California To Protect Employee Off-Duty Cannabis Use Effective 2024

California Governor Gavin Newsom signed Assembly Bill 2188 (AB 2188) into law on September 18, 2022. AB 2188 will amend the state’s employment anti-discrimination law, the Fair Employment and Housing Act (FEHA), and make it an unlawful practice for an employer to discriminate against an adult applicant or employee based upon the “person’s use of cannabis off the job and away from the workplace.” The new law will take effect on January 1, 2024.

California joins several other states, including New York and New Jersey, that have adopted protections for applicants’ and/or employees’ off-duty cannabis use.

Key Features of AB 2188

AB 2188 notes that tetrahydrocannabinol (THC), the chemical compound most commonly associated with cannabis’ psychoactive effects, remains stored in the body as a nonpsychoactive cannabis metabolite well after a period of impairment. These metabolites do not indicate impairment, only that an individual has consumed cannabis somewhat recently, generally over the previous few weeks. Notably, AB 2188 uses the term “THC” and does not distinguish between variations of THC. The use of this term indicates that the law could apply to variations of THC in addition to the well-known Delta-9 THC. The use of Delta-8 THC, for example, may also result in positive THC drug tests and could also be protected under the statute.

Employee Protections

AB 2188 acknowledges that most tests for cannabis use “only show the presence of the nonpsychoactive cannabis metabolite and have no correlation to impairment on the job” and that “employers now have access to multiple types of tests that do not rely on the presence of nonpsychoactive cannabis metabolites.” The law prohibits employers from discriminating “against a person in hiring, termination, or any term or condition of employment, or otherwise penalizing a person, if the discrimination is based” upon either of the following:

  • The person’s use of cannabis off the job and away from the workplace.
  • An employer-required drug screening test that has found the person to have nonpsychoactive cannabis metabolites in their hair, blood, urine, or other bodily fluids.

Although AB 2188 prohibits employment decisions based upon the presence of nonpsychoactive cannabis metabolites in a drug screening, it does not prohibit an employer from discriminating in hiring, or any term or condition of employment, or otherwise penalizing a person based on scientifically valid preemployment drug screening conducted through methods that do not screen for nonpsychoactive cannabis metabolites.

Exceptions and Exclusions

AB 2188 does not permit an employee to possess or use cannabis in the workplace; it makes clear that nothing in the law permits an employee “to possess, to be impaired by, or to use, cannabis on the job” or affects “the rights or obligations of an employer to maintain a drug- and alcohol-free workplace.”

Additionally, AB 2188 explicitly excludes from its protections employees “in the building and construction trades” and “applicants or employees hired for positions that require a federal government background investigation or security clearance” in accordance with federal regulations. Also, the law does not preempt state or federal laws that require employees to be tested for controlled substances as a condition of employment, to receive federal funding, or to enter into a federal contract.

Employers Should Prepare To Comply With New Restrictions

California employers should review their job application process and employment drug screening protocols to ensure compliance with AB 2188.

Specifically, employers should ensure that commencing January 1, 2024, they do not make any adverse employment decisions based upon an applicant’s or employee’s off-duty cannabis use or the presence of nonpsychoactive cannabis metabolites in drug screening results outside of the narrow exceptions identified above.

Employers intending to continue testing for impairment caused by cannabis should consider alternative tests, including impairment tests, which measure an individual employee’s performance against their own baseline performance, and other tests that identify the presence of THC in an individual’s bodily fluids.

Click Here for the Original Article

California Expands Criminal Record Relief

California recently passed Senate Bill 731 (“SB 731”) into law which significantly expands the automatic sealing eligibility of most felonies that occurred on or after January 1, 2005, if certain circumstances are met. This will impact the type of records employers can lawfully rely upon for hiring decisions after conducting employment background checks.

Summary of Existing Law Regarding Employment Criminal Background Checks:

California employers with 5 or more employees are prohibited from doing any of the following:

(1) including on any application for employment any question that seeks the disclosure of an applicant’s conviction history;

(2) inquiring into or considering the conviction history of a job applicant until the applicant has received a conditional offer of employment; and

(3) considering, distributing, or disseminating certain types of criminal information (including “sealed” convictions) while conducting a conviction history background check in connection with an employment application.

Employers who intend to deny an applicant a position of employment must first make an individualized assessment as to whether the conviction history would have a direct and adverse relationship with the specific duties of the job. If the employer determines it would, the applicant must be notified of the decision and given five business days to respond. (For more information about these requirements, see our prior article here.)

Existing law requires the Department of Justice, on a monthly basis, to review the records in the statewide criminal justice databases and identify persons who are eligible for automatic conviction record relief. Under existing law, a person is eligible for automatic conviction record relief if, on or after January 1, 1973, they were sentenced to probation, and completed the terms of their probation without revocation, or if they were convicted of an infraction or a misdemeanor and other criteria are met.

Summary of the New Law:

Effective July 1, 2023, the new law under SB 731 expands this conviction record relief making it available for defendants convicted of most felonies on or after January 1, 2005, provided they have completed their incarceration, probation, mandatory supervision, parole or any other terms of their conviction, and a period of 4 years has elapsed during which the defendant was not convicted of a new felony offense. The new law does not apply to registered sex offenders or those convicted of violent or serious felonies, such as murder or attempted murder, manslaughter, kidnapping, rape, assault with a deadly weapon, robbery, and similar offenses.

The bill specifies that conviction record relief does not release the defendant from the terms and conditions of unexpired criminal protective orders.

What This Means For Employers:

While the new law doesn’t amend the Labor or Government codes, it dramatically restricts the types of criminal records employers can lawfully access and rely upon for hiring purposes. Employers will be unable to refuse to hire individuals for “less violent crimes,” such as domestic violence or fraud, because those criminal records would be sealed under the new law. This is true even if the employer could have refused to hire the applicant under the old law on the grounds that the conviction history would have a direct and adverse relationship with the specific duties of the job.

It is not entirely clear how a court would treat a situation where an employer relies on a record relating to a crime that should have been sealed, but somehow mistakenly made it onto a criminal background report (something that happens from time to time). As such, employers are wise to seek legal counsel before making any hiring decision based on an applicant’s criminal background history, especially in the near future as the Department of Justice and background-check companies adjust to the new legal requirements.

Critics of SB 731 have also noted how it could result in hiring discrimination by out of state employers against people with California addresses in their background, as SB 731 could prevent such employers from completing their standard—and in some cases mandatory—background checks for certain positions at banks, credit unions, insurance companies, and other similar financial and tech-related institutions.

Click Here for the Original Article

Summary and Comparison of U.S. Data Privacy Laws Since California’s CCPA and CPRA

California started the process of individual U.S. states enacting individual privacy laws with its California Consumer Privacy Act (“CCPA”), which currently is in effect, as supplemented and amended by the California Consumer Rights Act (“CPRA”), with general effect on January 1, 2023. There have been various revisions to the accompanying Regulations and many analyses and publications examining CCPA/CPRA, their meaning, and their effects on businesses.

