January 2021 | Compliance Update

Federal Developments

EEOC Updates Guidance On COVID Vaccines: Mandatory Vaccinations Permitted, With Some Exceptions
On December 16, 2020, the Equal Employment Opportunity Commission (EEOC) updated its COVID-19 Technical Assistance Questions and Answers to include information about COVID-19 vaccinations. This has been a hot topic for employers because of the recent emergency use authorization by the Food and Drug Administration (FDA) of vaccines developed by Pfizer-BioNTech and Moderna. The updated Guidance is found in Section K here.

Since last spring, the EEOC has issued multiple updates to its Q&A resources, advising employers how to navigate the potentially severe health and safety threat from COVID-19 while remaining compliant with workplace anti-discrimination laws, including the Americans with Disabilities Act (ADA); Title VII of the Civil Rights Act of 1964 (Title VII), the Age Discrimination in Employment Act (ADEA) and the Genetic Information Non-Discrimination Act (GINA). Employees are also protected under other federal and state laws.

The key takeaways from the updated Guidance are as follows:

K.1. For any COVID-19 vaccine that has been approved or authorized by the Food and Drug Administration (FDA), is the administration of a COVID-19 vaccine to an employee by an employer (or by a third party with whom the employer contracts to administer a vaccine) a “medical examination” for purposes of the ADA? (12/16/20)

The EEOC has indicated that administration of an FDA-approved vaccine is not a medical examination.

The EEOC states that while the administration of a COVID vaccine is not a medical examination, the pre-screening vaccination questions may implicate the ADA provision on disability-related inquiries. If the employer administers the vaccine itself or engages a third-party to do so, the employer must show that the pre-screening questions are “job-related and consistent with business necessity.”

K.2. According to the CDC, health care providers should ask certain questions before administering a vaccine to ensure that there is no medical reason that would prevent the person from receiving the vaccination. If the employer requires an employee to receive the vaccination from the employer (or a third party with whom the employer contracts to administer a vaccine) and asks these screening questions, are these questions subject to the ADA standards for disability-related inquiries? (12/16/20)

Pre-vaccination medical screening is likely to elicit disability information. That means that such questions, whether asked by the employer or its agent, are “disability-related” under the ADA. The employer must demonstrate that the pre-screening questions are “job-related and consistent with business necessity.” In order to comply with this standard, the employer must have a reasonable belief, based on objective evidence, that an employee who does not answer the pre-screening questions and is not vaccinated, will pose a “direct threat” to the health or safety of himself or others. A direct threat is “a significant risk of substantial harm to the health or safety of the individual or others that cannot be eliminated or reduced by reasonable accommodation.”

There are two circumstances in which disability-related screening questions may be asked without needing to satisfy the “job-related and consistent with business necessity” standard. First, if the employer offers the vaccination to employees on a voluntary basis, the pre-screening questions must also be voluntary. An employer may not retaliate, threaten, or intimidate an employee who refuses to answer the screening questions, but they will likely not receive the vaccine. Second, if an employee receives the vaccine from a third-party unrelated to the employer, such as their own medical provider or a pharmacy, the ADA requirement that the questions be “job-related and consistent with business necessity” is inapplicable.

K.3. Is asking or requiring an employee to show proof of receipt of a COVID-19 vaccination a disability-related inquiry? (12/16/20)

No, simply asking employees for proof of vaccination is not a disability-related inquiry. But, if the employer asks follow-up questions, such as why the employee was not vaccinated, this may elicit information about a disability. Any such questions must be “job-related and consistent with business necessity.” Employers should instruct their employees not to provide any medical information that may be contained in a document that provides proof of vaccination.

K.4. Where can employers learn more about Emergency Use Authorizations (EUA) of COVID-19 vaccines? (12/16/20)

Employers should consult the FDA website for up to date information on vaccines issued an EUA. Also, this information is typically included in a patient fact sheet at the time the vaccine is administered. The FDA EUA page can be found here.

K.5. If an employer requires vaccinations when they are available, how should it respond to an employee who indicates that he or she is unable to receive a COVID-19 vaccination because of a disability? (12/16/20)

The ADA allows an employer to have a qualification standard that includes “a requirement that an individual shall not pose a direct threat to the health or safety of individuals in the workplace.” However, if a safety-based qualification standard, such as a vaccination requirement, screens out or tends to screen out an individual with a disability, the employer must show that an unvaccinated employee would pose a direct threat due to a “significant risk of substantial harm to the health or safety of the individual or others that cannot be eliminated or reduced by reasonable accommodation.” 29 C.F.R. 1630.2(r).

Employers should conduct an individualized assessment of four factors in determining whether a direct threat exists: the duration of the risk; the nature and severity of the potential harm; the likelihood that the potential harm will occur; and the imminence of the potential harm. A conclusion that there is a direct threat would include a determination that an unvaccinated individual will expose others to the virus at the worksite. If an employer determines that an individual who cannot be vaccinated due to disability poses a direct threat at the worksite, the employer cannot exclude the employee from the workplace, or take any other action, unless there is no way to provide a reasonable accommodation (absent undue hardship) that would eliminate or reduce this risk so the unvaccinated employee does not pose a direct threat.

If there is a direct threat that cannot be reduced to an acceptable level, the employer can exclude the employee from physically entering the workplace, but the employer may not automatically terminate the worker. Employers will need to determine if any other rights apply under the EEO laws or other federal, state, and local authorities. For example, if an employer excludes an employee based on an inability to accommodate a request to be exempt from a vaccination requirement, the employee may be entitled to accommodations such as performing the current position remotely. This is the same step that employers take when physically excluding employees from a worksite due to a current COVID-19 diagnosis or symptoms; some workers may be entitled to telework or, if not, may be eligible to take leave under the Families First Coronavirus Response Act, under the FMLA, or under the employer’s policies.

