February 2021 | Compliance Update

Federal Developments

CDC Expands Guidance On Informed Consent To Support Workplace SARS-CoV-2 Testing
As employers continue to grapple with a safe return to the workplace, the U.S. Centers for Disease Control and Prevention (CDC) issued new guidance for businesses and employers on SARS-CoV-2 testing of employees, as part of a more comprehensive approach to reducing transmission of the virus in non-healthcare workplaces. SARS-CoV-2 is the virus that causes COVID-19.

While the CDC had already released some guidance on the matter of workplace testing (last updated in October 2020), the guidance issued on January 21, 2021, places a new emphasis on informed consent prior to testing and the measures an employer can take to ensure employees are fully supported in their decision-making.

The CDC’s guidance states:

Workplace-based testing should not be conducted without the employee’s informed consent. Informed consent requires disclosure, understanding, and free choice, and is necessary for an employee to act independently and make choices according to their values, goals, and preferences.

Emphasis in original.

For employers that have required employees to submit to COVID-19 viral testing in order to enter the workplace consistent with Equal Employment Opportunity Commission (EEOC) guidance, the CDC’s reference to an informed consent may appear a bit tardy. However, while the CDC’s guidance appears to set standards for meaningful informed “consent,” it does not appear to prevent employers from requiring testing that does not include all of the “elements of consent” and “recommended disclosures” referenced in the guidance. Nor does it appear to prevent employers from requiring testing as a condition of entering the workplace. The CDC’s guidance clearly recommends, however, that employers provide employees:

complete and understandable information about how the employer’s testing program may impact employees’ lives, such as if a positive test result or declination to participate in testing may mean exclusion from work.

Emphasis added.

Basic Considerations
When developing a SAR-CoV-2 testing program, according to the CDC, an employer should first address some basic considerations. For example:

  • Why is the employer offering the test to begin with
  • How frequently will employees be tested
  • How to effectively obtain employee consent
  • What to do if an employee declines to be tested

Key Measures to Implement
The CDC provides a list of key measures an employer should implement when developing an SAR-CoV-2 testing program in the workplace to ensure employee informed consent and a supportive environment:

  • Ensure safeguards are in place to protect an employee’s privacy and confidentiality.
  • As noted above, provide complete and understandable information about how the employer’s testing program may impact employees’ lives, such as if a positive test result or declination to participate in testing may mean exclusion from work.
  • Explain any parts of the testing program an employee would consider especially important when deciding whether to participate. This involves explaining the key reasons that may guide their decision.
  • Provide information about the testing program in the employee’s preferred language using non-technical terms. Consider obtaining employee input on the readability of the information. Employers can use this tool provided by the CDC to create clear messages.
  • Encourage supervisors and coworkers to avoid pressuring employees to participate in testing.
  • Encourage and answer questions during the consent process. The consent process is active information sharing between an employer or their representative and an employee, in which the employer discloses the information, answers questions to facilitate understanding, and promotes the employee’s free choice.

In addition, in order to ensure informed consent, an employee must be provided certain disclosures regarding the workplace testing program. Of course, the disclosures must include those required in the U.S. Food and Drug Administration (FDA) emergency use authorization patient fact sheet external for the particular test, such as the type of the test, how the test will be performed, and known and potential risks. Importantly, these disclosures must be provided during the consent process; meaning, employers will have to know this information and ensure it is provided to employees prior to the employee agreeing to the test.

Employers will need to consider which aspects of the testing program may be more relevant than others to an employee’s decision whether to accept an offered test and include the appropriate disclosures. Areas to consider include:

  • The process for scheduling tests and how the cost of the tests will be covered;
  • What employees should expect at the testing site (e.g., screening);
  • Recommended next steps if an employee tests positive; and
  • What assistance is available should an employee be injured while the test is administered.

Privacy and Security Issues
There are, of course, privacy and security issues to consider when implementing such a program. For example, an employer must consider what personal information the employee will need to provide to the test provider (e.g., name, date of birth, insurance, and so on), the test results to follow, and the myriad of issues that arise once that information is obtained. For example:

  • Whether, where, and for how long the employer will retain the results?
  • How will personal information be kept confidential and secure and how will the employer keep the results confidential and secure?
  • Who will have access to the results?

The employee’s test results will be considered confidential medical information and, while not subject to HIPAA in the employer-employee context, this information still may be protected under state statutory and common law. Consider, for example, that some states, (such as California and Florida) include “medical information” as part of the definition of “personal information” under their breach notification laws. Accordingly, if that information is breached, which could include access to the information by an unauthorized party, notification to affected individuals and relevant state agencies may be required. Additionally, statutory and common law obligations exist requiring employers to safeguard employee personal information, which may include information about their physical health, such as test results or information provided by the employee before taking the test.

Thus, maintaining reasonable safeguards to protect such information is prudent. This might include access management measures and record retention and destruction policies. It also may include having clear guidelines for making disclosures of this information and determining whether an authorization is needed before such information may be disclosed to, or accessed by, a third party.


The COVID-19 pandemic continues to completely reshape workplace practices, and we have certainly entered a “new normal.” In addition to the CDC’s guidance, the EEOC has issued guidance on best practices for workplace identification of employees who have been vaccinated. Further, temperature and symptom screening protocols in the workplace have been mandated or recommended by nearly every state and city across the U.S. These measures are essential in halting the spread of the virus and ensuring a safe and healthy workplace and workforce. Nevertheless, organizations must consider the legal risks, challenges, and requirements before implementing such measures.

New Fair Housing Initiative Prohibits Discrimination Based On Sexual Orientation, Gender Identity
On Feb. 11, the U.S. Department of Housing and Urban Development (HUD) announced that it will enforce the Fair Housing Act to prohibit discrimination on the basis of sexual orientation and gender identity.

The announcement follows a recent executive order in which President Joe Biden directed all executive branch agencies to examine further steps that could be taken to combat such discrimination. HUD’s new interpretation of the Fair Housing Act expands the prohibition of discrimination based on sex to include discrimination based on sexual orientation and gender identity based on the Supreme Court’s decision in Bostock v. Clayton County, Georgia, which held that Title VII’s prohibition on discrimination based on sex encompasses sexual orientation and transgender status.

HUD specifically announced that it would be taking the following enforcement activities:

  • HUD will conduct all activities involving the application, interpretation and enforcement of the Fair Housing Act’s prohibition on sex discrimination to include discrimination because of sexual orientation and gender identity.
  • HUD will accept and investigate all jurisdictional complaints of sex discrimination, including discrimination because of gender identity or sexual orientation, and enforce the Fair Housing Act where it finds such discrimination occurred.
  • State and local jurisdictions funded by HUD’s Fair Housing Assistance Program (FHAP) that enforce the Fair Housing Act through their HUD-certified substantially equivalent laws will be required to administer those laws to prohibit discrimination because of gender identity and sexual orientation.
  • Organizations and agencies that receive grants through the department’s Fair Housing Initiative Program (FHIP) must carry out their funded activities to also prevent and combat discrimination because of sexual orientation and gender identity.
  • HUD (and organizations receiving HUD grants) will review all records of allegations received in the last year and notify persons who alleged discrimination because of gender identity or sexual orientation that their claims may be timely and jurisdictional for filing under this memorandum.


New OSHA Guidance On Mitigating And Preventing The Spread Of COVID-19 In The Workplace
In response to President Biden’s Executive Order requiring action to protect workers amid the COVID-19 pandemic, the Occupational Safety and Health Administration (“OSHA”) released a comprehensive new guidance document for employers, titled: Protecting Workers: Guidance on Mitigation and Preventing the Spread of COVID-19 in the Workplace. Although much of the guidance document focuses on safety principles previously expressed by OSHA and other state and federal entities, the new guidance does highlight several new and notable mitigation and prevention measures. The guidance does not create any new legal obligations as of yet, although employers should review the guidance document, and take note, as it provides insight into what the new Administration will expect moving forward. It also provides helpful strategies and best practices to identify risks of exposure and contraction in workplace settings.