After California, next came Virginia, Colorado, Utah, and Connecticut in passing their own similar but different privacy laws. Tracking compliance with each of these states’ individual data privacy laws can be challenging for businesses that collect, use, retain, sell and/or share personal data, and engage in targeted advertising and profiling because there is no generally applicable federal law at this time.

This article sets out some of the key similarities and differences between and among the individual states’ privacy laws following California’s CCPA/CPRA.

Virginia – After California, Virginia enacted its data privacy law, the Consumer Data Protection Act (“CDPA” or “VCDPA”), which goes into effect on January 1, 2023. The CDPA applies to entities that conduct business in Virginia or produce products or services that are targeted to Virginia residents and that either:

  1. Control or process the personal data of at least 100,000 consumers during a calendar year, OR
  2. Control or process the personal data of at least 25,000 consumers and derive at least 50% of its gross revenue from the sale of personal data.

With regard to (a) above, this is the same 100,000 threshold that is contained in the CPRA, which doubled the 50,000 threshold that is set out in the CCPA.

Pursuant to the VCDPA, the “sale of personal information” is defined as “the exchange of personal data for monetary consideration by the controller to a third party.” Thus, unlike California’s privacy laws, where a sale is defined beyond only monetary sales and also encompasses “valuable consideration,” Virginia’s privacy law requires that the consideration for the sale to be monetary.

Under Virginia’s CDPA, the definition of a sale contains certain exclusions:

  • Disclosures to processors;
  • Disclosures to a third party for purposes of providing products or services requested by the consumer;
  • Disclosures to controller’s affiliate;
  • Disclosures of information that consumers:
  • Intentionally made available to the general public via mass media, and
  • Does not restrict a specific audience.

Virginia’s CDPA provides consumers with the following primary rights:

  • Right to access. Right to confirm whether a controller is processing the consumer’s personal data and to access such personal data.
  • Right to correct. Right to correct inaccuracies in personal information, considering the nature of the personal information and the purposes of the processing of the consumers’ personal information.
  • Right to delete. Right to delete personal information provided by or obtained about the consumer.
  • Right to data portability. Right to obtain a copy of the consumer’s personal information that the consumer previously provided in a portable format and, to the extent technically possible, readily usable format that allows the consumer to transmit the data to another entity without hindrance.
  • Right to opt out. Right to opt out of the processing of their personal data for purposes of targeted advertising, the sale of personal information, and profiling that advances decisions that produce legal or similarly significant effects concerning the consumer.
  • Right to appeal. A business must respond to a consumer request within 45 days of receipt of the request. Where reasonably necessary, the business may then extend the response deadline by an additional 45 days as long as they notify the consumer within the initial response window. Consumers have a right to appeal a business’s denial to act within a reasonable time, and businesses must establish a process for such appeals. If the appeal is denied, businesses must inform consumers how they can submit a complaint to the attorney general.

Additionally, businesses have certain affirmative obligations pursuant to VCDPA:

  • Limits on collection. The CDPA provides that businesses shall limit the collection of data to that which is “adequate, relevant and reasonably necessary in relation to the purposes for which the data is processed.”
  • Limits on use. Once the personal information has been collected, businesses must “not process personal data for purposes that are neither reasonably necessary to nor compatible with the disclosed purposes for which such personal data is processed, as disclosed to the consumer, unless the controller obtains the consumer’s consent.” Also, the CDPA imposes limits on processing sensitive personal information such that doing so is prohibited absent consumer consent.
  • Technical safeguards. In addition to imposing obligations on the business’s processing activities, CDPA requires that businesses establish, implement, and maintain reasonable administrative, technical, and physical data security practices to protect the confidentiality, integrity, and accessibility of personal data.
  • Data protection assessments. Controllers are required to conduct data protection assessments evaluating the risks associated with personal information processing activities. No timeframe is provided for the frequency of these assessments.
  • Data processing agreements. Processing activities by a processor on behalf of a controller must be governed by a data processing agreement. These agreements must clearly set forth instructions for processing data, the nature and purpose of processing, the type of data subject to processing, the duration of processing, and the rights and obligations of both parties. There are various terms that must be included in such agreements, which are set out in the CDPA.
  • Privacy notice. The VCDPA requires controllers to provide consumers with a privacy notice. The notice must state:
    • The categories of personal information processed by the controller.
    • The purpose for processing personal information.
    • How consumers may exercise their consumer rights and appeal a controller’s decision regarding the consumer’s request.
    • The categories of personal information that the controller shares with third parties, if any.
    • The categories of third parties, if any, with whom the controller shares personal data.

Colorado – Colordo was the next state after Viringia to enact a data privacy law, which is Colorado Privacy Act (“CPA”). The CPA goes into effect on July 1, 2023. Colorado’s law is consistent in many ways with Virginia’s data privacy law. The CPA applies to entities that conduct business in Colorado, or produce or deliver commercial products or services that are intentionally targeted to residents of Colorado, and

  1. Control or process the personal data of at least 100,000 consumers or more during a calendar year; OR
  2. Derive revenue or receive a discount on the price of goods or services from the sale of personal information and process or control the personal data of 25,000 consumers or more.

As to (a), this is the same standard as set out in Virginia’s data privacy law.

Additionally, the CPA defines the “sale of personal information” as the exchange of personal data for monetary “or other valuable consideration” by a controller to a third party. Thus, the CPA is consistent with CCPA/CPRA and is not as restrictive in the definition of a sale as is Virginia’s data privacy law.

Similar to Virginia’s CDPA, however, the CPA also excludes certain types of disclosures from the scope of a sale. More specifically, the CPA contains the following exclusions:

  • Disclosures to a processor that processes personal information on behalf of a controller;
  • Disclosures to a third party for purposes of providing a product or service requested by the consumer;
  • Disclosures or transfer to a controller’s affiliate;
  • Disclosures or transfer to a third party as an asset in a proposed or actual merger, acquisition, bankruptcy, or other transaction in which the third party assumes control of all or part of the controller’s assets; and
  • Disclosures:
    • That a consumer directs the controller to make by using the controller to interact with a third party; or
    • Intentionally made available by a consumer to the general public via mass media.

The CPA generally provides the same consumer rights as does the VCDPA—right of access, right to correction, right to delete, right to data portability, right to opt out of targeted advertising, the sale of personal data, and profiling in that affects decisions that produce legal or similarly significant effects concerning a consumer. However, with regard to a consumer’s right to opt-out, controllers must honor opt-out signals as a method for consumers to exercise their opt-out rights.

The CPA also generally contains the same controller obligations as the VCDP – duty of transparency (including through use of a privacy notice), duty of purpose specification, duty of data minimization, duty to avoid secondary use, duty of care with regard to technical safeguards, duty regarding processing sensitive personal data only after obtaining consent, and the requirement of data processing contracts between controllers and processors.

Utah – After Colorado, Utah enacted its privacy law, the Utah Consumer Privacy Act (“UCPA”) on March 24, 2022. The UCPA goes into effect on December 31, 2023. Utah’s law contains some provisions that are more favorable to businesses, and it is not as encompassing in data privacy rights as Virginia and Colorado’s laws.