Managers and supervisors responsible for communicating with employees about compliance with the employer’s vaccination requirement should know how to recognize an accommodation request from an employee with a disability and know to whom the request should be referred for consideration. Employers and employees should engage in a flexible, interactive process to identify workplace accommodation options that do not constitute an undue hardship (significant difficulty or expense). This process should include determining whether it is necessary to obtain supporting documentation about the employee’s disability and considering the possible options for accommodation given the nature of the workforce and the employee’s position. The prevalence in the workplace of employees who already have received a COVID-19 vaccination and the amount of contact with others, whose vaccination status could be unknown, may impact the undue hardship analysis.

Employers may rely on CDC recommendations when deciding whether an effective accommodation that would not pose an undue hardship is available, but as explained further in Question K.7., there may be situations where an accommodation is not possible. When an employer makes this decision, the facts about particular job duties and workplaces may be relevant. Employers also should consult the applicable Occupational Safety and Health Administration standards and guidance. Employers can find OSHA COVID-specific resources here.

It is unlawful for employers to disclose that an employee is receiving a reasonable accommodation or retaliate against an employee for requesting an accommodation.

K.6. If an employer requires vaccinations when they are available, how should it respond to an employee who indicates that he or she is unable to receive a COVID-19 vaccination because of a sincerely held religious practice or belief? (12/16/20)

Once an employer is on notice that an employee’s sincerely held religious belief, practice, or observance prevents the employee from receiving the vaccination, the employer must provide a reasonable accommodation for the religious belief, practice, or observance unless it would pose an undue hardship under Title VII of the Civil Rights Act. Courts have defined “undue hardship” under Title VII as having more than a de minimis cost or burden on the employer.

The EEOC guidance explains that because the definition of religion is broad and protects beliefs, practices, and observances with which the employer may be unfamiliar, the employer should ordinarily assume that an employee’s request for religious accommodation is based on a sincerely held religious belief. If, however, an employee requests a religious accommodation, and an employer has an objective basis for questioning either the religious nature or the sincerity of a particular belief, practice, or observance, the employer would be justified in requesting additional supporting information.

K.7. What happens if an employer cannot exempt or provide a reasonable accommodation to an employee who cannot comply with a mandatory vaccine policy because of a disability or sincerely held religious practice or belief? (12/16/20)

If an employee cannot get vaccinated for COVID-19 because of a disability or sincerely held religious belief, practice, or observance, and there is no reasonable accommodation possible, then it would be lawful for the employer to exclude the employee from the workplace. This does not mean the employer may automatically terminate the worker. Employers will need to determine if any other rights apply under the EEO laws or other federal, state, and local authorities.

K.8. Is Title II of the Genetic Information Nondiscrimination Act (GINA) implicated when an employer administers a COVID-19 vaccine to employees or requires employees to provide proof that they have received a COVID-19 vaccination? (12/16/20)

No. Administering a COVID-19 vaccination to employees or requiring employees to provide proof that they have received a COVID-19 vaccination does not implicate Title II of GINA because it does not involve the use of genetic information to make employment decisions, or the acquisition or disclosure of “genetic information” as defined by the statute. This includes vaccinations that use messenger RNA (mRNA) technology, which will be discussed more below. As noted in Question K.9. however, if the administration of the vaccine requires pre-screening questions that ask about genetic information, the inquiries seeking genetic information, such as family members’ medical histories, may violate GINA.

Under Title II of GINA, employers may not (1) use genetic information to make decisions related to the terms, conditions, and privileges of employment, (2) acquire genetic information except in six narrow circumstances, or (3) disclose genetic information except in six narrow circumstances.

Certain COVID-19 vaccines use mRNA technology. This raises questions about whether such vaccines modify a recipient’s genetic makeup and, therefore, whether requiring an employee to get the vaccine as a condition of employment is an unlawful use of genetic information. The CDC has explained that the mRNA COVID-19 vaccines “do not interact with our DNA in any way” and “mRNA never enters the nucleus of the cell, which is where our DNA (genetic material) is kept.” (See the CDC Website for a detailed discussion about how mRNA vaccines work). Thus, requiring employees to get the vaccine, whether it uses mRNA technology or not, does not violate GINA’s prohibitions on using, acquiring, or disclosing genetic information.

K.9. Does asking an employee the pre-vaccination screening questions before administering a COVID-19 vaccine implicate Title II of GINA? (12/16/20)

Pre-vaccination medical screening questions are likely to elicit information about disability, as discussed in Question K.2., and may elicit information about genetic information, such as questions regarding the immune systems of family members. It is not yet clear what screening checklists for contraindications will be provided with COVID-19 vaccinations.

If the pre-vaccination questions do not include any questions about genetic information (including family medical history), then asking them does not implicate GINA. However, if the pre-vaccination questions do include questions about genetic information, then employers who want to ensure that employees have been vaccinated may want to request proof of vaccination instead of administering the vaccine themselves.

GINA does not prohibit an individual employee’s own health care provider from asking questions about genetic information, but it does prohibit an employer or a medical provider working for the employer from asking questions about genetic information. If an employer requires employees to provide proof that they have received a COVID-19 vaccination from their own health care provider, the employer should warn employees not to provide genetic information as part of the proof. As long as this warning is provided, any genetic information the employer receives in response to its request for proof of vaccination will be considered inadvertent and therefore not unlawful under GINA.