To summarize, some of the new mitigation and prevention measures include:

The creation of an employer-implemented COVID-19 Prevention Program in the workplace. OSHA recommends that employers engage workers and their union or other representatives in the development of a COVID-19 Prevention Program. Per OSHA, key elements of the program should include:

  • The assignment of a workplace coordinator to be responsible for COVID-19 issues;
  • Conducting a hazard assessment to determine where and how workers might be exposed to COVID-19 while at work;
  • Identifying a combination of measures that limit the spread of COVID-19 in the workplace, prioritizing controls from most to least effective;
  • Suppressing the spread by using face coverings, and by providing face coverings to all workers at no cost. This includes considering reasonable accommodations for any workers who are unable to wear face coverings due to a disability;
  • Communicating with, educating, and training workers on the COVID-19 policies and procedures in a language they understand, and in a manner that can be accessible to those with disabilities;
  • Consideration of protections for workers at higher risk for severe illness (for example, older adults and people who have serious underlying medical conditions) through supportive policies and practices;
  • Instructing workers who are infected or potentially infected to stay home and isolate/quarantine to prevent or reduce the risk of transmission. This includes ensuring that absence policies are non-punitive, and minimizing the negative impact of quarantine/isolation on workers;
  • Adopting measures to ensure that workers who are infected or potentially infected are separated and sent home from the workplace;
  • Implementing protections from retaliation for workers who raise COVID-19 related concerns, which includes consideration of a hotline or other method for workers to voice concerns anonymously;
  • Performing enhanced cleaning and disinfection after people with suspected or confirmed COVID-19 have been in the building;
  • Providing guidance on screening and testing, as well as information and training on the benefits and safety of vaccinations. Of note, OSHA recommends in this guidance that employers should make a COVID-19 vaccine or vaccination series available at no cost to all eligible employees; and
  • Following all recording and reporting requirements. Remember, employers are responsible for recording work-related cases of COVID-19 illness on their FORM 300 logs when: (1) the case is a confirmed case of COVID-19; (2) the case is work-related; and (3) the case involves one or more relevant recording criteria (for example, medical treatment, days away from work). Employers must also follow certain requirements when reporting COVID-19 fatalities and hospitalizations to OSHA. More information is available on OSHA’s website. Employers should also report outbreaks to health departments as required and support their contact tracing efforts.

Not distinguishing between workers who are vaccinated and those who are not. The OSHA guidance specifically states that a key aspect of the COVID-19 Prevention Program is that workers who are vaccinated “must continue to follow protective measures, such as wearing a face covering and remaining physically distant, because at this time, there is no evidence that COVID-19 vaccines prevent transmission of the virus from person-to-person.” This may change as experts learn more about the protection that COVID-19 vaccines provide, but for now, do not distinguish protocols between workers who are vaccinated and those who are not.

Improving ventilation. The CDC has released important guidance about ways to improve ventilation and prevent the spread of COVID-19 in buildings, and OSHA provides a number of strategies as well within their guidance, with a specific reference to the American Society of Heating, Refrigerating and Air-Conditioning Engineers’ (“ASHRAE”) Guidance for Building Operations During the COVID-19 Pandemic. Of note, OSHA states that if ventilation cannot be increased, the employer should reduce occupancy level in the building. In addition, OSHA recommends the use of portable high-efficiency particulate air (“HEPA”) fan/filtration systems to help enhance air cleaning and encourages ultraviolet germicidal irradiation (“UVGI”) as a supplement to help inactivate SARS-CoV-2.

Emphasis was also placed on:

  • Implementing physical distancing;
  • Installing barriers where physical distancing cannot be maintained;
  • Providing supplies for good hygiene;
  • Routine cleaning and disinfection;
  • Using PPE in accordance with OSHA standards when necessary; and
  • Following other existing OSHA requirements applicable to COVID-19 hazards.

Each of the aforementioned elements is discussed in more detail in the OSHA guidance. Although this guidance is not mandatory and does not carry the weight of an OSHA standard, it is important to read and take appropriate measures to provide a safe environment, especially since OSHA may issue an emergency temporary standard (“ETS”) with similar mandatory provisions soon. As such, stay alert for more from OSHA on enforceable COVID-19 precautions. In addition, continue to monitor the CDC, EEOC, and state and local guidance in an attempt to keep your workplace free from recognized hazards.

State Developments

Virginia Becomes First State To Pass Permanent Workplace Coronavirus Rules
Virginia became the first state to issue mandatory COVID-19 workplace safety rules via an emergency temporary standard (“ETS”) executed on July 15, 2020. The temporary standard expired on January 26, 2021 but the Virginia Department of Labor and Industry’s Safety and Health Codes Board (the “Board”) has recently taken steps to ensure the protection for workers will continue beyond its expiration. On January 13, 2021 in a 9-4 vote, the Board passed permanent workplace virus safety regulations that mirror but also enhance those in the ETS. The permanent regulations became effective on January 27, 2021, with announcements being made on the DOLI website, found here, and in the Richmond Times Dispatch, found here.

Key Takeaways
The ETS imposed COVID-19 workplace safety requirements on employers, such as mandating the use of personal protective equipment (“PPE”), disinfection and sanitation, and employee training, among others. While the permanent standard mirrors the ETS in many ways, it also contains additions and revisions. These include: amended requirements for ‘face coverings’, clarification for employers on the meaning of ‘minimal occupation contact’ for differentiating between “medium” and “low” risk workplaces, implementation of a symptoms based strategy for returning to work, and updated worksite airflow and ventilation requirements.

Employers in the Commonwealth should consult the final regulations, available here, to ensure they are in compliance.

More Detail
The ETS found here, applied to most private employers and some state and local employers as well, and were “designed to establish requirements for employers to control, prevent, and mitigate the spread of [the COVID-19] virus to and among employees and employers.” See Virginia Department of Labor and Industry News Release (July 27, 2020) available here. The ETS attempted to minimize the transmission of the virus between employees by setting workplace standards and reporting obligations. The standards provided guidance for determining risk exposure and categorized jobs by risk level. We previously reported on those workplace standards and obligations here. As noted in the permanent regulations Draft Agenda, found here, the purpose of the permanent regulations is to “mirror, to the extent possible” the ETS, to ensure the protections for workers provided under the former ETS continues for as long as necessary.

Per the Board’s draft meeting agenda, the decision to adopt permanent rules came after a 60 day written comment period spanning from August to September 2020, and a public hearing on September 30, 2020. The Board stated that they received, “993 written comments through the Virginia Regulatory Townhall for the 60 day written comments period…[and] 33 written comments sent directly to the Department…[plus] 29 oral comments received during the public hearing.” See Commonwealth of Virginia Department of Labor and Industry Draft Agenda: Safety and Health Codes Board Meeting (Jan. 12, 2021) available here. Based on the public comments, the Board developed the permanent standard, which subsequently went into effect on January 27, 2021.

Employers Affected
Like the ETS, the permanent standard, found here, applies to employers in the Commonwealth of Virginia that fall under the jurisdiction of the Virginia Occupation Safety and Health jurisdiction, which includes most private employers and some state and local employers as well.