The UCPA applies to any controller or processor that:

  1. Conducts business in Utah or produces products or services that are targeted to Utah residents as consumers;
  2. Has annual revenue of $25,000,000 or more; AND
  3. Meets one or more of the following thresholds:
    • During a calendar year, controls or processes personal data of 100,000 or more consumers; or
    • Derives over 50% of the entity’s gross revenue from the sale of personal data and controls or processes personal data of 25,000 or more consumers.

Thus, Utah’s data privacy law is more restrictive and favorable for businesses than CCPA/CPRA, VCDPA and CPA, as Utah’s law provides that (a), (b), and one of the factors in (c) above apply for a controller or processor to fall within the scope of the UCPA.

Additionally, the UCPA’s definition of a “sale” is similar to the more restrictive definition set out in Virginia’s privacy law, whereby a sale involves an exchange of personal information for “monetary consideration by a controller to a third party.”

The UCPA also contains similar exclusions to VCDPA and CPA with regard to certain types of disclosures from the definition of sale, e.g., disclosures to a processor or a controller’s affiliates; disclosures to a third party to provide a product or service requested by the consumer, and the like. The UCPA, however, contains an exclusion that is not written into Virginia’s and Colorado’s privacy laws – the UCPA excludes from the definition of a sale “a controller’s disclosure of personal data to a third party if the purpose is consistent with a consumer’s reasonable expectations.”

Consumer rights under the UCPA are consistent with those set out in Virginia and Colorado’s data privacy laws, but more restricted. The UCPA provides the right to access, deletion, data portability, and opt-out of certain data processing for the purposes of targeted advertising or the sale of personal data.

Notably, consumers do not have the right to request deletion of all of the personal information that the controller retains. Instead, consumers only have the right to delete the personal data that they provided to the controller. Additionally, consumers do not have the right to opt out of profiling, and controllers do not have to recognize universal opt-out signals as a method for consumers to opt-out. And, under the UCPA, consumers do not have the right to correct inaccuracies in their personal information.

Consistent with VCDPA and CPA, Utah’s CPA contains various controller obligations with regard to their collection, use, and retention of personal information. Under Utah’s law, however, controllers’ obligations are not as broad and extensive as their obligations under Virginia and Colorado’s privacy laws.

In Utah, controllers have obligations of transparency (including a privacy notice); parental consent to process personal information of minors under age 13 years (consistent with COPPA); data security; responding to consumer requests; data processing contracts between controllers and processors; and, similar to CCPA/CPRA, non-discrimination with regard to consumers exercising their personal data rights. Further, there is no appeal process for consumers whose requests have been denied under Utah’s privacy law.

Connecticut – Finally, Connecticut recently passed its data privacy law, An Act Concerning Personal Data Privacy and Online Monitoring (“CT law”). The CT law was signed on May 10, 2022, and it goes into effect on July 1, 2023. The CT law is more in line with Virginia’s and Colorado’s data privacy laws. Thus, it may be considered more restrictive on controllers’ data processing activities than the more flexible Utah data privacy law.

The CT law applies to entities that conduct business in Connecticut or produce products or services targeted to Connecticut residents and that during the preceding calendar year either:

  • Controlled or processed the personal data of at least 100,000 consumers, excluding personal data controlled or processed solely for the purpose of completing payment transactions; OR
  • Controlled or processed the personal data of at least 25,000 consumers and derived over 25% of their gross revenue from the sale of personal data.

Connecticut’s law has a lower threshold for revenue based on the control or processing of personal data than Virginia (25% of gross revenue in CT; 50% of gross revenue in VA), which operates to include more businesses in the scope of the law. Connecticut’s law, however, contains a higher threshold for revenue based on the control or processing of personal data than Colorado’s law (25% of gross revenue in CT; any % of gross revenue in CO), which operates to include fewer businesses in the scope of the law. Significantly, the CT law excludes consideration of personal information that is processed solely for the purpose of completing payment transactions, which can be favorable if a business seeks to stay outside the scope of the CT law.

The CT law defines the “sale of personal data” as “the exchange of personal data for monetary or other valuable consideration by the controller to a third party.” Thus, the CT law includes the broader definition of a sale, similar to California and Colorado. Additionally, the CT law excludes certain disclosures, and these exclusions are substantially similar to Colorado’s exclusions.

The CT law provides similar consumer rights to those in Colorado – (1) the right to access, where consumers can confirm whether the business has their personal data, as well as access to such personal data; (2) right of correction; (3) right to delete; (4) right to data portability, which applies to all personal data of the consumer, not just that personal data provided by the consumer; and (5) the right to opt out.

Under CT law, controllers are required to provide “clear and conspicuous” links on their websites allowing consumers to opt-out of various types of processing of their personal information. Starting January 1, 2025, the CT law also requires controllers to recognize universal opt-out preference signals that indicate the consumer’s intent to opt-out of targeted advertising and sales.

The CT law contains controller obligations that are similar to those in CCPA/CPRA,  Virginia’s privacy law, and Colorado’s privacy law. More specifically, controllers have obligations to limit collection of personal information; limit the use of personal information to disclosed purposes; maintain reasonable security (administrative, technical and physical security); transparency (e.g., privacy policies); vendor contracts between controllers and processors; data protection assessments for activities that involve a heightened risk of harm to consumers; and obtain consent to the sale and targeted advertising of personal data from consumers aged 13-16 years, as well as compliance with the consent requirements set out in COPPA.

Click Here for the Original Article

Missouri’s New Marijuana Law: What Employers Need to Know

The uncertified results for the November 8, 2022 election indicates Missouri voters have passed Amendment 3, legalizing marijuana for personal use (effective December 8, 2022). Assuming the unofficial results will be certified, what does this mean for Missouri employers? Here are some key take-aways:

Question 1: What am I NOT allowed to do under Amendment 3?

Answer: An employer cannot discriminate against (in hiring, firing, or terms & conditions of employment) or otherwise penalize an applicant or employee who has a valid medical marijuana patient ID card for:

  1. having a valid patient ID card; or
  2. legally using lawful medical marijuana off-premises and outside work hours; or
  3. testing positive for medical marijuana.

Exception 1: This does not apply to employers who would otherwise lose a monetary or license-related benefit under federal law.

Exception 2: These protections do not permit an applicant or employee with a valid patient ID card to use, possess, or be under the influence of medical marijuana while working (on the employer’s premises or during work hours).

Question 2: Can I prevent my employees from using marijuana outside of work?

Answer: You can take disciplinary action against an employee whose lawful, off-duty use of marijuana:

  1. affects that employee’s ability to perform job-related responsibilities; or
  2. affects the safety of others; or
  3. conflicts with a bona fide occupational qualification.

Question 3: Can I still drug test applicants and/or employees?

Answer: Yes. However, if an applicant or employee has a valid patient ID card, you cannot take action against them for testing positive for medical marijuana. (See Question 1).

Question 4: Can I still have a drug-free workplace?