Employers have been anxiously awaiting FDA approval of COVID vaccines. Now that two vaccines have been given EUA by the FDA, and others are likely to be approved as well, employers must consider whether to mandate employee vaccination or wait and see. Employers that are functioning remotely with little or no impact on productivity and that are able to do so for the foreseeable future may decide to delay imposing a vaccination mandate until more medical information is available. Other employers, such as those in retail, construction, or manufacturing, are likely to move ahead quickly with a vaccination mandate to mitigate the economic impact of the pandemic on their business. Both practical and legal issues will need to be resolved, but as of today, the EEOC has definitively signaled that mandatory COVID vaccinations are lawful for the vast majority of employees.

Can Employers Make Employees Get The COVID-19 Vaccine?
With two COVID-19 vaccines set to receive federal approval in the United States in the upcoming weeks, the next question is whether employers can make employees receive the vaccine. The short answer is…yes. And while the typical lawyer answer to any question is “it depends,” that concise “yes” does come with a few caveats. So, let’s go through them.

First, it is also worth noting that under the federal Occupational Safety and Health Act (OSHA) and many state laws, employers are obligated to provide a workplace free from serious recognized hazards. This means that employers have the right to establish legitimate health and safety standards and policies so long as they are job-related and consistent with business necessity. As such, a policy requiring vaccinations will depend heavily on the employer’s industry and physical location. Accordingly, courts in a number of jurisdictions have held that these workers can be required to receive vaccinations, such as rubella or flu vaccinations, as long as the requirement is job-related and consistent with business necessity. This is especially true in the healthcare context.

Second, even if an employer can require a vaccination due to a demonstrated legitimate health and safety requirement, we’ve learned from the flu vaccine that the Equal Employment Opportunity Commission (EEOC), which enforces the federal Americans with Disabilities Act (ADA), which protects employees from disability discrimination, and Title VII of the Civil Rights Act of 1964, as amended (Title VII), which protects employees from religious discrimination, has been clear that employers are already allowed to require employees to be vaccinated. However, workers who have a medical reason not to get the vaccine may request a medical exemption under the ADA and workers who have a sincere religious belief that taking the vaccine would violate their religious beliefs may request a religious exemption under Title VII.

For example, persons with certain health-related conditions, such as severe allergies to ingredients in the flu vaccine or disorders such as Guillain-Barré Syndrome, should not be vaccinated for the flu. Further, the EEOC advised that employers should accommodate pregnant employees’ requests not to be vaccinated.

Notably, not all health conditions are ADA-qualifying. In Hustvet v. Allina Health Systems, the Eighth Circuit held that an employer could terminate a healthcare worker after she refused to receive immunizations for measles, mumps, and rubella because of her alleged chemical sensitivities and/or allergies because there was not enough evidence that the employee’s alleged condition was actually a qualifying disability under the ADA. Because the vaccination requirement was job related and consistent with business necessity, however, the court ruled in favor of the employer.

In the religious accommodation context, in 2012 in Chenzira v. Cincinnati Children’s Hospital Medical Center, the Southern District Court of Ohio concluded that veganism qualifies as a sincerely held religious belief exempting an employee from having to receive the flu vaccine, which was produced from chicken products. The employer had discounted the employee’s request for exemption as a dietary preference or philosophical ideation rather than a sincerely held religious belief, but the court disagreed.

When an employer does receive an exemption request, whether due to disability or religious-related reasons, an employer must engage in an interactive process with the employee to determine if it can provide the employee with a reasonable accommodation that does not pose an undue hardship for the employer. The standard for what constitutes an undue hardship is different under the ADA and Title VII, with the disability accommodation being less strict. In any event, if an employee qualifies for an exemption under either the ADA or Title VII, the employer may have to provide the employee a reasonable accommodation to allow the employee to continue to work with vaccinated individuals, such as working remotely.

Although the EEOC could update its guidance materials, which it has done since the pandemic, it has not addressed the COVID-19 vaccine and its impact on workforces.

As for employer liability, should any employees develop any side effects from any required vaccine, those claims would likely be considered injuries obtained during the course and scope of employment and subject to review through each individual state’s workers’ compensation systems.

So, there you have it. Employers can legally require employees get the COVID-19 vaccine, subject to the reasonable accommodation protections for medical conditions under the ADA and religious accommodation exemption under Title VII. Bear in mind that the requirements to trigger these exceptions have been difficult for employees to meet in the case law. Lastly, just because an employer can require an employee to have the COVID-19 vaccination, it does not mean that an employer should require it, and the EEOC has further recommended that employers consider encouraging employees to get vaccines rather than require them. However, given the scope of COVID-19 and the significant loss of life, it will be interesting to see how employers and the EEOC respond.

Tenant Background Report Provider Settles FTC Allegations That It Failed To Follow Accuracy Requirements For Screening Reports
A California-based company that provides background reports to property management companies will pay $4.25 million as part of a settlement with the Federal Trade Commission over allegations the firm failed to follow reasonable procedures to ensure the accuracy of its reports about potential tenants. In a complaint filed by the Department of Justice on behalf of the Commission, the FTC alleges that AppFolio, Inc. violated the Fair Credit Reporting Act (FCRA) by failing until at least April 2019 to implement reasonable procedures to ensure that criminal and eviction records it received from a third party vendor were accurate before including such information in its tenant screening reports. In addition, the FTC alleges AppFolio also violated the FCRA by including eviction or non-conviction criminal records more than seven years old in its reports.

“Consumers face enough hurdles in obtaining housing without the additional burden of inaccurate background checks,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “AppFolio and all background screening agencies must follow reasonable procedures to ensure that the background reports that they provide to their customers are as accurate as possible.”