The Permanent Standard Revisions and Additions

  1. Face Coverings: By amending the definition of ‘face covering,’ the permanent standard requires face coverings to be made of two or more layers of fabric, and not include valves or vents. In addition, new language requires employees to wear face coverings in work vehicles with other employees and when engaging in “low risk” job tasks that cannot accommodate six feet of space between employees.
  2. Clarification of What Constitutes “Medium” vs. “Low” Risk: Under the ETS, “medium” exposure risk hazards or job tasks, which correspond with more workplace safety rules than those considered “low” risk, were defined as those that “require more than minimal occupational contact inside six feet” with employees or other individuals in the workplace. The new regulations provide more clarity on what “minimal occupational contact” means, defining it as “no or very limited, brief, and infrequent contact with employees or other persons at the place of employment.”
  3. Notification Requirement: Employers are now required to notify the Department if two or more employees have tested positive for COVID-19 within 14-days of being present at the worksite.
  4. Symptom Based Return to Work: The permanent standard includes a symptoms based strategy for return to work. Importantly, the new standard now requires employees who are suspected to be infected with COVID-19 (regardless of whether they have actually tested positive for COVID-19), be excluded from the workplace until three conditions have been met: (1) the employee is fever-free for at least 24 hours, (2) all respiratory symptoms have improved, and (3) at least 10 days have passed since the symptoms appeared. Furthermore, asymptomatic employees who test positive for COVID-19 are excluded from returning to work for 10 days following the date of their positive test.
  5. Face Shields: The permanent standard clarifies that while face shields are not a substitute for masks, they may be used by people with medical conditions preventing the use of an otherwise suitable face covering.
  6. Updated Airflow and Ventilation Requirements: In addition to the requirements under the ETS, the new regulations require that worksites or jobs categorized as very high, high, or medium exposure must, where possible, be designed to increase total air supply and utilize natural ventilation. It also requires the inspection of filters to ensure clean ventilation. The regulations do not mention any specific training requirement, but employers should pay special attention to any subsequent guidelines that are released.
  7. Infectious Disease Preparedness and Response Plan: The new regulations add language requiring the plan “consider and address the level of [COVID-19] disease risk associated with various places of employment …[including] situations where employees work during higher risk activities involving potentially large numbers of people or enclosed work spaces at large social gatherings.” In assessing risk, employers should refer to the amended definition of ‘minimal occupational contact’ to determine whether the job/worksite exceeds the definition.
  8. Trainings: The new regulations require employers with jobs or worksites classified as ‘very high’ or ‘high’ provide training to all employees, regardless of the employees’ individual risk classification. Such employers must provide training on (1) the employer’s infectious disease preparedness and response plan; (2) information pertaining to the characteristics, symptoms, and methods of spread of COVID-19, and (3) safe work practices.

Important Dates

  • Training requirements take effect March 26, 2021.
  • The requirement that employers develop an infectious disease prevention and response plan likewise takes effect on March 26, 2021

Notably, in lieu of complying with the permanent standards, employers are allowed to comply with mandatory and non-mandatory CDC guidelines, provided such guidelines provide equivalent protection to the permanent standard.

Virginia Set To Become Second State To Pass A Comprehensive Privacy Law
The long wait to see if any state would join California in passing a comprehensive privacy law is finally coming to an end, as the Virginia Senate passed the Virginia Consumer Data Protection Act (CDPA) on February 3. An identical version of the bill had already passed the Virginia House of Delegates on January 29, which means that reconciling the two versions of the bill before the February 11 deadline will likely be a mere formality. The bill will then be sent to the governor of Virginia for his signature. Should it be signed into law, the Virginia CDPA will go into effect on January 1, 2023, the same day as the California Privacy Rights Act (CPRA).

The CDPA borrows principles from the CPRA, the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR) but also differs from all three in key respects. Below we have summarized the key provisions of the CDPA. We will continue to provide updates as the bill moves through the Virginia legislature.

  1. Applicability. The CDPA borrows from the CCPA in terms of using threshold requirements to determine applicability. The law applies to “persons that conduct business in [Virginia] or that produce products or services that are targeted to residents of [Virginia] and that: 1) during a calendar year, control or process personal data of at least 100,000 Virginia residents or 2) control or process personal data of at least 25,000 Virginia residents and derive over 50 percent of gross revenue from the sale of personal data.”
  2. Exemptions. Despite being labeled a “comprehensive” privacy law, the CDPA has a number of exemptions (much like the CCPA and CPRA). Some of these exemptions are similar to those in the CCPA and CPRA, but in some cases they are broader than those in the other two laws. For example, instead of only exempting information that is subject to the Gramm-Leach-Bliley Act (GLBA) or protected health information under the Health Information Portability and Accountability Act (HIPAA), the CDPA does not apply to “financial institutions…subject to [the GLBA]” or to any “covered entity or business associate governed by [HIPAA].” The law also exempts information subject to most other federal laws, such as information regulated by the Family Education and Privacy Act, the Fair Credit Reporting Act, the Farm Credit Act, the Children’s Online Privacy Protection Act (COPPA), and the Driver’s Privacy Protection Act.
  3. Controller/processer distinction. Like the GDPR (and unlike the CCPA, which distinguishes between “businesses” and “service providers”), the CDPA uses a controller/processor dichotomy to distinguish between entities that are responsible for determining the purposes and means of processing personal data and the entities that process personal information on their behalf. Like the GDPR, the CDPA creates specific obligations for both controllers and processors (and both can be held liable under the law).
  4. Broad definition of personal data. Similar to the other three privacy laws discussed, the CDPA has a broad definition of “personal data.” It defines the term as “any information that is linked or reasonably linkable to an identified or identifiable natural person.” The definition of personal data explicitly excludes publicly available information and de-identified data (and the law has specific standards for how businesses must treat de-identified data).
  5. Inclusion of sensitive data category. The CDPA has a separate category labeled “sensitive data” that is defined as 1) personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status; 2) genetic or biometric data (used for the purpose of identifying a natural person); 3) personal data collected from a child; or 4) precise geolocation data. Controllers may only process sensitive data with consumer consent (or with parental consent in accordance with COPPA, in the case of children’s data).
  6. Individual rights. Like all three laws previously discussed, the CDPA creates individual rights for Virginia residents that are protected under the law. These include 1) the right to access; 2) the right to amend; 3) the right to delete; 4) the right to data portability; and 5) the right to opt out of the processing of personal data for the purposes of targeted advertising, sale and profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
  7. Data protection assessments. Like the GDPR and CPRA, the CDPA requires entities to conduct data protection assessments when processing data in certain contexts. Specifically, the CDPA requires a data protection assessment when a controller is 1) processing personal data for the purposes of targeted advertising; 2) selling personal data; 3) processing personal data for purposes of profiling (in certain contexts); 4) processing sensitive data; and 5) conducting any processing activity that presents a heightened risk of harm to consumers.
  8. Enforcement. Like the CCPA, the CDPA is enforceable through civil actions brought by the attorney general and also includes a 30-day cure provision. Penalties under the CDPA for both controllers and processors can be as high as $7,500 per violation. Unlike the CCPA, the CDPA does not have any private right of action, even for security incidents.


Philadelphia Amends Ordinances Regulating Employer Use Of Criminal And Credit History Information
SeyfarthShaw Synopsis: On January 20, 2021, Philadelphia Mayor Jim Kenney signed three bills amending the city’s ordinances regulating employer use of criminal and credit history in employment screening. All employers with workers in the City of Philadelphia should immediately assess their screening programs and make necessary adjustments.

The City Expands its “Ban-the-Box” Ordinance
Since 2015, Philadelphia’s “Fair Criminal Record Screening Standards” (FCRSS) has required employers that use criminal history for pre-hire screening purposes to, among other things, defer any inquiries about criminal history until after a conditional offer of employment, remove any criminal history question from employment applications, and remove any question in employment documents regarding the applicant’s willingness to submit to a background check before a conditional offer. The law also prohibits Philadelphia employers from considering convictions older than seven years (excluding any period of incarceration) and mandates that they conduct an individualized assessment before rejecting an applicant with a criminal record considering, the following factors:

(a) The nature of the offense;
(b) The time that has passed since the offense;
(c) The applicant’s employment history before and after the offense and any period of incarceration;
(d) The particular duties of the job being sought;
(e) Any character or employment references provided by the applicant; and
(f) Any evidence of the applicant’s rehabilitation since the conviction.

The ordinance also provides that if an employer rejects an applicant for a “job opening” based in whole or in part on criminal record information, the employer must notify the applicant in writing of the decision and its basis and must provide the applicant with a copy of the criminal history report. The employer must allow the applicant ten (10) business days to provide evidence of the inaccuracy of the information or to provide an explanation.”

The ordinance includes several exemptions, stating that its requirements do not apply where “the inquiries or adverse actions prohibited herein are specifically authorized or mandated by any other applicable Ordinance or regulation.”