Answer: Yes. You are allowed to ban marijuana from your workplace. You can prevent employees from possessing, using, or being under the influence of marijuana while working (on the employer’s premises or during work hours), whether it’s for personal use or medical use. You will not face liability for refusing to hire an applicant or disciplining or discharging an employee for working or attempting to work while under the influence of marijuana.

Question 5: Can I still inquire about an applicant’s criminal history on a job application?

Answer: Yes. In Missouri, it’s legal for a job application to ask about the applicant’s criminal history. However, a provision of Amendment 3 expunges the criminal history records (including arrest, plea, conviction, and sentence) for certain marijuana-related offenses. This means your application cannot require the applicant to acknowledge the existence of, or answer any questions about, the expunged record.

A number of issues remain to be clarified under this new Constitutional Amendment, including exactly what evidence is required to establish someone is under the influence of marijuana. We will endeavor to provide updates on these issues as the Amendment is interpreted by the State and the Courts.

Click Here for the Original Article

Recreational Marijuana in Missouri Is Coming Soon – What Employers Need to Know

On November 8, 2022, Missourians voted to legalize recreational marijuana, adopting “Amendment 3,” a proposal to amend the state Constitution. With this development, Missouri joins a growing number of states that have legalized recreational marijuana for adults 21 and older (although marijuana is still unlawful as a matter of federal law). Missouri previously legalized the use of marijuana for medical reasons by adopting Amendment 2 in 2018. Amendment 3 both legalizes the recreational use of marijuana and modifies the existing medical marijuana law, especially with respect to employment protections for medical marijuana users. The changes will go into effect on December 8, 2022.

Changes Related to Medical Marijuana. While the focus of Amendment 3 was the legalization of marijuana used recreationally, the changes related to the use of marijuana for medical reasons are significant for employers. In particular:

  • New Employment Protections for Certain Medical Marijuana Users. The Amendment specifically prohibits discrimination against a person in hiring or any term or condition of employment if the discrimination is based on: (1) “[t]he person’s status as a qualifying patient or primary caregiver who has a valid identification card, including the person’s legal use of a lawful marijuana product off the employer’s premises during nonworking hours”; or (2) “[a] positive drug test for marijuana components or metabolites of a person who has a valid qualifying patient identification card,” unless the individual is excepted from coverage under an enumerated exception.
  • Workplace Impairment/Possession Can Be Prohibited. Employers can continue to discipline or terminate an employee for using or possessing marijuana or being under the influence of marijuana on the premises of the place of employment or during the hours of employment.
  • Federal Contract or Licensing Exceptions. Employers may continue to take adverse action against employees who are medical marijuana users if a failure to do so would cause an employer to lose a monetary or licensing-related benefit under federal law.
  • Employment Protections Do Not Extend to Employees in Certain Positions. The Amendment specifically provides that the employment protections do not apply to “an employee in a position in which legal use of a lawful marijuana product affects in any manner a person’s ability to perform job-related employment responsibilities or the safety of others, or conflicts with a bona fide occupational qualification that is reasonably related to the person’s employment.”
  • Limitation on Private Right of Action Retained. Missouri’s medical marijuana law states that employees may not sue employers for “wrongful discharge, discrimination, or any similar cause of action” if employers prohibit employees from working or attempting to work while under the influence of marijuana, or discipline them for doing so. The new Amendment did not modify this provision.

Legalization of Recreational MarijuanaThe provisions of Amendment 3 authorizing the use of marijuana for recreational purposes permit an employer to discipline individuals who use marijuana for recreational purposes, including in the following circumstances:

  • Workplace Use/Possession Can Be Prohibited. Employers may still prohibit marijuana use or possession in the workplace or on the employer’s property.
  • Workplace Impairment Can Be Prohibited. Employers may prohibit and take adverse action against employees for working while under the influence of marijuana.
  • Impaired Driving Prohibited. Individuals are prohibited from operating any motor vehicle or other motorized form of transport while under the influence of marijuana.

Practical Guidelines for Employers

Employers should review their existing drug-free workplace policies and drug testing policies as they relate to the use and possession of marijuana, as well as to testing for marijuana, to ensure compliance with Amendment 3. This is especially true as to the changes related to medical marijuana. While federally mandated testing and marijuana prohibitions—including DOT marijuana use and testing rules—can and must continue, employers should review their federal contracts and funding requirements to determine how they impact compliance with Amendment 3’s provisions. Employers are encouraged to remind their employees of any policy provisions related to the possession and use of marijuana in the workplace and working while under the influence of marijuana.

Click Here for the Original Article

Recreational Marijuana in Maryland? What Employers Need to Know

Many people are rejoicing because the voters in Maryland approved recreational marijuana (which Maryland refers to as “cannabis”) last week. Employers, however, are perhaps not quite so excited – and may be confused about what that actually means for the workplace. While we don’t yet have all the answers, let’s talk about what we do know.

Is Recreational Cannabis In Effect Now? First of all, individuals may not start legally lighting up for fun at this point. The voter-approved constitutional amendment permits recreational use by those age 21 or older starting July 1, 2023. Another cannabis law passed by the General Assembly this past session allows individuals to grow up to two plants per household, and to share cannabis with other adults without payment or trade, also starting July 1, 2023. But for those who are not installing grow lights in their homes or who don’t have friends with access, they will need to wait until the State sets up its highly regulated recreational cultivation and distribution system – and until then, buying cannabis for recreational purposes in Maryland will still be illegal.

Will Employees Be Able to Use Recreational Cannabis (Once It’s Permitted)? The new constitutional amendment, the new cannabis law and the current law don’t directly address employee use of recreational cannabis. The new cannabis law referenced above establishes some rules that have a workplace connection:

  • Cannabis or hemp products must be added to the existing ban on smoking in any indoor place of employment under the Clean Air Act. Employees who make complaints to or participate in Clean Air Act proceedings before the State are protected from adverse employment action.
  • All individuals may not smoke cannabis, and drivers may not consume cannabis, in a vehicle on any public road. To the extent that employees drive as part of their job responsibilities, this would apply to them (in addition to the fact that they should not be smoking/imbibing while on the job!).

We anticipate that there will be a bill proposed in the next General Assembly session (which starts in January 2023) to provide workplace protections for the off-duty use of recreational cannabis. We also anticipate that the bill will state that employees will not be able to use or be under the influence of cannabis while on duty. In addition, we would hope and (through our work with the Maryland Chamber of Commerce) will advocate for exceptions to protected off-duty use of recreational marijuana by certain employees, similar to the laws in other states. These exceptions typically include where such off-duty use is prohibited by law, regulation, or federal contract, or where the employee performs a safety-sensitive position.

Can Employers Discipline for Off-Duty Recreational Use? Currently, the personal use of recreational cannabis is a civil offense (similar to a traffic ticket) – so it’s still illegal, and employers can take disciplinary action based on an employee’s recreational use, even off-duty, for now. And even after July 1, 2023, there is no statutory protection for off-duty recreational use – yet. Unlike other states, Maryland does not have any law protecting employees from adverse employment actions based on legal off-duty conduct, so Maryland employers can discipline, up to and including termination, for any off-duty conduct. But stay tuned for the next General Assembly session!