Property managers use AppFolio’s reports for tenant screening. Under the FCRA, companies that provide tenant screening background reports on consumers are required to follow reasonable procedures to ensure the “maximum possible accuracy” of those reports and are prohibited from reporting certain obsolete information.

The FTC alleges that AppFolio failed to implement procedures to adequately review the accuracy of the information it received from its vendor before including the information in background reports.

As a result, AppFolio provided inaccurate information about some applicants such as records for individuals with a different name or birthdate; records with a missing or inaccurate offense name, type, or date; records with a missing or inaccurate disposition; and multiple entries for the same criminal or eviction action. The FTC alleges that some applicants may have been denied housing or other opportunities because of the inaccurate information included in background reports provided by AppFolio.

Despite receiving numerous complaints from consumers, AppFolio did not make changes to its procedures that addressed the problems with the reports, the FTC alleges. In addition to the $4.25 million monetary penalty, the proposed settlement prohibits AppFolio from providing non-conviction criminal or eviction records older than seven years and requires the company to maintain reasonable procedures to ensure the maximum possible accuracy of information included in its background reports.

FTC Finalizes Settlement With Service Provider Over Alleged Privacy Shield Misrepresentations
The EU-U.S. Privacy Shield Framework, which provided a mechanism to legally transfer personal information from the EU to the United States, was invalidated on July 16, 2020, but the Federal Trade Commission (FTC) has made it clear that companies that claimed to be participants must still make good on their word. A case in point is the FTC’s recent settlement with NTT Global Data Centers Americas, Inc. (NTT) over charges that the company misrepresented its participation in the EU-U.S. Privacy Shield Framework after its certification had lapsed in January 2018. Businesses that transfer personal information from the EU to the United States rely on representations by service providers such as NTT that they comply with established privacy principles and that an approved adequacy mechanism is in place to facilitate such transfers. The settlement terms bar NTT from misrepresenting in any way its participation in or adherence to any privacy or data security program. They also require NTT to apply Privacy Shield or equivalent protections to all personal information the company collected during its membership in the framework or return or delete that information. The FTC has taken similar action against other companies over the years, and this decision reaffirms the importance of ensuring that claims about participation in the Privacy Shield, or any other privacy program, are made only when an application has been approved and a certification is current. All references to certification must be promptly deleted from privacy policies and other materials if a certification has lapsed. The Commission vote to finalize the settlement with NTT was 3-1-1. Commissioner Rebecca Kelly Slaughter did not take part, and Commissioner Rohit Chopra voted no and issued a statement in which he pressed the Commission to impose monetary fines on companies that mislead consumers about their participation in privacy programs.

Whether the FTC imposes heavier sanctions down the road or not, damage to reputation can cost a company dearly. The FTC’s settlement with NTT is also a reminder of the importance of “trust but verify.” The U.S. Department of Commerce’s Privacy Shield list provides a way to double check that an organization’s representations about compliance are true. The vast majority of Privacy Shield participants take their obligations seriously. The FTC’s focus on the few organizations that do not remain current in their Privacy Shield commitments enhances the reliability of the Privacy Shield even as discussions continue on possible alternative adequacy mechanisms to address data transfers from the EU to the United States.

CDC Updates Guidance On Quarantine After COVID-19 Exposure, But State Guidance May Differ
Since the onset of the COVID-19 pandemic, various federal, state and local government entities have issued and updated guidance relating to the health and safety of workplaces. The Centers for Disease Control and Prevention (CDC) has led the way, with other entities relying on its guidance. On October 21, the CDC updated the definition of an exposure that should result in quarantine; on November 16, the CDC updated its guidance on the need for critical infrastructure workers to quarantine after exposure to an individual with COVID-19; and on December 2, the CDC shortened its recommended length of quarantine from the initially recommended 14 days to as little as seven days.

CDC Guidance for Individuals Exposed to a Suspected or Confirmed Case of COVID-19
The CDC previously recommended that employees who were in close contact with a known or suspected case of COVID-19 (including those with symptoms or who are asymptomatic but have tested positive) quarantine for 14 days from the date of their last exposure to that individual. The CDC defined “close contact” in this context to mean being within six feet for a cumulative 15 or more minutes during a 24-hour period, whether or not either individual was wearing personal protective equipment.

For exposed individuals who are asymptomatic, a quarantine for 14 days may be onerous, especially when such individuals are unable to work from home. As such, the CDC has issued updated guidance to reflect that such individuals, if they remain asymptomatic, may discontinue quarantine after 10 days without testing, or after seven days if a test administered within 48 hours before discontinuing quarantine is negative. Individuals who discontinue quarantine must have no clinical evidence of COVID-19, continue to monitor symptoms daily for 14 days after they are no longer quarantined, and strictly adhere to all other transmission risk reduction guidelines for the full 14 days after exposure (including correct and consistent mask use, social distancing, hand and cough hygiene, environmental cleaning and disinfection, avoiding crowds, and ensuring adequate indoor ventilation). While the CDC indicates that the shorter quarantine periods will not as effectively eliminate the risk of transmitting COVID-19, the risk of transmission is 1% to 5% in the case of the 10-day quarantine without testing, and 5% to 12% in the case of a seven-day quarantine and negative test result.

