG) published a report on the impacts of menopause and the case for policy reform. The APPG was established in 2021 by Carolyn Harris MP to tackle the lack of understanding around menopause among policymakers, the public and employers. The report marks the conclusion of its inquiry and contains a section dedicated to menopause in the workplace, which the APPG confirms was one of the issues that attracted the most interest during the inquiry.

ICO guidance on monitoring at work

The Information Commissioner’s Office (ICO) has published its draft guidance on monitoring at work. The guidance is open for consultation until January 2023. The ICO is publishing its draft guidance on employment practices in stages with this guidance being the first.  It covers areas such as:

• webcams and screenshots;
• monitoring of timekeeping;
• keystroke monitoring to capture and log keyboard activity;
• productivity software that logs how employees spend their time; and
• tracking internet activity and keystrokes.

Click Here for the Original Article

UK – 10 changes to immigration rules this Autumn

Key changes for businesses this October

• The Seasonal Worker route has been expanded again to include roles in the poultry sector. This means that between 18 October to 31 December each year, workers wanting to take up very specific jobs in poultry (such as bird / game dressers, trussers and poultry meat packers) can come to the UK to work. They will need to be sponsored by an approved scheme operator (an overarching body regulated by DEFRA and licenced by the Gangmaster Authority) who will have overall responsibility for the worker’s welfare, including ensuring they are paid the correct wage. The worker will be placed with a UK employer who must pay the worker at least £25,600 per year (pro-rated to account for their time in the UK) and ensure they work at least 30 hours a week.
• Nationals of Columbia, Guyana and Peru have been granted non-visa status. This means people from these countries can come to the UK as visitors without having to formally apply for a visa in advance. They must still travel within the confines of the visitor rules while in the UK and may be questioned by immigration officials at the border as to the purpose of their visit. Nationals should therefore travel with evidence that their visit is for business purposes, including letters from their overseas employer and UK host confirming the purpose of the visits.
• There has been quite a significant but small change to the Global talent route, specifically those seeking endorsement under the Arts and Culture, and Digital Technology routes. The Arts Council will require the 3 letters in support of the endorsement to come from people or organisations who have worked directly with the applicant. Similarly, applicants under the digital technology strand of this route will have to provide 3 letters of support from organisations who have knowledge of the applicant’s talents in the previous 12 months.
• The police registration scheme has been formally abolished. This change took effect in practice in August and removed the requirement for migrants in certain categories to register with the Police when they arrived in the UK.
• Adult children of Hong Kong BN(O) Household Members will be able to apply for status independently of their parents.
• Nationals of British Overseas Territories have been added to the majority English speaking list. This means nationals of these countries do not need to prove their English language abilities when applying for visas.
• The Global Business Mobility Service Supplier route is being updated to enable permanent residents of Australia and New Zealand to apply under this route if the services they want to provide in the UK are covered by trade agreements between their county and the UK. Australians applying under this route will also be able to stay in the UK for 12 months.
• Sponsors in all work routes will be able to make temporary reductions to migrant’s pay if they have to reduce their hours due to health reasons, including phased returns to work. If this is the case, an occupational health report must be produced and the minimum hourly rates (which for workers sponsored under the skilled worker route is £10.10 per hour), must still be met.

Other important changes

• A new route is being introduced which will give temporary permission to stay for victims of modern slavery. Applicants must be confirmed victims of slavery or trafficking who are in the UK, which means they must first get a decision on their status as a victim. Successful applicants (including children) will then be given permission to stay in the UK for 30 months, but they can then renew that permission providing they still meet the eligibility criteria. The Home Office must be satisfied that if they grant permission, this will help the applicant recover from physical or psychological harm, enable them to seek compensation and co-operate with officials in investigating the exploitation. Permission will not be granted if the Home Office feels the applicant could get help abroad.
• The Ukrainian extension scheme will allow Ukrainians who have permission to stay in the UK for any period between 18 March 2022 and 16 May 2023 to extend their stay to 36 months, which will help anyone who only received a temporary permission. Applications must be made by 16 November 2023.

When do these changes come into effect?

Most of the changes for businesses come into effect on 9 November 2022 but not all. For example, the expansion of the seasonal worker route took effect on 18 October and the new route for victims of modern slavery will open on 30 January 2023.

What does this mean for businesses?

The changes as a whole do not mean a great deal for businesses but there are some helpful tweaks. For example, removing the need for Columbian nationals to apply for visitor visas in advance of travel to the UK, or the expansion to the seasonal worker route for poultry workers which will no doubt help turkey sales in the lead up to Christmas.