Is There Any Impact on Workplace Testing? No. Employers are permitted to test for the use of alcohol and controlled substances, as long as the testing is done in compliance with Maryland law. This includes testing for cannabis.

Can Employers Consider Marijuana-Related Convictions for Purposes of Hiring or Continued Employment? With regard to all convictions, we suggest that employers only consider those that are related to the job in question. The EEOC has stated that the use of convictions to disqualify applicants generally may have a disparate impact on certain minority populations. In order to limit that disparate impact, the EEOC’s position is that an employer may use criminal history information to make employment decisions only when it is job related for the position in question and consistent with business necessity. To meet this standard, a criminal conduct must be recent enough and sufficiently job-related to be predictive of performance in the position in question. The EEOC’s guidance identifies three factors to consider in making this assessment:

  1. The nature and gravity of the offense or offenses;
  2. The time that has passed since the conviction and/or completion of the sentence; and
  3. The nature of the job held or sought.

By the way, the new cannabis law also allows for individuals to request that certain drug-related offenses be expunged (i.e. cleared) from their criminal background. If expunged, employers will not be able to ask about or use those convictions for employment purposes.

What About Medical Cannabis? At this time, while the use of medical cannabis is legal in Maryland, there is no law that protects medical cannabis users in the workplace. For the past several years, there have been bills that sought to provide workplace protections for the authorized off-duty use of medical marijuana – but these have all failed. At this time, the Maryland Medical Cannabis Commission offers this FAQ on its website:

Q: My employer tests for drug use including cannabis. Can they test me if I am a medical cannabis patient? Can they fire me if I use medical cannabis?

A: Maryland law does not prevent an employer from testing for use of cannabis (for any reason) or taking action against an employee who tests positive for use of cannabis (for any reason).

But whether off-duty use must be permitted as a reasonable accommodation under the Americans with Disabilities Act and state anti-discrimination law has not yet been litigated in Maryland. Some courts in other states have found such an obligation under the medical marijuana laws in those states. Thus, any employer with an employee seeking to use medical cannabis off-duty as a reasonable accommodation for a disability should consult with employment counsel.

Bottom Line. We expect further developments as the smoke clears on this new world of recreational cannabis and we’ll keep you updated. But for now, employers can still choose to prohibit (or not) the off-duty use of recreational marijuana by employees.

Click Here for the Original Article

What Employers Need to Know About Pay Transparency Requirements in Job Postings

Pay equity has been a hot topic in employment law in recent years. Now, laws requiring disclosure of pay scales are viewed as the next step towards achieving equal pay for equal work across genders, races, and nationalities. In fact, Inc. magazine named 2022 the “Year of Pay Transparency,”1 and LinkedIn News listed pay transparency as one of the “[i]deas that will change the world in 2022.”2 In the last few years, many states and localities have enacted pay equity legislation focused on mandating compensation transparency in job advertisements. California recently joined other jurisdictions in this effort with Governor Gavin Newsom signing Senate Bill 1162 on 27 September 2022. The law, which goes into effect on 1 January 2023, requires employers with 15 or more employees to include a pay scale in job postings and for employers with more than 100 employees to submit an annual report of pay information to the California Civil Rights Department. Similarly, on 1 November 2022, employers in New York City (with at least four employees) must include a good faith salary range for every job, promotion, or transfer opportunity advertised. These are just a few of the growing number of state and local laws implementing pay transparency requirements for job applicants, as well as in some jurisdictions for current employees.

Many employers—including those that operate in regulated locations, employ remote workforces, or recruit nationally—have questions about what the new laws will require, how to comply with them, and to whom the laws apply. This is understandable considering many of the laws apply even if an employer does not have a physical location in the jurisdiction, such as New York City, where coverage exists if a worker could perform the job in the regulated location, or Colorado, where employers with at least one employee residing in the state must comply.

Below is an overview of the jurisdictions that have implemented wage transparency laws and a summary of the requirements of each jurisdiction. It should be noted that many of these laws, as well as those in other jurisdictions, also include document retention obligations, pay equity reporting, and requirements related to compensating employees equitably irrespective of a protected class, such as gender. The below information covers the portions of the laws specifically related to disclosing compensation information in job postings.



Employers in California already were required to provide applicants for a position the pay scale for the job upon a “reasonable” request. Following passage of an expansive pay transparency bill that amended Labor Code Section 432.3, effective 1 January 2023, covered employers (those with 15 or more employees) must include a pay scale in any advertised job postings, including positions posted by third parties. “Pay scale” is defined as the “salary or hourly wage range that the employer reasonably expects to pay for the position.”3 Although the definition of pay scale does not explicitly include bonuses, commissions, and other benefits, other state laws do require inclusion of such information, and employers should keep an eye out for additional guidance from the Department of Labor Standards as the effective date approaches. All employers must now also provide this information to current employees upon request.4

The amendments to the Labor Code also impose document retention obligations, including maintaining a record of each employee’s job title and wage history for three years after the employment relationship terminates. The law can be enforced through a private right of action, and offending employers may be subject to civil penalties, including the possibility of penalties up to US$10,000 per violation. Employers may take advantage of a cure provision, and avoid an initial penalty, if they revise the offending job posting to include the relevant pay scale.

Unlike some of the other laws that state, sometimes explicitly, that the law applies to remote roles (for example, Colorado and New York City), the California law does not specifically address whether the law covers remote job postings as well.


Effective 1 January 2021, Colorado’s Equal Pay for Equal Work Act (EPEWA), C.R.S. § 8-5-1-1 et seq., requires covered employers (those with at least one employee in Colorado) to list the rate of compensation (or a range thereof) in job postings to all prospective applicants and notify current employees of promotional opportunities. Covered employers must also provide a general description in the advertisement of any bonuses, commissions, or other compensation the prospective applicant would be eligible to receive if hired.

Colorado’s law initially prompted some employers, who did not have any employees located in the state, to exclude remote employees based in Colorado from applying for advertised positions. However, the Colorado Department of Labor quickly issued a stern notice2 directed to those employers. The notice reminded employers that the EPEWA provisions apply to all remote job openings as long as the hiring employer has at least one worker in Colorado.

Exceptions to the salary posting requirements include:

  1. Confidentiality on account of a desire to replace an existing employee;
  2. Automatic promotion of an employee after a trial period of up to one year; and
  3. Temporary/acting/interim position for up to six months (noting that if the position becomes permanent it must be posted).

The law can be enforced with fines between US$500 and US$10,000 per violation.


Effective 1 October 2021, Connecticut’s “An Act Concerning the Disclosure of Salary Range for a Vacant Position,” requires covered employers (those with at least one employee in Connecticut) to disclose the “wage range” for a vacant position to current employees and applicants upon the earlier of: (i) the applicant’s request, or (ii) the communication of an offer of employment.6 “Wage range” means the range of wages an employer anticipates relying on when setting wages for a position. To determine the wage range for a particular position, the employer may reference any applicable pay scale, previously determined range of wages for the position, actual range of wages for employees who currently hold comparable positions, or the budgeted amount for the position.