Asymptomatic Critical Infrastructure Workers Exposed to COVID-19
For most of the pandemic, despite its general recommendation that exposed employees quarantine for 14 days, the CDC allowed exposed employees in “critical infrastructure” businesses who remained asymptomatic to continue to work as long as they followed certain safety protocols. Critical infrastructure businesses include financial institutions, information technology providers, healthcare workers, food and agriculture businesses, energy providers, and critical manufacturing services, among others. This blanket exemption for critical infrastructure employees ended with the CDC’s guidance issued November 16. Now, given the widespread transmission of COVID-19 by asymptomatic individuals, critical infrastructure employers may take advantage of the exemption from the 14-day quarantine only as “a last resort and only in limited circumstances, such as when cessation of operation of a facility may cause serious harm or danger to public health or safety.” In such limited circumstances, critical infrastructure employees may continue to work if they continue to be asymptomatic, have not tested positive and additional precautions are observed. These additional precautions include employees pre-screening themselves before arriving at work; employers screening employees again upon their arrival at work; regularly monitoring and asking employees to self-monitor for symptoms; requiring the use of masks, social distancing and good hand hygiene; and routine cleaning and disinfecting of all work areas.

The CDC further recommends that critical infrastructure businesses, where possible, reduce the need to reintegrate exposed critical infrastructure employees into the workplace by identifying and prioritizing job functions essential for continued operations, cross-training employees on critical job functions, and determining which if any existing workers possess skills necessary to perform critical job functions should employees unexpectedly need to be absent.

BEWARE: Local Jurisdictions May Follow Different Guidance
The CDC guidance is not binding, and the guidance of state and local authorities should be followed. Some states’ guidance specifically requires that employers follow CDC guidance, while others’ guidance incorporates CDC guidance and/or is more restrictive than CDC guidance. For example, as of the date of publication:

  • Although New York exempts from quarantine asymptomatic exposed critical infrastructure employees, a determination as to whether an individual is deemed “critical” must be made in consultation with state and local health authorities, and the close contact definition is over a cumulative 10 minutes (rather than 15) during a 24-hour period. In addition, New York had previously reduced the 14-day quarantine requirement for those engaging in certain out-of-state travel in accordance with a testing regimen and exempts from quarantine critical infrastructure employees under certain circumstances.
  • New Jersey has revised its guidance to follow the CDC’s “last resort” guidance for asymptomatic exposed critical infrastructure employees and/or critical infrastructure employees who engage in certain out-of-state travel, and to reduce the quarantine period for employees who engage in certain out-of-state travel to match the CDC’s new lesser seven-day and 10-day periods. However, New Jersey has communicated that it continues to recommend a 14-day quarantine period for exposed non-critical infrastructure employees for maximum protection.
  • Pennsylvania continues to recommend a 14-day quarantine period for all exposed employees for maximum protection, unless such quarantine is an “undue burden,” in which case the CDC’s new lesser seven-day or 10-day quarantine period will apply. Pennsylvania also allows quarantine to end after certain out-of-state travel upon a negative test.
  • Rhode Island requires businesses to justify on a case-by-case basis why a particular critical infrastructure employee exposed to COVID-19 is unable to quarantine for 14 days. Exposed health care employees, however, may return from quarantine earlier than 14 days in accordance with a testing regimen.

The legal landscape related to COVID-19 has changed rapidly and will likely continue to do so given the current resurgence throughout the country and world. As always, employers should confer with legal counsel to ensure they comply with the applicable obligations in their jurisdiction.

State Developments

A Brief Guide To California’s Latest Employer COVID-19 Reporting Obligations
California employers are now subject to three new COVID-19 related reporting obligations when there is a COVID-19 positive employee or employees in their workplaces, including: reporting to their (1) workers’ compensation carrier, (2) employees and other workers, and (3) local public health authority. We address each briefly below.

  1. Employers must now report cases of COVID-positive employees to their workers’ compensation carriers. More specifically, under Senate Bill 1159, within three days after the employer knows or reasonably should know of an employee testing positive, the employer must notify the workers’ compensation carrier that (1) the employee has tested positive; (2) the date the employee tests positive; (3) the specific address or addresses of the employee’s place of employment during the 14-day period preceding the positive test; and (4) the highest number of employees who reported to the physical workplace in the 45 days preceding the last day the employee worked in the workplace.
  2. Starting in 2021, employers must notify certain workers on their premises of a potential exposure, and must notify the local health department after an “outbreak.” Assembly Bill 685 will require employers, within one business day of receiving notice of a potential exposure to COVID-19, to notify in writing all employees and employers of subcontracted employees who were on the premises at the same time as the “qualifying individual” within the “infectious period” that they may have been exposed to COVID-19. In addition, within 48 hours of an “outbreak” in its workforce, employers also must notify the local public health department in the jurisdiction of the worksite of the names, number, occupation and worksite of “qualifying individuals.” An “outbreak” occurs when there are “[a]t least three probable or confirmed COVID-19 cases within a 14-day period in people who are epidemiologically-linked in the setting, are from different households, and are not identified as close contacts of each other in any other case investigation.”
  3. Under new Cal/OSHA standards, employers also have reporting obligations to their local health department but must provide more than what is required by AB 685. Cal/OSHA’s new COVID-19 Emergency Temporary Standard (“ETS”) now requires covered California employers, among other things (including drafting a written COVID-19 Prevention Program and implementing rigorous remediation measures contingent on the severity of the “outbreak”), to notify the local public health department in the applicable jurisdiction within 48 hours after learning of three (3) or more COVID-19 cases within a fourteen (14) day period at a worksite. Information provided will include the total number of COVID-19 cases; the name, contact information, occupation, workplace location, business address, hospitalization and/or fatality status, and Labor group code for each COVID-19 case; and any other information requested by the local public health department. An employer must notify the local public health department of any subsequent COVID-19 cases occurring after the initial notification and implement additional recordkeeping measures, by internally recording and tracking all COVID-19 cases, while ensuring all medical information remains confidential, with the employee’s name, contact information, occupation, location where the employee worked, last day in the workplace, and date of positive COVID-19 test. Importantly, nothing about the ETS changes an employer’s obligation to report serious occupational illnesses to Cal/OSHA or to maintain records required by the Cal/OSHA regulations (e.g. inspection records, documentation of hazard corrections, and training records).