On January 20, 2021, the Philadelphia Mayor signed Bill No. 200479 to expand and modify the law in several respects. The amendments are effective April 1, 2021.

  • First, the amendment expanded the definition of covered “employee” to “any person employed or permitted to work at or for a Private Employer within the geographic boundaries of the City, including as an independent contractor, transportation network company driver, rideshare driver, or other gig economy worker.”
  • Next, the bill expands the definition of a covered “private employer” to “any third-party person or entity that facilitates the relationship of work for pay between two other parties, as full-time or part-time employees or as independent contractors.”
  • In addition, the amendment makes the law applicable to both job applicants and to incumbent employees.
  • It also expressly allows employers to inquire about an employee’s pending criminal charge provided that it is job-related, the employer’s written policy details the pending charges that must be reported, and the employer “reasonably” concludes that the employee’s continued employment would present an “unacceptable risk to the operation of the business or to co-workers or customers” and that terminating the employee is “compelled by business necessity.”
  • Finally, the amendment modifies the remedial provisions. The law has always afforded aggrieved individuals with a private right of action and the right to obtain compensatory damages, punitive damages and attorney’s fees. Now, however, instead of punitive damages, an individual can potentially recover “Liquidated damages, equal to the payment of the maximum allowable salary for the job subject to the complaint for a period of one month,” up to a maximum of $5,000. It is unclear how this might be calculated for a gig economy worker who does not receive a salary.

The City’s Amendments to Restrictions on Employer Use of Credit History
Since 2016, it has been an “unlawful discriminatory practice for an employer to procure, to seek a person’s cooperation or consent to procure, or to use credit information regarding an employee or applicant in connection with hiring, discharge, tenure, promotion, discipline or consideration of any other term, condition or privilege of employment with respect to such employee or applicant.” The prohibition on the procurement and use of credit information applies regardless of whether the check is conducted pre- or post-offer of employment. The ordinance sets out several exceptions. For instance, the law does not apply to any law enforcement agency or financial institution.

Under the amended ordinance effective March 21, 2021 (Bill No. 200413), law enforcement agencies and financial institutions are no longer automatically exempted from its prohibitions. Instead, law enforcement agencies and financial institutions may use credit history information for employment purposes if one of the other exceptions in the ordinance applies, including if such information “must be obtained pursuant to state or federal law” or the “job requires an employee to be bonded under City, state, or federal law.”

The amendment in Bill No. 200614 removes the requirement that employers provide written notice to the applicant or employee of their reliance on credit information, identify and provide the information on which the employer relied in making its adverse decision, and provide the individual an opportunity to explain the circumstances surrounding the potentially disqualifying information before the employer takes action. Of course, employers still must be mindful of the Fair Credit Reporting Act’s pre-adverse and adverse action notice requirements when taking action based in whole or in part on information obtained from a third-party background check report.

Philadelphia Predictability Pay Requirement To Be Enforced Beginning June 1
Starting June 1, 2021, the Philadelphia Office of Worker Protections will begin enforcement of predictability pay as part of the Philadelphia Fair Week Work Ordinance.

The Ordinance, which became law in December 2018 and went into effect on April 1, 2020, imposes significant scheduling and pay requirements on certain retailers, hotels, and food service establishments. It also provides protections for employees whose employers fail or refuse to comply with the regulations. The enforcement of predictability pay was paused as of the April 1, 2020, effective date in response to the COVID-19 health emergency.

For more on the Ordinance, please see our articles, Philadelphia City Council Enacts Broad Scheduling Regulations and Philadelphia Fair Workweek Ordinance Set to Go into Effect April 1.

Predictability Pay
Predictability pay is compensation employers must provide to employees if employers initiate changes to employees’ posted work schedules.

Covered employers include retailers, hotels, and food service establishments, plus chain establishments or franchises, with at least 30 locations and 250 employees worldwide. Covered employers must post employees’ work schedules 10 days in advance of the workweek. Covered employees include all non-exempt employees under either federal or state law.

If an employer requests to change an employee’s posted work schedule, it is considered an employer-initiated change in which predictability pay must be provided. Employer-initiated changes include when an employer:

  1. Reduces an employee’s hours;
  2. Changes an employee’s scheduled work location;
  3. Adds extra hours after receiving the employee’s consent to their posted work schedule; and
  4. Makes changes to an employee’s on-call shift, including not calling an employee in to work.

Covered employers must pay the following amount of predictability pay for each change to the advance notice requirement:

  • If the employer adds time to an employee’s work shift, with no loss of hours, the predictability pay is one hour at the employee’s rate of pay.
  • If the employer changes the date, time, or location of an employee’s work shift, the predictability pay is one hour at the employee’s rate of pay.
  • If an employer subtracts hours from an employee’s regular or on-call shift, the predictability pay is no less than one-half times the employee’s rate of pay per hour, for any scheduled hours the employee does not work.
  • If an employer cancels an employee’s regular or on-call shift, including not calling the employee in to work, the predictability pay is no less than one-half times the employee’s rate of pay per hour, for any scheduled hours the employee does not work.

Exceptions to Predictability Pay
Covered employers are not required to pay predictability pay under certain circumstances. These include when:

  • Power outages, severe weather, or transit or utility shutdowns occur;
  • Threats to the employer’s property or personnel occur;
  • An employee’s schedule is altered due to changes involving a ticketed event or hotel banquet that are beyond the employer’s control; or
  • An employee’s hours are reduced due to termination of employment.

In addition, the Ordinance includes a 20-minute grace period for changes to shift times before an employee would be entitled to predictability pay.

Implications for Philadelphia Employers
Despite the ongoing economic effects of the COVID-19 pandemic on employers and employees nationwide, Philadelphia employers must ensure they continue to comply with applicable federal, state, and local employment laws, such as the predictability pay requirement that will be enforced as part of the Ordinance beginning June 1, 2021. Employers must document exemptions to predictability pay for two years, as with all provisions of the Ordinance.

New California Pay Data Report Filing Required By March 31 For Most Employers With One Employee In California During 2020
Citing the pay gap between men and women, and an even larger gap for women of color, the California legislature passed SB 973 in September 2020. The new law requires that most private employers with a total of 100 or more employees, regardless of work location, file an annual pay data report if they had at least one employee working in California in 2020. While all company employees are considered to determine if the 100-employee threshold is met, only employees with a sufficient nexus to California need to be included in the report. The first report, covering 2020, is due by March 31, 2021 and must be filed using the state’s online portal.

California recently announced that a pay report user guide and template form will be available by February 1, 2021, and the data submission portal will open on February 15, 2021. While the final report format is not yet available, it will be similar to the now defunct EEO-1 Component 2 report grid. Each EEO-1 category will be divided into 12 pay bands. For each pay band, employers will report the total number of California-related employees as of a specific date, their total annual earnings, and their total annual work hours by race, ethnicity, and sex. The California Department of Fair Employment and Housing (DFEH) also has been regularly updating a list of FAQs to help covered employers begin to gather and analyze the required data. The most recent update was on January 15, 2021.

Which Employers Are Required to Submit a Pay Data Report?
For larger employers this question has a simple answer. An employer meeting all of the following criteria must file a pay data report by March 31, 2021: (1) the employer had at least 100 employees regardless of work location in all pay periods in 2020(2) the employer is required to file an EEO-1 report for 2020; and (3) the employer had at least one employee working in California. Employers not required to file an EEO-1 report are exempt from the pay data report requirement, regardless of their employee count. Similarly, companies with 50-99 employees who file EEO-1 reports because they are government contractors are not required to file a California pay data report.