Subsequent guidance7 from the Connecticut Department of Labor confirmed, “Yes, the Act applies to employers within the state using the services of one or more employees for pay even if such employees are located outside the physical confines of the state.”


Effective 1 October 2020, the Equal Pay for Equal Work Law,8 as amended, requires covered employers (any employer engaged in business in the state of Maryland) to provide a wage range to all applicants who request such disclosure. The law specifies that employers are prohibited from refusing to interview, hire, or employ an applicant because the applicant requested the wage range associated with the desired position. Maryland also prohibits an employer from requesting past salary information from an applicant. However, an employer may, after making an offer of employment that includes compensation, rely on the wage history that an applicant voluntarily provided to support a higher wage than offered.

While a private cause of action does not exist, an applicant may file a complaint with the Maryland Department of Labor’s Commissioner of the Division of Labor and Industry (the Commissioner). Civil penalties range between US$300 and US$600 per violation. However, the law specifies that upon finding a violation, the Commissioner shall either “(i) issue an order compelling compliance[,] or (ii) in the Commissioner’s discretion, for a first violation, issue a letter to the employer compelling compliance.”9


As of 1 October 2021, Nevada mandates that covered employers (any private or public employer in Nevada) must disclose a wage or salary range to applicants after an initial interview and to current employees that apply for a promotion/transfer, complete an interview for a promotion/transfer, have been offered a promotion/transfer, or request the information to consider a promotion/transfer.10

Fines extend up to US$5,000 for each violation and payment of the Nevada Labor Commissioner’s fees and costs to investigate and prosecute a claim.11

Rhode Island:

Effective 1 January 2023, the Rhode Island Equal Pay Law has been amended to require employers (those with one or more employee in the state) to provide job applicants a wage range upon the applicant’s request.12 Even when the applicant does not make a request, an employer should provide the wage range for the position “prior to discussing compensation.”13 The wage range is defined as the range the employer anticipates paying for the position, including budgeted amounts. For current employees, the wage range can include applicable pay scales and what other employees in that same position have been paid previously. Finally, if a current employee requests the wage range for their position at any time during their employment, the employer must provide them such information.

The law provides a private cause of action. In addition, enforcement of the law can include fines starting at US$1,000 per violation (first offense) to US$5,000 (two violations in a seven-year period).

Washington State:

As of 28 July 2019, covered employers (those with 15 or more employees) in Washington must disclose the minimum wage or salary for a position upon an applicant’s request once a conditional offer of employment is made. The employer must also disclose wage or salary ranges upon the request of an employee offered an internal transfer to a new position or a promotion.

Effective 1 January 2023, under the Washington Equal Pay and Opportunities Act, as amended, covered employers in Washington also are required to disclose a salary range in job postings as well as a general description of the benefits and other compensation to be offered. This includes all “discretionary and nondiscretionary wages and benefits provided by an employer to an employee as a result of the employment relationship.”14 Additionally, the Washington Department of Labor and Industry notes on its website that its Employment Standards Program anticipates developing an administrative policy to help employers better understand the requirements of this legislation.

The law provides that the penalty for a first violation may not exceed US$500. For a repeat violation, the penalty may not exceed US$1,000 or 10% of the damages, whichever is greater.15


Cincinnati, Ohio:

Effective 13 March 2020, under the City of Cincinnati Ordinance No. 83 (the Ordinance), covered employers (those with 15 or more employees within the city) are required to provide the pay scale to an applicant for a position after a conditional offer has been made and if a reasonable request is made by the applicant.16 The Ordinance does not define the terms “reasonable request” or “pay scale.”

The Ordinance creates a private cause of action and provides for compensatory damages, reasonable attorney’s fees, the costs of the action, and legal and equitable relief with a two-year statute of limitations on such damages and relief. In a unique turn, the Ordinance also provides a safe harbor for employers who, within the previous three years, and before a lawsuit is filed against the employer, have received an external certification, which is then made publicly available, that their practices do not include salary history in the hiring process. Pursuant to the Ordinance, the city established the Salary History Implementation Working Group. It is expected that this group will provide further guidance on all aspects of the Ordinance, including the parameters of the safe harbor provision.

Westchester County, New York:

Effective 6 November 2022, Westchester County Local Law No. 119—amending the local human rights law (Section 700.03(a)(9))—prohibits covered employers (those with at least four employees) from advertising a position without including the minimum and maximum salaries for the job advertised.

The Westchester County law applies to positions that are required to be performed in whole or in part in Westchester County, whether in a physical office or remotely. While no private cause of action exists, violations of this law are subject to any of the appropriate penalties within Section 700.11(h) of the local human rights law, which include compensatory and punitive damages, as well as civil penalties up to US$250,000.

Ithaca, New York:

Effective 1 September 2022, Ithaca City Code § 215-3(F) (amended 4 May 2022 by Ord. No. 2022-03), requires employers that employ four or more employees within the City of Ithaca to include in job advertisements the minimum and maximum hourly or salary compensation for the position advertised, including postings for promotions or transfers.

Ithaca’s law is silent as to its application to workers located outside of Ithaca, such as a remote employee. In other words, the law is silent on whether employers must comply with the salary disclosure requirements if an employee would not be physically working from Ithaca.

Employers who violate Section 215-3(F) may be liable for “money damages and any other remedy available at law,” as set forth in Section 215-9.5. In addition, a private cause of action exists.

Jersey City, New Jersey:

Originally effective 13 April 2022 and subsequently amended 15 June 2022, Ordinance No. 22-045 (the Ordinance) requires covered employers, employment agencies, and agents of covered employers (those with five or more employees within Jersey City) to include a minimum and maximum salary range and benefits in every job posting or advertisement. The Ordinance specifies that any independent contractors engaged by the employer on the date the job advertisement is posted will count towards the five-employee threshold.17

Violations of the Ordinance can be reported to the Office of Code Compliance, or to the Women’s Advisory Board for referral to the Office of Code Compliance, and will be subject to the penalties set forth in Section 1-25 of the Municipal Code, including fines of up to US$2,000.

New York City:

Effective 1 November 2022, a covered employer (those with four or more employees) must disclose a good faith salary range for every job, promotion, and transfer opportunity that is advertised. The disclosure must contain the “minimum and maximum annual salary or hourly wage.”18 All prospective applicants, including internal applicants, are entitled to receive the disclosure when the job is posted.

The law applies to any position that could be filled by a candidate who resides in New York City. Further, the law also explicitly provides that it applies to any position that may be performed, at least in part, in New York City, which could even encompass an employee who is required to report to a New York City office for work on a sporadic or infrequent basis. Salary transparency protections will be enforced by the New York City’s Commission on Human Rights. After the first violation, employers that violate the law may face civil penalties up to US$250,000.

Toledo, Ohio:

Effective 25 June 2020, the City of Toledo’s “Pay Equity Act to Prohibit the Inquiry and Use of Salary History in Hiring Practices” mandates that employers must provide applicants the pay scale for the position they are applying for after the employer has made an offer and upon the applicant’s reasonable request. The ordinance does not apply to internal transfers or promotions or to applicants who are rehired within five years.