Employers Must Act Now:
California employers should update their COVID-19 compliance policies and procedures immediately to ensure the new notification measures are addressed.

Florida Governor Signed SB 664: Verification Of Employment Eligibility Into Law That Requires Private Employers To Use E-Verify Or To Use The Form I-9 And Maintain Copies Of The Documents Used To Complete The Form I-9 For Three (3) Years
Effective January 1, 2021, private employers in Florida must (a) use the E-Verify system; or (b) duplicate the Form I-9 process by requiring the documents employees presented during the Form I-9 completion be presented in order to comply with Florida law. If the latter, employers must maintain those documents for at least three (3) years after the date of hire. (See, Section 2 of SB 664). The new law has the potential to create a two-track system for private employers with operations and licensed to do business in Florida when completing their Forms I-9 or, in the alternative, to require them to change their Form I-9 processes to photocopy documentation presented by the employee for Section 2 purposes. Employers currently not photocopying documents presented by new hires when completing the Form I-9 (which is not generally required) are most directly impacted by this new requirement. They either have to change their practices with respect to Form I-9 completion and begin photocopying documents or run the risk of an enforcement action by Florida authorities. Non-compliance with Florida law may lead to suspension or revocation of a company’s license to do business in the state. Generally, unless an employer uses E-Verify, photocopying the documents presented for Form I-9 Section 2 purposes is not required. Employers may, but are not required to, photocopy the document(s) presented by the new hire when completing the Form I-9. (See, 8 U.S.C.A. section 1324a(b)(4); 8 C.F.R. section 274a.2(b)(3)). Click here to read the text of the bill.

Court Cases

Two Recent Ninth Circuit Cases Provide Guidance On FCRA Disclosure And Authorization Form Requirements
The Federal Reserve anticipates an approximate two percent reduction in unemployment by June 2021, envisioning rapid mass-hiring by employers once governments lift the more stifling COVID-19 restrictions. Businesses requiring pre-employment background checks may be uniquely exposed to liability under the Fair Credit Reporting Act (“FCRA”) if minor mistakes are amplified by mass-hiring events.

The FCRA requires, among other things, that an employer inform and obtain consent from an applicant regarding the employer’s intent to obtain a consumer report. Specifically, the employer must provide a “clear and conspicuous disclosure…in writing…in a document that consists solely of the disclosure.” Two recent Ninth Circuit cases further explicate this standard, and when it applies.

In Walker v. Fred Meyer Inc., 953 F.3d 1082 (9th Cir. 2020), the court addressed the standalone disclosure, and found that an employer may provide a “concise explanation” of what the consumer report may be used for. The Court held that “beyond a plain statement disclosing ‘that a consumer report may be obtained for employment purposes,’ some concise explanation of what the phrase means may be included.” In other words, an employer may concisely explain to an applicant or employee what the report entails, how it will be obtained, and for which type of employment purposes it may be used.

In Walker, the relevant issue was whether the employer willfully violated the FCRA by providing an unclear disclosure form encumbered by extraneous information. Plaintiff Walker claimed the disclosure form was confusing because it included information rendering him “unable to meaningfully evaluate and understand the nature of the report.”

The Walker Court held that beyond a plain statement disclosing “that a consumer report may be obtained for employment purposes” an employer may include a concise explanation of what that phrase means without violating the FCRA’s “standalone” requirement. The Court found that a statement specifying the use of investigative reports did not violate the FCRA’s standalone requirement because investigative reports are a subcategory or specific type of consumer report.

However, the Court disapproved of two other portions of the employer’s disclosure, which explained: how an applicant may inspect the Credit Reporting Agency’s (“CRA”) files, how the CRA will help the applicant understand the files, and if the CRA obtains any information by interview, that the applicant has the right to obtain a disclosure of the scope and nature of the investigation performed. The Court found these statements could pull an applicant’s attention away from his privacy rights protected by the FCRA, were more than merely a ‘concise statement’ and therefore violated the FCRA’s ‘standalone’ requirement.

The second case, Luna v. Hansen & Adkins Auto Transport, Inc., No. 18-55804 (April 24, 2020), drew a distinction between the FCRA requirements applicable to a disclosure versus an authorization form. Plaintiff Luna alleged that Defendant-employer violated the FCRA by (among others) failing to place the FCRA authorization on a standalone document. There, the authorization appeared at the end of the employment application and included other notices, waivers, and agreements, unrelated to acquiring the consumer report.

The Court rejected Plaintiff’s argument that, by including the authorization form within the employment application and among other waivers, the Defendant-employer violated the FCRA’s ‘standalone’ requirement. Instead, the Court held that the “standalone” requirement only applies to the disclosure form, not the authorization.

In sum, employers should review the content of their disclosure forms, and ensure that no information is included beyond explaining what a consumer report entails, how it will be obtained, and for which type of employment purpose it may be used. Anything more may violate the FCRA. In the view of the Ninth Circuit, employers may, however, include FCRA authorizations within the employment application, which may facilitate more quickly expanding their workforce once the economic headwinds shift.