More notably are the changes that are missing. For example, many hoped that the investor route would be re-opened this Autumn after the route closed earlier this year in response to the war in Ukraine. The investor route is often the only route available to wealthy individuals wanting to come to the UK to invest and create new businesses. The fact it was not included does not necessarily mean this route will forever be closed to investors into the UK, and we will have to keep a close eye on developments in this area.

Click Here for the Original Article

European Commission Publishes Draft Adequacy Decision for EU-US Data Transfers

On 13 December 2022, the European Commission published its draft adequacy decision for the EU-US Data Privacy Framework. The draft decision aims to address the concerns raised by the Court of Justice of the European Union (“CJEU“) in its Schrems II decision in July 2020. Publication of the draft adequacy decision follows the signature of US Executive Order 14086 by President Biden on 7 October 2022, along with a US Regulation establishing a two-layer redress mechanism which includes a new Data Protection Review Court (previously discussed here).

If adopted by the European Commission, the adequacy decision will allow European data exporters to transfer personal data freely to US certified organisations, without the need to put in place a data transfer tool under Article 46 of the GDPR (such as the Standard Contractual Clauses) or to carry out and document a transfer impact assessment. The final adequacy decision is not expected before Spring 2023.

The Draft Adequacy Decision

The draft adequacy decision reflects the assessment by the European Commission of the US legal framework and concludes that the US ensures an adequate level of protection for personal data transferred from the EU to US certified companies.

US companies will be able to join the EU-US Data Privacy Framework by committing to comply with a detailed set of privacy obligations, including the requirement to delete personal data when it is no longer necessary for the purpose of its collection, and to ensure continuity of protection when personal data is shared with third parties. EU citizens will be able to benefit from several redress avenues if their personal data is handled in violation of the Framework, including independent dispute resolution mechanisms and an arbitration panel. In addition, the US legal framework provides for a number of limitations and safeguards regarding access to data by US public authorities, in particular for criminal law enforcement and national security purposes. This includes the new rules introduced by the US Executive Order 14086.

Next steps

The draft adequacy decision has now been sent to the European Data Protection Board (“EDPB“) for its non-binding opinion. Following this, the European Commission will seek approval from a committee composed of representatives of the EU Member States. The approval requires 55% of EU countries (15 out of 27) representing at least 65% of the total EU population. In addition, the European Parliament will have the right to review the adequacy decision, but its position will be non-binding. Once this process is completed, the European Commission can proceed with adopting the final adequacy decision.

The functioning of the EU-U.S. Data Privacy Framework will be subject to periodic reviews, which will be carried out by the European Commission, together with European Data Protection Authorities, and the competent US authorities. The first review will take place within one year after the entry into force of the adequacy decision.

The European Commission’s press release is available here, and the Q&As here.

Click Here for the Original Article

Key changes in data privacy legal framework in Argentina

During the past days there have been important changes in the Data Protection sector, with the incorporation of two new regulations.

a. Congress approved the law on ratification to the Amending Protocol with respect to the Automated Processing of Personal Data (the “Convention“)

The Convention was the first binding international instrument which protects the individual against abuses which may accompany the collection and processing of personal data, and which seeks to regulate at the same time the international flow of personal data.

We set out the key changes brought by the Conventions as follows:

• Prohibition of processing of “sensitive” data, it also broads the definition of sensitive data by including genetic data, criminal records and biometric data.
• Recognition of the right of data subjects not to be subject to a decision that significantly affects them and that is based solely on automated data processing, without their views being considered.
• Obligation to notify, at least to the competent authority, those security incidents that may seriously interfere with the fundamental rights and freedoms of data subjects.
• Restriction on the rights laid down in the Convention are only possible when overriding interests (e.g. State security, defense, etc.), are at stake.
• Restrictions on transborder flows of personal data to States where legal regulation does not provide equivalent protection (which is already contemplated in some Resolutions issued by the local Data Protection Authority).
• The Convention encourages local authorities to act with independence and impartiality to ensure compliance with data protection principles and to strengthen the rules on cross-border data flows.

b. Creation of a foreign entities Register of Databases to guarantee the full enjoyment of subject data’s rights

The Agency of Access to Public Information (“AAIP) has published in its website, the creation of the Register of Personal Databases for foreign entities. As a consequence of this, foreign entities that are not registered locally must appoint a representative who will be responsible for the registration of any database that include information of Argentinean residents before the AAIP. This representative will be also responsible for any modification or cancellation of such database.