There is a private cause of action for violations of the act and those affected applicants can bring a cause of action within two years from the occurrence of a violation. Those affected could seek “compensatory damages, reasonable attorneys’ fees, the costs of the action, and such legal and equitable relief as the court deems just and proper.”19


New York State:

Recently, on 3 June 2022, the New York State Legislature passed Senate Bill 9427, which awaits the governor’s signature. This statewide bill is similar in most respects to the pay transparency laws that have been enacted in New York City, Westchester County, and Ithaca. Should the governor sign the bill into law, it will go into effect 270 days from the date of signing.


The differences in scope and applicability aside, all of these laws demonstrate a growing trend of mandated salary disclosures in pursuit of pay equity. Indeed, most if not all of these laws were passed as one of several amendments to the respective jurisdictions’ laws centering on pay equity and discriminatory hiring practices—such as bans on inquiries into salary history. Although the equally growing trend toward remote workforces may make implementation of these laws challenging, employers should expect further proliferation of laws of this kind to be the way of the future.

Employers with operations in these jurisdictions and those that may be covered based on the locations of their employees should evaluate the pay ranges for all current positions. As part of this review, employers may want to consider engaging counsel to conduct a pay equity analysis and make any necessary modifications to existing compensation ranges. Finally, employers should ensure that the compensation information to be included in the applicable job postings is accurate and satisfies the various requirements under these new laws.

Click Here for the Original Article

United States: Virginia Consumer Data Protection Act takes effect in 2023

In brief

Companies around the world have to comply with the Virginia Consumer Data Protection Act (VCDPA) with respect to personal data of consumers in Virginia. With the VCDPA, Virginia follows the California Consumer Privacy Act of 2018, as amended by the California Consumer Rights Act of 2020 (CCPA) but excludes employee and business representative data from its scope. Businesses that have implemented measures to comply with the CCPA can leverage some of their existing vendor contract terms, website disclosures and data subject rights response processes to satisfy requirements under the VCDPA. However, the VCDPA contain certain unique and prescriptive requirements that will require VCDPA-specific approaches to compliance. For example, the VCDPA requires businesses to obtain affirmative opt-in consent before processing sensitive personal data, and to conduct data protection assessments when processing sensitive data or conducting certain activities with the personal data such as targeted advertising, selling or profiling. Unlike the CCPA and other privacy laws, the VCDPA does not provide the Virginia Attorney General with rulemaking authority. Any changes to the VCDPA must be done via amendments by the legislature.

The VCPDA becomes effective 1 January 2023 and does not include a look-back period for violations.

Who and what data are protected?

The VCDPA protects “consumers”, which the statute defines as Virginia residents acting in an individual or household context. Individuals acting in an employment or commercial context are expressly excluded from protection.

The VCDPA defines “personal data” to mean information that is linked or reasonably linkable to an identified or identifiable individual, but does not include data that is de-identified or publicly available. Unlike the CCPA, the VCDPA does not expressly protect the personal data of households.

The VCDPA includes exemptions for certain types of data and entities. These include exemptions for institutions governed by the Gramm-Leach-Bliley Act (GLBA) and certain data maintained by a public utility, employment records, protected health information processed by covered entities and business associates under the Health Insurance Portability and Accountability Act, and other types of information already regulated under other federal laws, including the GLBA, Family Educational Rights and Privacy Act, Fair Credit Reporting Act, and Children’s Online Privacy Protection Act (COPPA).

Who must comply?

Unless an exemption applies, the VCDPA applies to “controllers” and “processors” that conduct business in Virginia or sell products or services intentionally targeted to residents of Virginia, and meet either of the following thresholds: the business (i) controls or processes personal data of 100,000 or more consumers during a calendar year; or (ii) controls or processes personal data of at least 25,000 consumers and derives over 50 percent of gross revenue from the sale of personal data.

“Controller” is analogous to a “business” under the CCPA and is defined as a person that, alone or jointly with others, determines the purposes for and means of processing personal data. “Processor” is analogous to a “service provider” under the CCPA and is defined as a person who processes personal data on behalf of a controller. To qualify as a “processor” under the VCDPA, a company has to process personal data on behalf of a controller. The VCDPA mandates that processors adhere to the controller’s instructions and assist the controller with complying with the controller’s own obligations, and the two parties must enter into an agreement with certain terms prescribed by the VCDPA.

How to comply?

Privacy Notices. Under the VCDPA, controllers must provide privacy notices that include: (i) the categories of personal data processed by the controller; (ii) the purpose for processing personal data; (iii) how consumers may exercise their rights, including the controller’s contact information and how a consumer may appeal a controller’s decision with regard to a consumer’s request; (iv) the categories of personal data that the controller shares with third parties, if any; and (v) the categories of third parties, if any, with whom the controller shares personal data. Unlike the CCPA, the VCDPA does not expressly require that privacy notices be issued prior to collection and they do not need to include certain elements required by the CCPA such as information on sources of personal data, processes that the controller follows to verify requests, or information on financial incentives offered in exchange for the collection, retention or sale of personal information. Nevertheless, and depending on what notices a business currently issues and what they cover, many businesses can leverage current privacy notices to comply with the VCDPA by updating such notices to include statements regarding the right under the VCDPA to appeal a controller’s decision with respect to data subject requests.

The VCDPA also requires controllers that “sell” personal data to third parties or process personal data for targeted advertising to clearly and conspicuously disclose such processing, as well as the manner in which a consumer may exercise the right to opt-out of such processing. Unlike the CCPA, the VCDPA definition of “sale” of personal data is limited to an exchange of personal data for monetary consideration. The VCDPA also excludes certain types of disclosures from being a “sale” of personal data, such as disclosures to a processor to process the personal data for the controller, disclosures of personal data to a third party for the purpose of providing a product or service requested by the consumer, disclosures to an affiliate of a controller, disclosures to third parties as part of a merger or similar transaction, or disclosures of personal data intentionally made available by a consumer to the general public or mass media channels.

Sensitive Data. Unlike the CCPA, which will introduce an “opt-out” regime for the processing of sensitive personal information beyond certain authorized purposes, the VCDPA requires consumers to “opt-in” to the processing of their sensitive data.

The VCDPA defines “sensitive data” to mean certain prescribed categories of data, including personal data that reveals an individual’s race, ethnic origin, religious beliefs, mental or physical health diagnoses, sexual orientation, citizenship or immigration status; personal data from a known child (under 13); the processing of genetic or biometric data for the purpose of uniquely identifying an individual; and precise geolocation data.

In practice, fitness trackers, delivery app services, and other businesses that provide recommendations and/or services based on a consumer’s precise location must ensure that they obtain opt-in consent from users before processing such personal data. When dealing with children’s data, companies must obtain consent from parents or guardians in accordance with the verifiable parental consent requirements of COPPA.

Technical and Organizational Measures, Assessments. The VCDPA requires controllers to establish, implement, and maintain reasonable administrative, technical and physical data security practices, and to conduct and document data protection assessments before engaging in any processing activity that presents a heightened risk of harm to a consumer. The VCDPA considers processing for purposes of targeted advertising or profiling, selling personal data, and processing sensitive data to be activities that typically present a heightened risk of harm to consumers.