Supreme Court Grants Cert On Major FCRA Standing Issue
Back in August, CPW reported on a developing issue in the consumer privacy space—one of the “big three” consumer reporting agencies (“CRAs”) was sued for using “matching technology” against the “Specially Designated Nationals” list maintained by the U.S. Department of the Treasury’s Office of Foreign Assets Control, and similar “terrorist watch lists,” on consumers’ credit reports. This practice occasionally resulted in consumers incorrectly being presented as “potential” matches against these lists on their credit reports. The Ninth Circuit found in Ramirez v. TransUnion LLC, 951 F.3d 1008 (9th Cir. 2020) that TransUnion’s failure to use additional identifiers, such as date of birth, to verify the matches could be found to be objectively unreasonable.

In a first of its kind ruling, the Ninth Circuit also found in Ramirez that every class member needed to have Article III standing at the final stages of a damages suit. It determined that the class of 8,185 consumers who had received inaccurate reports using the matching technology could obtain money damages, although Judge McKeown penned a dissent concluding that only the 1,853 consumers whose credit reports were requested by a potential credit grantor had standing to assert a claim. The Court also reduced the punitive damages award per class member, finding the sum to be excessive in violation of due process. TransUnion appealed both issues and petitioned the Supreme Court for a writ of certiorari in September.

This morning, the Supreme Court granted TransUnion’s petition. While it declined to take up the punitive damages issue, it granted cert for the question: “Whether either Article III or Rule 23 permits a damages class action where the vast majority of the class suffered no actual injury, let alone an injury anything like what the class representative suffered.” This decision is sure to impact future class action litigation and issues of standing, especially for claims under the FCRA.

Federal Court Holds State-Imposed Credit Reporting Restrictions Preempted By The FCRA
A federal court in Maine recently held that the FCRA preempts burdensome credit reporting restrictions imposed by the Maine Fair Credit Reporting Act. “By seeking to exclude additional types of information” from consumer credit reports, the Court said, “the Maine Amendments intrude upon a subject matter that Congress has recently sought to expressly preempt from state regulation.” The case is Consumer Data Industry Association v. Frey, 2020 U.S. Dist. LEXIS 187061 (D. Me. Oct. 8, 2020).

As Troutman Pepper reported previously, the Maine legislature passed two amendments to the Maine Fair Credit Reporting Act in 2019 prohibiting consumer reporting agencies from including certain kinds of information in a consumer’s credit report (the “Maine Amendments”). Specifically, these amendments prohibit reporting medical debts less than 180 days old, medical debts that have been settled or paid, and debts that are the product of “economic abuse.” Me. Rev. Stat. Ann. tit. 10, §§ 1310-H(4), 1310-H(2-A) (2019). Both laws would require a credit reporting agency to engage in burdensome investigations of the underlying circumstances, conditions, and status of a consumer’s debts to determine whether those debts are reportable. The Consumer Data Industry Association (“CDIA”) filed suit against the Maine Attorney General and the Superintendent of the Maine Bureau of Consumer Credit Protection, seeking declaratory judgment that both laws are preempted by the FCRA. The parties filed cross-motions for judgment on a stipulated record in April 2020.

This October, the U.S. District Court for the District of Maine ruled in favor of the CDIA, holding that the Maine Amendments are preempted by the FCRA. Engaging in a detailed analysis of the language and history of the FCRA’s preemption provisions, the court rejected a narrow construction advocated by the State of Maine that would limit preemption to the specific types of information already regulated by the FCRA. “In the Court’s reading, the amended language and structure of [the FCRA’s preemption provisions] reflect an affirmative choice by Congress to set ‘uniform federal standards’ regarding the information contained in consumer credit reports.” Accordingly, the court held that the FCRA preempts any state regulation of information contained in consumer reports. Because the Maine Amendments place additional prohibitions on the kind of information that may be included in a consumer report, they concern the exact subject matter expressly preempted by Congress.

Although the immediate effect of this decision is limited to the State of Maine, the court’s analysis and persuasive reasoning have substantial ramifications for other states seeking to impose their own restrictions on consumer credit reports. The Defendants have filed an appeal of the district court’s decision, which will give the First Circuit Court of Appeals an opportunity to rule definitively on this issue. Troutman Pepper will continue to monitor and report further developments.

International Developments

CNIL Fines Two Companies Of The Carrefour Group €3.05 Million For GDPR And Cookie Violations
On November 26, 2020, the French Data Protection Authority (the “CNIL”) announced that it imposed a fine of €2.25 million on Carrefour France and a fine of €800,000 on Carrefour Banque for various violations of the EU General Data Protection Regulation (“GDPR”) and Article 82 of the French Data Protection Act governing the use of cookies.

Carrefour France and Carrefour Banque are both affiliates of the French retail group, the Carrefour Group. The group has diversified its activities into the banking and insurance, travel agency and e-commerce sectors. Between June 8, 2018 and April 6, 2019, the CNIL received 15 complaints from individuals relating to the exercise of their data protection rights with affiliates of the Carrefour Group. The complainants argued that Carrefour (1) did not comply with their data access or erasure requests; (2) sent them direct marketing communications despite the fact that the complainants had objected to receiving those communications; or (3) in one case, did not allow the complainant to unsubscribe from marketing emails. The CNIL carried out online inspections on the carrefour.fr and carrefour-banque.fr websites and onsite inspections at the premises of Carrefour France and the parent company of the group, Carrefour SA. These inspections aimed to verify whether Carrefour France and Carrefour Banque were in compliance with all provisions of the GDPR and the French Data Protection Act.

The CNIL’s inspections revealed that both companies infringed several obligations of the GDPR and the cookie law requirements of Article 82 of the French Data Protection Act when processing customer or web user data. On November 18, 2020, the CNIL imposed a fine on each company for these infringements. The CNIL did not impose other sanctions, such as an injunction to bring the data processing activities in question into compliance, as both Carrefour companies made huge efforts during the proceedings to remedy the non-compliance.