For smaller employers with workforces that fluctuate above and below 100 employees during the year, determining coverage is more complicated. To make this calculation, the employer needs to understand how California counts employees and in which pay periods it employed at least 100 employees. In making this calculation, employers must count the number of employees, not the full-time equivalents. The employer must also count employees on paid or unpaid leave “including California Family Rights Act leave, pregnancy leave, disciplinary suspension, or any other employer-approved leave of absence.” Employers must also count temporary employees that “the employer is required to include in an EEO-1 Report and for whom the employer is required to withhold social security taxes.” If the employer uses temporary workers “provided by staffing agencies or independent contractors that meet this definition of employee,” they must be counted toward the 100-employee threshold. Finally, if the employer is owned or affiliated with another company, and if the group is considered a single enterprise for EEO-1 purposes, it will be for California purposes as well. Employers that met the 100-employee threshold for some but not all pay periods in 2020 should carefully review the requirements to determine whether they need to file a report.

What Should Covered Employers Be Doing Now?
Although the actual report format is not yet available, covered employers should start now to ensure they have enough time to gather and quality check their data. The first step is to identify the pay period between October 1, 2020 and December 31, 2020 that they intend to use as their snapshot. Then employers need to identify the employees with a sufficient nexus to California that need to be included in the report. More detail is available in the DFEH FAQs. Because DFEH will be using these reports “for the effective enforcement of equal pay or anti-discrimination laws, where appropriate,” employers may want to analyze data from more than one pay period before settling on a snapshot period so that they file a report that presents the fewest questions. This particularly applies to employers:

  • Whose salary increase date is in the fourth quarter;
  • Whose workforce numbers fluctuated significantly in the fourth quarter; and
  • Who will have a difficult time obtaining pay data for employees on leave and who have certain fourth quarter pay periods with large numbers of employees on leave.


Illinois Set To Enact New Law Limiting Criminal Convictions In Employment Decisions
Illinois has long limited employers from considering the criminal history of an applicant or employee in making employment decisions. The Illinois Human Rights Act prohibits employers from considering an employee’s arrest history, for example. In recent years, Illinois’ “Ban the Box” law disallows employers from asking about criminal convictions prior to a job offer or before a candidate is selected for an interview and, therefore, assumed to be otherwise qualified for the position in question. Now, Illinois is poised to go a step further in banning the use of criminal history in employment decisions.

In January 2021, the Illinois legislature passed Senate Bill 1480, which, in relevant part, provides that unless otherwise authorized by law, an employer may only consider an individual’s criminal conviction history if there is a substantial relationship between the criminal history and the position sought or held, or if the employer can show that the individual’s employment raises an unreasonable risk to property or to the safety or welfare of specific individuals or the general public. Governor Pritzker now has this legislation “on his desk” and is expected to sign this bill into law soon. Upon signing this legislation, the law will go into effect immediately. The law amends the Illinois Human Rights Act.

An employer may show that an individual’s criminal conviction history has a substantial relationship to the position applied for, or currently held, if the position provides an opportunity for the individual to conduct the same or similar offenses. Six different factors guide this analysis: (1) the length of time since the conviction, (2) the number of convictions that appear on the conviction record, (3) the nature and severity of the conviction and its relationship to the safety and security of others, (4) the facts or circumstances surrounding the conviction, (5) the age of the employee at the time of the conviction, and (6) evidence of rehabilitation efforts. As to the phrase “unreasonable risk,” it is not defined. However, this phrase certainly places the burden on the employer to establish that a risk exists that no reasonable employer in similar circumstances should incur.

If an employer denies employment to an applicant because of a conviction record, the employer must provide written notice to the applicant that specifically identifies the relevant conviction record underlying the decision and the employer’s rationale for why the conviction disqualifies the individual from employment. The employer must then give the applicant at least five (5) business days to respond to the employer’s notice and provide evidence to refute the employer’s concern. If the employer still decides not to hire the individual, the employer must provide another written notice informing the candidate of their right to file a charge of discrimination with the Illinois Department of Human Rights. This same process must be used for employers taking adverse action against existing employees based on criminal convictions.

While this law would not restrict employers from running criminal background checks on applicants or employees, it clearly creates additional hurdles. In reviewing the laws created in other states, Illinois’ new law would be the most restrictive in the country. Employers must not only justify any actions taken based on a criminal conviction under the Act’s two exceptions but must also comply with the written notification requirements.

Court Cases

Factually V. Legally Inaccurate Information, The Difference Matters: Court Rejects FCRA Claims Based On Disputed Legal Issue
On January 21, 2021, the United States District Court for the Northern District of Illinois granted TransUnion Data Solutions LLC’s (“Trans Union”) motion for judgment on the pleadings, denying Blue Sobenes’ (“Sobenes”) claims against Trans Union under sections 1681i(a) and 1681e(b) of the Fair Credit Reporting Act (“FCRA”).

In Sobenes v. Transunion Data Sols., Sobenes charged goods and services on a credit card issued to her by Comenity Bank, which subsequently charged off and then sold the account. The debt buyer later brought an action in state court against Sobenes to collect on the account; however, six days before scheduled arbitration, the state court lawsuit was dismissed without prejudice. After this voluntary dismissal, the debt buyer continued to furnish information regarding the account to consumer reporting agencies, including Trans Union.

Sobenes, through counsel, advised Trans Union that information on her credit report concerning the Comenity Bank debt was inaccurate, and she provided supporting documentation, including the motion to dismiss the state court lawsuit without prejudice. After conducting an investigation, which revealed that Sobenes still owed the debt, Trans Union declined to remove the debt from Sobenes’ credit report. Sobenes then filed suit against Trans Union alleging that it failed to conduct a proper and reasonable reinvestigation concerning the inaccurate information in Sobenes’ credit report after Sobenes advised it of the dispute; failed to consider all relevant information submitted by Sobenes concerning the dispute of the inaccurate information; and failed to delete the inaccurate information from Sobenes’ credit file after reinvestigation, all in violation of section 1681i(a) of the FCRA. She further alleges that Trans Union failed to employ and follow reasonable procedures to assure maximum possible accuracy in Sobenes’ credit report information and file, in violation of section 1681e(b) of the FCRA.

The Court began its analysis by iterating that to state a claim under section 1681i(a) or section 1681e(b) of the FCRA a plaintiff must sufficiently allege that the credit report contains factually, not legally, inaccurate information. It elaborated further defining factually inaccurate information as information which includes inaccurate amounts, tradeline items not immediately removed once vacated, and inaccurately updated loan terms. The Court defined legal inaccuracies to include the validity of a debt or a dispute regarding to whom the debt was assigned. Finally, it furthered its investigation stating, that to distinguish the two types of inaccuracies one must ask whether the defendant could have uncovered the inaccuracy if it had reasonably investigated the issue. After establishing this foundation, the Court held that Sobenes did not allege factual inaccuracies. She did not dispute that she incurred the debt, the amount of the debt, or that the debt was ever vacated. Instead, she argued the debt buyer provided insufficient documentation to prove that it owns the Comenity Bank debt. In answering its own question, the Court determined that Trans Union could not have uncovered the alleged inaccuracy if it had reasonably investigated the issue, and further determined that Trans Union had reasonably investigated the issue and properly included its findings of that investigation in its credit report. The Court held that it was unreasonable to expect Trans Union to determine whether the Bill of Sale was defective or to infer that the debt buyer lacked proper ownership of the debt from its voluntary motion to dismiss without prejudice.

In summary, plaintiffs in the District of Illinois need to plead factual inaccuracies in their FCRA section 1681i(a) and 1681e(b) claims to withstand judicial scrutiny.

Big News For Background Screening: New Appellate Ruling Says FCRA Permits Reporting Unmatched Criminal Records
Addressing a recurring issue bedeviling the background screening industry, the U.S. Court of Appeals for the Eleventh Circuit confirmed on December 4 that it is not inaccurate for a consumer reporting agency (CRA) to report a criminal or sex-offender record without matching the record to a subject consumer, so long as the CRA notifies the user that the record needs further investigation before being attributed to an individual.

This seemingly technical ruling under the Fair Credit Reporting Act (FCRA) goes to the heart of criminal background screening by CRAs in the U.S. since criminal records in the United States, in a great majority of cases, do not contain definitive identifying information such as social security numbers or even specific dates of birth. This means that many providers of criminal background screenings provide records in response to a screening without matching to a specific individual, leaving it to the user of the data to conclude whether the record applies to a given individual. This practice has been challenged across the country in private lawsuits; now, the Eleventh Circuit has weighed in, and validated that reporting unmatched results can comply with the FCRA.