As a reminder, any personal database must be registered with the Agency of Access to Public Information. Registration requires the following information:

• the name and domicile of the person in charge of that database;
• the characteristics and purpose of the database;
• the nature of the personal data contained in each file;
• the method of collecting and updating the data;
• the recipients to whom such data may be transmitted;
• the manner in which the registered information can be interrelated;
• security measures;
• data retention period; and
• means for individuals to access, correct and update their data.

c. Finally, The Data Protection Authority Resolution No. 244/2022 has set the amounts of the administrative fines that may apply when a company is sanctioned more than once for the same conduct, as follows:

• Moderate — up to AR$3,000,000 (US$; 17,647 at the current exchange)
• Severe — up to AR$10,000,000 (US$; 58,823 at the current exchange)
• Very severe — up to AR$15,000,000 (US$; 88,235 at the current exchange)

Click Here for the Original Article

MISCELLANEOUS DEVELOPMENTS

‎Cookie Banners Under the CCPA/CPRA

We recently provided an update regarding the California Privacy Protection Agency’s modified regulations (the “Regulations”) for the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act (the “CCPA”). In that update, we briefly discussed new requirements regarding website popups, including cookie banners.

The Regulations require Businesses to design and implement methods for consumers submitting CCPA requests and “obtaining consumer consent” that incorporate the following principles:

• Language that is easy to understand;
• Symmetry in choice, meaning the business shall not make it more difficult to exercise a more privacy-protective option than a less privacy-protective option;
• Avoids language that is confusing to the consumer;
• Avoids using choice architecture that impairs or interferes with the consumer’s ability to make a choice; and
• Designed in a way that it is easy to execute.

Regarding “symmetry in choice,” the Regulations specifically require:

The path for a consumer to exercise a more privacy-protective option shall not be longer or more difficult or time-consuming than the path to exercise a less privacy-protective option because that would impair or interfere with the consumer’s ability to make a choice. Illustrative examples follow.

A website banner that provides only the two choices when seeking the consumer’s consent to use their personal information, “Accept All” and “More Information,” or “Accept All” and “Preferences,” is not equal or symmetrical because the method allows the consumer to “Accept All” in one step, but requires the consumer to take additional steps to exercise their rights over their personal information. Framing the consumer’s options in this manner impairs the consumer’s ability to make a choice. An equal or symmetrical choice could be “Accept All” and “Decline All.”

While the above language does not call out cookie banners or cookie pop-ups, the symmetry in choice requirement applies to any method used to “obtaining consumer consent.” Providing a cookie banner and having the consumer select Accept or Decline is obtaining the consumer’s consent to place cookies and use other technologies on their device. Additionally, the illustrative example provided by the California Privacy Protection Agency seems to be drafted with cookie banners in mind since many cookie banners ask users to “Accept All” or “Preferences” if they wish to either accept or opt-out of specific cookies. This will no longer be sufficient as it would require more steps from the consumer to decline certain cookies.

Possible options would be to change the two choices to “Accept All” and “Decline All Non-Essential Cookies” (with an effective opt-out/decline mechanism), or make the choice “Select Cookie Preferences” and take the user to the “Cookie Policy” page where they have the symmetrical option to accept or decline certain cookies.

To note, the CCPA does NOT require Businesses to have cookie banners on its website. This simply applies to Businesses that choose to have a cookie banner. Many Businesses are choosing to include a cookie banner due to other data protection laws and regulations around the world, including the European Union’s General Data Protection Regulation.

Click Here for the Original Article

Does a business have to provide a privacy notice directly to a consumer if it obtains the consumer’s data from a third party (i.e., purchases it)?

Modern data privacy statutes require that organizations inform individuals about the organization’s privacy practices by creating a privacy notice (sometimes referred to as a privacy policy or a notice at collection). Some data privacy statutes provide specific directions regarding how the privacy notice must be distributed. For example, the California Consumer Privacy Act and the California Privacy Rights Act expressly require that a privacy notice be posted on a company’s website (if the company has a website), and a notice at collection be provided anytime a company collects personal information directly from a consumer. California does not require, however, that a company directly provide consumers with a privacy notice in situations in which the company obtains the consumer’s information from a third party (e.g., purchases it). This contrasts with other privacy regimes (e.g., the European GDPR) which require privacy notices to be distributed directly to a consumer even when an organization obtains the information from a third party, unless the organization can demonstrate that distribution would pose a disproportionate effort.

Most of the other U.S. modern data privacy statutes do not prescribe when, and how, a privacy notice should be distributed, stating only that a controller is under an obligation to make the privacy notice “accessible.” The following chart compares and contrasts the distribution strategy required by modern state privacy statutes.

Click here for a side-by-side comparison of the distribution strategy required by the modern data privacy laws.

Click Here for the Original Article