GDPR and Cookie Violations
In its decision against Carrefour France, the CNIL found that the company failed to comply with basic GDPR requirements and its obligations as a data controller, including the (1) storage limitation requirement; (2) obligation to facilitate the exercise of individuals’ data protection rights; (3) obligation to provide notice to individuals about the processing of their personal data in an easily accessible form, using clear and plain language and in a comprehensive manner (i.e., with all information required by the GDPR); (4) obligation to comply with subject right requests; and (5) obligations to ensure the security of personal data and to notify personal data breaches. Further, the CNIL found that Carrefour France infringed cookie law requirements by automatically setting cookies on the user’s device when the user visited the home page of the carrefour.fr website.

In its decision against Carrefour Banque, the CNIL found that the company failed to comply with the (1) obligation to process personal data fairly; (2) obligation to provide notice in an easily accessible form, using clear and plain language and in a comprehensive manner; and (3) cookie law requirements.

Highlights from the CNIL’s decisions are detailed below.

  • Storage limitation: The CNIL found that Carrefour France defined an excessive data retention period for the personal data of its customers who are members of its loyalty program. Loyalty program members’ data had been retained for a period of four years from their last activity. According to the CNIL, the four-year retention period is excessive: personal data of inactive customers should not have been kept for more than three years. Further, the CNIL found that Carrefour France kept personal data of loyalty program members and web users for a longer period than the defined retention period. The inspections revealed that the personal data of more than 28 million inactive customers had been retained for five to ten years in the context of the loyalty program. Similarly, the personal data of more than 750,000 web users had been retained for five to ten years from the date of their last order. Finally, the CNIL found that Carrefour France systematically asked for a copy of an ID document when individuals exercised their data protection rights and kept that copy for a period of one to six years. According to the CNIL, copies of ID documents should only be retained for the time necessary to verify the identity of the requester. As soon as that identity is confirmed, it is no longer necessary to keep a copy of the ID document. Carrefour France should have archived only a copy of its response to the individual for evidentiary purposes. The CNIL concluded that Carrefour France infringed the GDPR’s storage limitation requirement.
  • Facilitating the individuals’ rights: The CNIL stressed that asking for a copy of an ID document for every subject rights request is excessive. An ID document should have been requested only in cases where the company had reasonable doubt as to the identity of the requester. Further, the CNIL found that Carrefour France did not comply with subject rights requests within the one-month time limit required by the GDPR. In some cases, individuals did not hear from the company for up to nine months. Carrefour France explained that the entry into application of the GDPR led to an increase in subject rights requests (from one to two requests a day before May 25, 2018 to sometimes more than 75 requests a day after that date). The CNIL made it clear that the company should have anticipated this increase in the number of requests and concluded that the company infringed Article 12 of the GDPR. The CNIL noted that, during the proceedings, the company adopted new ad hoc tools to handle subject rights requests and can now respond to such requests, on average, within less than 15 days.
  • Complying with individuals’ rights requests: The CNIL further found that Carrefour France did not comply with several subject rights requests, including individuals’ requests to access their personal data, requests for erasure of their personal data and individuals’ objection to receiving direct marketing communications by text message or email. In particular, the CNIL noted that one of the erasure requests related to the email address used by the company for direct marketing purposes. The CNIL’s inspection revealed that the email address had not been erased. The company explained that it could not erase the email address because the company used the individuals’ email address as the database entry point. The CNIL found that the company had to implement a system for organizing its customer database in such a way that the company could comply with subject right requests.
  • Notice to individuals: The CNIL found that the notice provided to web users and customers who wish to sign up for Carrefour’s loyalty program or payment card was not easily accessible. The notice about the processing of their personal data was dispersed and fragmented among several documents (general terms of use, terms and conditions, page relating to the protection of personal data, dedicated page for the exercise of individuals’ data protection rights). Further, the notice was drafted using broad, vague or unclear terms, such as “these processing activities include, without limitation,” “your data may be processed for one or several of the following purposes,” “your data may be used” or “certain data about you are used”. In the CNIL’s view, these terms did not allow individuals to understand the extent of the processing of their personal data. Similarly, general terms such as “you also have the right to obtain the restriction of a data processing activity, and the right to the portability of the data you may have provided, which may apply in certain cases,” did not allow individuals to understand the situations in which their rights apply and the conditions for their application. Additionally, the CNIL found that the information was incomplete and insufficient. In particular, the CNIL found that the information provided on the carrefour.fr and carrefour-banque.fr websites did not specify the data retention periods for all data collected or all purposes of the data processing, including the data collected by cookies. In the CNIL’s view, it was insufficient to specify that “personal data are retained for the applicable statute of limitation periods” or that “the retention of your data by Carrefour Banque varies according to the applicable laws and regulations.”
  • Obtaining users’ consent for non-essential cookies: The CNIL found that cookies were automatically set on the carrefour.fr and carrefour-banque.fr websites prior to any action from web users. The CNIL noted that this included some non-essential cookies such as Google Analytics cookies, and that the data collected by these cookies could be used with data from other processing activities to serve targeted ads. Accordingly, these cookies could not have been set unless the user accepted them.

CNIL’s Fines
Interestingly, in setting the fine against Carrefour France, the CNIL relied upon the concept of “undertaking” within the meaning of EU competition law to take into account not only the revenues of Carrefour France but also the higher revenues of its two subsidiaries who benefited from the data processing activities in question. Carrefour France and Carrefour Banque may now appeal the CNIL’s decisions within two months before France’s highest Administrative Court (Conseil d’Etat).