In reaching this ruling, the Eleventh Circuit paradoxically rejected a lenient legal test regarding the standard for “inaccuracy” in favor of a more stringent one accepted by a plurality of other federal appellate courts. Nevertheless, the court held that the report containing unmatched records passed muster even under that more stringent test.

This precedential decision may become a leading case defining the duties of CRAs and users of unmatched criminal records under the FCRA.

The case is styled Erickson v. First Advantage Background Services Corp., No. 19-11587 (11th Cir. Dec. 4, 2020), and can be found here.

While applying to coach his son’s Little League team, Keith Erickson consented to a background check prepared by First Advantage Background Services Corporation. At the time of his application, Erickson’s name was “Keith Dodgson”—a name he shared with his long-estranged father. Unfortunately for Erickson, his namesake was a registered sex offender in Pennsylvania. Further complicating matters, Pennsylvania only records the birth year of registered sex offenders, rather than a full date of birth. First Advantage’s policy in such cases is to search by name only, inform the report’s user that any matched record is based on the name alone, and instruct the user to conduct further research before taking action against the subject of the report.

Erickson’s background check uncovered his father’s sex-offender record. First Advantage sent a report, including the record to Little League, explaining that the record was a name-only match and that Little League’s “further review of the State Sex Offender website is required in order to determine if this is your subject.” First Advantage also sent a letter to Erickson, informing him that his background check revealed he shared a name with a registered sex offender. The letter emphasized that Little League was “aware this record may not be yours” and would investigate further. Erickson immediately disputed the record with both First Advantage and Little League. Humiliated, he voluntarily chose not to coach his son’s team. He and his wife even went so far as to change their family name to avoid any future association with his father.

Erickson filed suit in federal court, claiming First Advantage violated the FCRA’s requirement that a consumer reporting agency “follow reasonable procedures to assure maximum possible accuracy” of information included in a consumer report. First Advantage initially disputed the applicability of the FCRA in a summary judgment motion, which the district court denied, and the case moved to trial. After Erickson presented his case at trial, the court granted judgment as a matter of law in favor of First Advantage. The court held Erickson failed to show either that the report was inaccurate or that he was harmed, two essential elements of his claim. Erickson appealed.

On appeal, First Advantage did not challenge the district court’s denial of its summary judgment motion, so the threshold question of the FCRA’s applicability was not an issue. Addressing the inaccuracy element of Erickson’s claim, the Eleventh Circuit first discussed the problem of unmatched records in background screening generally. The court acknowledged it is not uncommon for screening databases to include a sex-offender record without an underlying record of conviction, and that some state sex-offender registries, like Pennsylvania’s, include only the offender’s name and year of birth. This sets the stage for background screeners to regularly face the problem of imperfectly matched records.

First Advantage deals with this problem in three ways. First, in instances where a state registry includes only a birth year, First Advantage conducts a search based on the subject’s name only, completely avoiding any partial-birth-date matches. Second, it notifies the user at the outset that searches in these jurisdictions are based on name only. Third, when a name-only match is found, First Advantage includes it in the report but also instructs the user that further research is required to confirm whether the record belongs to the subject.

Court adopts “factually correct and free from potential misunderstanding” standard of “inaccuracy”
The court grappled first with the meaning of “maximum possible accuracy” under the FCRA, a thorny question that has been evaluated by several other circuits. The court rejected a more lenient standard followed by some courts requiring only “technical accuracy.” The technical accuracy standard requires only that the information in the report not be factually incorrect. Under this standard, so long as the report does not contain any objective untruth or inaccuracy, there can be no liability.

A plurality of the circuit courts—including the Fourth, Fifth, Sixth, and Ninth Circuits—hold that “maximum possible accuracy” means more than mere technical accuracy. These courts typically describe the standard as requiring a report to be neither factually inaccurate nor “materially misleading.” The Eleventh Circuit chose to follow this course, finding the statutory text “demands” more than mere technical accuracy. The court focused on the literal definitions of the phrase “maximum possible accuracy” and concluded “information must be factually true and also unlikely to lead to a misunderstanding” to meet that standard.

Importantly, the Eleventh Circuit emphasized that whether a report is potentially misleading is an objective inquiry. A reviewing court must “look to the objectively reasonable interpretations of the report.” A report that is “objectively likely to cause the intended user to take adverse action” is objectively misleading, whereas one “that some user somewhere could possibly squint at…and imagine a reason to think twice about its subject” is not. The focus on the “intended user” of the report means the court must consider the reasonable expectation and understanding of a person in the position of that user to determine if the user would likely be misled.

The Eleventh Circuit holds that CRA’s report met its articulated standard because a reasonable user would understand that the record was not matched
After defining this standard, the court held “the only objectively reasonable interpretation of [First Advantage’s] report was one that was not misleading.” The report never claimed the record was a certain match; instead, it explained it was a name-only match, and “cautioned that the record might not be Erickson’s at all.” Furthermore, a reasonable user of the report in Little League’s shoes would not be so misled as to take adverse action based on the report alone. Adding further support for this conclusion was the fact that First Advantage’s report reminded Little League that “further review of the State Sex Offender Website” was required. Because “the only reasonable understanding” of the report was that “someone with Erickson’s name was a registered sex offender in Pennsylvania,” no reasonable user would be misled.

The court was careful to caution that a CRA cannot “caveat [its] way out of liability” for a clearly misleading report simply by providing a fine-print disclaimer or “vague equivocations.” But where the language of the report makes clear what the report is and what it is not, and where it is prepared “consistent with the expectations of the requester,” such a report is not misleading.

Key takeaways
The key message of this decision is that it is not inaccurate for a CRA to report unmatched records—so long as a reasonable user would understand that the records are, in fact, unmatched. This decision also provides some potential compliance tips for CRAs seeking to assure “maximum possible accuracy.” CRAs can note, for example, the notifications First Advantage gave to the users of its reports, which the court found to be clear.

On the flip side, the decision implies that the argument that a “technically accurate” report can give rise to inaccurate understandings will not pass muster under the FCRA, according to the Eleventh Circuit, if a reasonable user would not be misled.

International Developments

German Laptop Retailer Fined $12.7M Under GDPR For Employee Surveillance
A German data regulator last week announced a €10.4 million (U.S. $12.7 million) fine against an online laptop and electronic goods retailer for video-monitoring employees for at least two years without legal basis. The State Commissioner for Data Protection (LfD) Lower Saxony said NBB’s (notebooksbilliger.de) constant surveillance was “inadmissible” under the General Data Protection Regulation (GDPR). The fine is the highest the authority has set so far. According to the regulator, cameras recorded employees in workplaces, salesrooms, warehouses, and common areas. NBB claimed the aim was to prevent and investigate criminal offenses and to track the flow of goods in the warehouses.

“Companies must understand that with such intensive video surveillance they are massively violating the rights of their employees.” – Barbara Thiel, Head of LfD Lower Saxony

However, in order to prevent theft, a company must first use “milder” methods, such as random bag checks when employees leave the premises. Moreover, the LfD said video surveillance is only lawful if there is “justified suspicion” against specific persons, and even then, video monitoring may only be used for a “limited” time.

The data authority found NBB’s video surveillance was neither limited to a specific period of time nor to specific employees. The recordings were saved for 60 days in many cases. Customers were also filmed in seating areas without their knowledge or consent.

The regulator said “the allegedly deterrent effect of video surveillance, which is repeatedly put forward, does not justify a permanent and unprovoked interference with the personal rights of employees” in a translated press release.

“We are dealing with a serious case of video surveillance in the company,” said Barbara Thiel, head of LfD Lower Saxony, in a translated statement. “Companies must understand that with such intensive video surveillance they are massively violating the rights of their employees.”

Thiel added video surveillance is “a particularly intensive encroachment on personal rights” because it can pressurize employees “to behave as inconspicuously as possible in order not to be criticized or sanctioned for deviating behavior.”

“Employees do not have to give up their personal rights just because their employer puts them under general suspicion,” she said.

Last October, the Data Protection Authority of Hamburg handed retailer H&M the country’s largest GDPR fine to date (€35.2 million) for similar employee-monitoring violations.

Germany’s federal and regional data protection authorities have been keen to focus on steering organizations away from “common” privacy violations under the GDPR—such as video monitoring, cold-calling, etc.—rather than pursuing record fines. Regulators feel such an approach creates a greater understanding of what privacy means and how the GDPR impacts people and work on a day-to-day basis.

The European Data Protection Board (EDPB) And European Data Protection Supervisor (EDPS) Issued A Joint Opinion Making Recommendations For Revisions To The Draft Standard Contractual Clauses (SCCs) Issued By The European Commission (EC)
As a reminder, the draft SCCs were issued in November 2020 by the EC in an attempt to rectify some of the shortcomings identified in the CJEU’s Schrems II decision from July 2020. Originally the SCCs were expected to be finalized in Q1 of 2021, but with this joint opinion suggesting significant revisions, it looks like it might be a bit longer before we see a final version. Once they are adopted, businesses will have 1 year to implement the new SCCs. Click here to read more. As a note, the “new” SCCs are intended to eventually replace the SCCs currently found on the EC’s website (click here). SCCs are used for data transfers between the European Union (EU) and non-EU countries.

Brussels To Allow Data To Continue To Flow To UK
Brussels is set to allow data to continue to flow freely from the EU to the UK after concluding that the British had ensured an adequate level of protection for personal information. A draft decision by the European Commission, seen by the Financial Times, is expected to be approved this week. It will be welcomed by businesses—particularly in the health, insurance and technology sectors—that regularly transfer customer personal information such as bank details. The move will also help with aspects of EU-UK law enforcement co-operation, although the UK has lost access to the giant SIS II police database and European Arrest Warrant network. A positive decision by Brussels on data sharing had been widely expected and would benefit the EU and the UK. It would be periodically reviewed by the commission and is open to legal challenges at the European Court of Justice, such as the one that led to parts of the EU-US “Privacy Shield” data transfer arrangements being struck down last year. The decision to grant data adequacy to the UK will face scrutiny by the European Data Protection Board before it can be implemented, but the body does not have the power to block the move. The arrangement will be re-examined every four years to check that UK rules do not compromise the privacy of EU citizens, according to the draft decision. It will allow for data transfers on police matters such as search warrants and the interception of communications for preventing or detecting serious crimes. UK law already allows data transfer to the EU. But a full adoption of the commission’s decision must take place before June 30, when the interim regime agreed after Brexit expires, to ensure continuity of data flows between the bloc and the UK. The EU decision is far from the end of the story, as the experience with transatlantic data sharing shows.

Canadian Privacy Commissioner Reports Provide Guidance For Outsourcing Agreements
Canadian private sector privacy laws generally permit organizations to engage service providers to process personal information for the organizations. Organizations remain accountable for the personal information they transfer to a service provider and must use contractual and other safeguarding measures to protect the personal information while in a service provider’s custody. In 2020, the Privacy Commissioner of Canada issued two investigation reports that provide guidance regarding measures to help ensure that outsourcing arrangements comply with private sector privacy laws. All organizations that engage service providers to process personal information can benefit from the guidance. For more information click on this link: https://www.blg.com/en/insights/2021/02/privacy-commissioner-reports-provide-guidance-for-outsourcing-agreements

Canadian Privacy Commissioners Issue Report On AI’s Facial Recognition Tool
privacy commissioners of Alberta, British Columbia and Quebec and their federal counterpart. In their jointly published report of findings, the privacy commissioners held that Clearview’s treatment of Canadians’ personal information was in breach of provincial and federal private sector privacy laws and recommended that Clearview cease all operations in Canada and delete all images and biometric facial arrays about Canadians in its possession.

In the report, the privacy commissioners confirm their position on three important points that have application beyond the use of facial recognition:

  1. biometric information is inherently sensitive;
  2. the privacy legislation has extra-territorial application; and
  3. information that is available on the internet, such as through social media, is not necessarily exempt from consent requirements under privacy legislation.

Clearview’s facial recognition tool functions in four sequential steps:

  1. downloading images of faces and associated data from online sources (including social media sites);
  2. creating biometric identifiers for each image;
  3. allowing users to upload a target image; and
  4. providing a list of images and metadata, including a link to the source, of images that Clearview’s software determines are similar to the target.

Clearview’s customers include law enforcement agencies, such as the RCMP, and others in various jurisdictions. Clearview markets its tool as a service that allows law enforcement agencies to quickly identify people of interest. According to the report, Clearview has scraped billions of images and created biometric identifiers for tens of millions of Canadians, including children.

Speaking as one voice, the commissioners issued the report under each of their respective enabling statutes:

  1. Canada’s Personal Information Protection and Electronic Documents Act;
  2. Quebec’s Act Respecting the Protection of Personal Information in the Private Sector, and Act to Establish a Legal Framework for Information Technology;
  3. British Columbia’s Personal Information Protection Act; and
  4. Alberta’s Personal Information Protection Act.

The main issues considered in the report were:

  1. whether the federal and provincial commissioners had jurisdiction to consider the issue;
  2. whether Clearview was required to obtain consent for its treatment of personal information, and if so, whether it did; and
  3. whether Clearview treated personal information for a reasonable purpose.

Regarding jurisdiction, Clearview took the position that the provincial and federal privacy commissioners did not have jurisdiction over Clearview because it was located outside of Canada and did not target Canadians but rather collected information indiscriminately.

The report rejected Clearview’s argument, holding that Clearview “actively marketed its services to Canadian organizations [and] publicly declared Canada to be part of its core market in statements to the media and its own promotional materials.” The report also noted that Clearview provided services to the RCMP and other Canadian law enforcement entities, on both paid and free-trial arrangements. That Clearview “collects images without regard to geography does not preclude [the federal privacy commissioner’s] jurisdiction when a substantial amount of its content is sourced from Canada.”

On the matter of provincial jurisdiction, the report states that “Clearview’s activities fall under the jurisdiction of both the [federal commissioner and those of] the provinces” because:

  1. “Clearview’s practice of indiscriminate scraping has undoubtedly resulted in the collection of the personal information of individuals within Quebec, Alberta and British Columbia;” and
  2. “provincial and municipal law enforcement agencies located within the provinces and subject to provincial oversight were targeted and used trial accounts of Clearview’s software.”

Clearview acknowledged that it made no attempts to obtain express consent from data subjects, and instead argued that there is no requirement to obtain consent to use personal information that is available on the internet since there could be no reasonable expectation of privacy. On the contrary, the report held that images uploaded to social media are not “publications” in the same way that images in a magazine might be and are therefore not subject to the same exemptions for the consent requirement. Furthermore, the report noted that such images are not necessarily uploaded with all photographed individuals’ consent and would not be uploaded with the expectation that such images would be used for mass surveillance.

On differentiating social media websites from other “publications,” the report noted that:

  1. social media sites are dynamic, with information being added, changed, and deleted in real time; and
  2. individuals exercise a level of direct control over accessibility of content over time.

Furthermore, the privacy laws’ designated sources of what is considered “publicly available” did not include social media websites.

Clearview contended that its purpose was appropriate “[g]iven the significant potential benefit of Clearview’s services to law enforcement and national security.” The report rejected this argument, holding instead that “[a]lthough some of the information collected may have ultimately been used for law enforcement, Clearview’s real purpose for the collection is a commercial for-profit enterprise and not law enforcement.” Furthermore, the report stated that “Clearview fails to acknowledge: (i) the myriad of instances where false, or misapplied matches could result in reputational damage to individuals, and (ii) more fundamentally, the affront to individuals’ privacy rights and broad-based harm inflicted on all members of society, who find themselves under continual mass surveillance by Clearview based on its indiscriminate scraping and processing of their facial images.”

The report recommends that Clearview cease offering the facial recognition services in Canada, cease the collection, use and disclosure of images and biometric facial arrays collected from individuals in Canada, and delete images and biometric facial arrays collected from individuals in Canada. The report notes that Clearview has declined to accept the findings and recommendations and indicates that the privacy commissioners “will pursue other actions available to us under our respective Acts to bring Clearview into compliance with federal and provincial privacy laws applicable to the private sector.”

Additional Issues
The report raised some further concerns that the commissioners felt were relevant but on which they do not specifically opine:

  1. There are concerns over the efficacy and accuracy of facial recognition technologies, including Clearview’s and others. According to the report, facial recognition technologies disproportionately misidentify faces of people of color, and especially women of color, by a factor of 10 to 100 times, which could result in discriminatory treatment.
  2. False positive matches could pose great risk of harm to individuals, especially in a law-enforcement context.
  3. Clearview has received cease and desist letters from Google, Facebook, Twitter, and LinkedIn regarding Clearview’s practice of collecting information in violation of terms of service.
  4. Clearview’s systems have been breached before, including two occasions that it has publicly acknowledged: in February 2020 when its client list was leaked and in April 2020 when its source code and pilot project video were obtained and partially leaked.

Lessons Learned
The report stated that part of its reason for publishing its findings was to “ensure that other organizations will have the benefit of our conclusions as they contemplate initiatives that may share certain similarities with Clearview’s practices.” In other words, the report is self-identifying as a warning shot.

This report should be considered in addition to the recent report by the federal privacy commissioner regarding the use of facial recognition technology by Cadillac Fairview (see Use of Facial Recognition Software for Customer Analytics). In that investigation, the federal privacy commissioner was similarly focused on the inherent sensitivity of facial recognition data and the requirement of express consent in order to collect, use or disclose that information.

Organizations that collect, use, or disclose biometric information, or collect, use or disclose information from disparate online sources, should consider the privacy commissioners’ newly-emboldened posture on its commitment to bring organizations into compliance with Canadian privacy laws.

UK Government Sets Out New Plans To Help Build Trust In Use Of Digital Identities
The government has today published its draft rules of the road for governing the future use of digital identities. It is part of plans to make it quicker and easier for people to verify themselves using modern technology and create a process as trusted as using passports or bank statements.

Digital identity products allow people to prove who they are, where they live or how old they are. They are set to revolutionize transactions such as buying a house, when people are often required to prove their identity multiple times to a bank, conveyancer or estate agent, and buying age-restricted goods online or in person.

The new ‘trust framework’ lays out the draft rules of the road organizations should follow. It includes the principles, policies, procedures and standards governing the use of digital identity to allow for the sharing of information to check people’s identities or personal details, such as a user’s address or age, in a trusted and consistent way. This will enable interoperability and increase public confidence.

The framework, once finalized, is expected to be brought into law. It has specific standards and requirements for organizations which provide or use digital identity services including:

  • Having a data management policy which explains how they create, obtain, disclose, protect, and delete data;
  • Following industry standards and best practice for information security and encryption;
  • Telling the user if any changes, for example an update to their address, have been made to their digital identity;
  • Where appropriate, having a detailed account recovery process and notifying users if organizations suspect someone has fraudulently accessed their account or used their digital identity;
  • Following guidance on how to choose secure authenticators for their service.

Organizations will be required to publish a yearly report explaining which demographics have been, or are likely to have been, excluded from their service and why. The move will help make firms aware if there are inclusivity problems in their products while also boosting transparency.

The framework will also help promote the use of ‘vouching’, where trusted people within the community such as doctors or teachers ‘vouch for’ or confirm a person’s identity, as a useful alternative for those without traditional documents, such as passports and driving licenses.

Economists have estimated the cost of manual offline identity proofing could be as high as £3.3 billion per year. The new plans will not only make people’s lives easier but also give a boost to the country’s £149 billion digital economy by creating new opportunities for innovation, enabling smoother, cheaper and more secure online transactions, and saving businesses time and money.

The move has been welcomed by industry and civil society groups which have praised the government’s open and collaborative approach, as it works to develop a final trust framework that meets the needs of all users.

The full UK Digital Identity and Attributes Trust Framework is available online, along with details of how to provide comments and feedback. The new proposals, drawn up by the Department for Digital, Culture, Media and Sport (DCMS), will help restrict opportunities for criminals and allow organizations who choose to sign up know they are meeting the necessary requirements. This will help give people confidence that particular service protects their data and privacy.

Other Developments

Cannabis In The Workplace
As we move into a new decade, employers are faced with an increasingly complex and evolving legal landscape regarding cannabis use. While cannabis is a Schedule I substance under the federal Controlled Substance Act (CSA), many state and local legislatures have not only legalized it but have adopted workplace protections for lawful users. This leaves many employers holding their breath as they try to balance their workforces’ locally sanctioned lawful use of cannabis, not only with federal sanctions but with associated workplace risks.

In contrast to just a few years ago, many Americans can lawfully use cannabis under state or local law (even if it is still unlawful under federal law). Only a few states do not permit use of at least medical marijuana or related products. Indeed, 15 states and the District of Columbia already have either decriminalized or legalized recreational cannabis use; four of those—Arizona, Montana, South Dakota, and New Jersey—just legalized the possession and use of recreational marijuana in the most recent election.

For employers, this patchwork presents challenges for monitoring and responding to cannabis use in and around the workplace and the risks associated with same. Maybe the most pressing issue is how to appropriately address usage in the workplace while navigating anti-discrimination protections for workers who use cannabis and hemp products legally, pursuant to state and local law.

This issue is made more complicated by the difficulties in testing for intoxication: there is no breathalyzer equivalent, and drug tests pose problems because traces of THC may remain in an individual’s system for weeks after use. That is, determining employee impairment is often a guessing game.

Broadly, and recognizing that each law differs, legalization statutes at the state and local level typically permit employers to prohibit marijuana use or intoxication on their premises or during work hours: just as employees cannot drink alcohol while working, they cannot be high on the job. However, while impairment may be prohibited, a notable (and increasing) number of such jurisdictions prohibit discrimination against persons who lawfully use marijuana.

This creates a Catch-22 for employers: with no way to test for intoxication, an employer must either confront an employee who may be high and risk a discrimination claim, or else ignore the issue and risk potential safety and operational issues.

Confounding this, many localities limit or prohibit reliance on positive drug tests for marijuana in making employment decisions. For instance, in January 2020, Nevada’s blanket prohibition on pre-employment marijuana tests, the first of its kind among states, went into effect. Similarly, on the local level, beginning in May 2020, New York City banned employers from conducting pre-employment marijuana tests, while allowing a narrow carveout for safety and security sensitive jobs. Other states allow marijuana testing but prohibit terminating or rescinding a job offer based solely on a positive marijuana test. Practically speaking, these laws create potential discrimination claims whenever an applicant or employee who tests positive is denied a job or continued employment—even if the employer has legitimate concerns about drug usage.

Against this background, employers are placed in a difficult position, in which they must weigh their business interests and employee safety against the state and local law afforded rights of marijuana users and the risks of discrimination claims. These challenges are compounded by the technical inability to test for intoxication. Nor can employers expect to rely on the fact that marijuana is unlawful at the federal level as a defense: courts increasingly have rejected the theory that the CSA preempts anti-discrimination laws protecting marijuana uses. See, e.g., Noffsinger v. SSC Niantic Operating Co., 273 F. Supp. 3d 326 (D. Conn. 2017).

Action steps
With this in mind, employers must be aware of relevant local jurisdictional law and ensure their policies and practices are updated accordingly. In addition, managers—particularly where employee and operational well-being is at issue—should be trained to proactively, tactfully identify and address safety and productivity risks. Likewise, while employers generally may prohibit unlawful substances in the workplace, they should be cognizant that, based on local law, they may need to accommodate medicinal users, such as by permitting cannabis on company premises (even if prohibiting its use). And finally, employers should routinely review the ever-changing legal landscape to ensure they are continuing to comply.