The CCPA did not initially contain such an assessment requirement, but the California Privacy Protection Agency is tasked under the CCPA with issuing regulations that will require audits and risk assessments as well. Companies should be able to leverage assessments performed under the VCDPA to comply with CCPA and other US state privacy statutes.

Data Processing Agreements. Before a processor performs any processing on behalf of a controller, the parties must enter into a contract that includes terms similar to those required under other US state privacy laws (and the GDPR), including the controller’s instructions for processing and requirements that the processor shall (1) keep the personal data confidential; (2) delete or return all personal data to the controller as requested at the end of the provision of services, unless retention of the personal data is required by law; (3) on request, make data available to the controller; (4) cooperate with third party assessments; and (5) conclude similar agreements with subcontractors. Data processors must adhere to controllers’ instructions and use appropriate technical and organizational measures to assist controllers in meeting their obligations under the VCDPA. Businesses should continue to update their contracts while keeping standardization in mind where possible (see Standardizing data-processing agreements globally).

Data Subject Rights. Under the VCDPA, consumers have the right to know whether a controller is collecting their personal data, to access their collected personal data, to download and remove personal data from a platform in a format that allows the transfer to another, and to correct and delete personal data held on them. Consumers also have the right to opt-out of the sale of their personal data, or use of their personal data for targeted advertising and certain types of profiling.

Responding to Data Subject Rights Requests. To exercise one’s rights, the VCDPA allows consumers to, once they have been authenticated, receive responses to consumer requests without undue delay but in any case within 45 days of receipt of the request. Controllers may extend this time period by another 45 days where reasonably necessary, and the consumer will ultimately have the ability to appeal any decision made by the controller under the controller’s appeal process (which the VCDPA requires controllers to put into place). The appeals process must provide the consumer with an appellate response within 60 days and must provide consumer information on how to contact the Virginia Attorney General if the consumer has concerns about the results of any appeal. This contrasts with the CCPA, which does not mandate an appeals process.

Sanctions and remedies. Unlike the CCPA, there is no private right of action provided by the VCDPA, but the Virginia Attorney General can bring a civil action for an injunction or penalties of not more than USD 7,500 per violation. The Virginia Attorney General must first issue a notice of violation to a controller and allow a 60-day cure period before pursuing an enforcement action. Similar to the CCPA, the VCDPA creates a consumer privacy fund that will support actions by the Virginia Attorney General to enforce the VCDPA.

Click Here for the Original Article


District of Massachusetts Dismisses Data Breach Class Action for Lack of Injury

On October 18, 2022, in Webb v. Injured Workers Pharmacy, LLC, the District of Massachusetts dismissed a class action complaint brought by former pharmacy patients alleging that their sensitive personal information had been exposed in a data breach affecting more than 75,000 customers. In its analysis, the court determined that the named plaintiffs and putative class members could not satisfy the injury-in-fact requirement for constitutional standing. Plaintiffs Webb and Charley had claimed the breach caused “anxiety, sleep disruption, stress, and fear” and cost them “considerable time and effort” monitoring their accounts.

The court rejected these factual allegations as an insufficient basis to confer constitutional standing under Article III:

The Complaint does not sufficiently allege that the breach caused any identifiable harm. It is only alleged that Webb and Charley spent “considerable time and effort” monitoring their accounts and, in Webb’s case, dealing with the IRS. Plaintiffs “cannot manufacture standing merely by inflicting harm on themselves based on … hypothetical future harm.” Clapper v. Amnesty Int’l USA, 568 U.S. 398, 416 (2013). The Complaint alleges neither monetary loss, the misuse of data, nor that a third party stole their PII. Plaintiffs’ alleged injuries rest entirely on the future possibility that an unauthorized third party will, at some undetermined time, misuse their PII. Based on the facts of the Complaint, this potential harm is not sufficiently threatening to establish an “injury in fact.” Katz, 672 F3.d at 71.

In footnotes, the court noted that Webb had not made a “plausible connection between the data breach and the filing of the [tax] return” filed by an unknown and unauthorized third-party and rejected a theory that plaintiffs were harmed by the loss of their personal information’s “black market value.”

The court’s decision is especially notable in that it comes on the heels of the First Circuit’s recent decision in Laufer v. Acheson Hotels LLC, which overturned the dismissal of and thus revived a class action on standing grounds based on the dignitary harm caused by website accessibility barriers. As discussed in a prior post on informational injury, the First Circuit rejected the lower court’s reasoning, holding that “[d]ignitary harm or stigmatic injuries caused by discrimination have long been held a concrete injury in fact.”

It remains to be seen whether Webb, like Laufer, will make its way to the First Circuit docket and, if so, how the First Circuit will apply its recent logic from Laufer to the data breach context. Of particular interest would be the First Circuit’s analysis of the alleged informational injury that occurred when, according to the allegations set forth in the complaint, the “Defendant breached its duties by failing to provide reasonably timely notice of the Data breach to Plaintiffs and members of the Class.” Regardless of whether an appeal proceeds in Webb, there will certainly be more occasions for the First Circuit to consider the limits of constitutional standing in the aftermath of the Supreme Court’s ruling in TransUnion LLC v. Ramirez.

Click Here for the Original Article

Former Employee Was Not Injured By Alleged Violation Of FCRA

Limon v. Circle K Stores Inc., 2022 WL 14391789 (Cal. Ct. App. 2022)

Plaintiff Ernesto Limon was employed by Circle K (which operates gas stations and convenience stores in California) for just one month before filing this putative class action lawsuit against his former employer, alleging violation of the Fair Credit Reporting Act (FCRA).  Limon alleged that Circle K’s standard form in which it seeks a job applicant’s consent to conduct a background check violated FCRA’s “standalone disclosure” requirement because it contained “extraneous provisions” and, further, that he was “confused regarding the nature of his rights under the FCRA.”  After suing Circle K in federal court (and losing), Limon initiated this action in state court.  The trial court also dismissed Limon’s action based on Limon’s inability to establish he had suffered a concrete injury as a result of Circle K’s actions.  The Court of Appeal affirmed on the ground that Limon had not suffered a sufficient concrete or particularized injury to have standing to sue Circle K.

Click Here for the Original Article


‎EU Cyber Resilience Act

On September 15, 2022, the European Commission published its Proposal for a Cyber Resilience Act (CRA) which sets out new requirements for hardware and software products in the EU.

The CRA applies to hardware and software that contain digital components and whose intended use includes a connection to a device or network and applies to all digital products placed on the EU market (including imported products).

Main Requirements

  • Digital products are broken down into certain risk allocations, with Class II critical products including identity management software, password managers, VPNs, network traffic monitoring systems, and remote access software.
    • Class II critical products include microprocessors, routers, IOT devices, smart meters, and operating systems.
  • Manufacturers will need to assess the cyber risk of their digital hardware and software and take continued action to fix problems during the lifetime of the product. In addition, before placing any digital product on the market, manufacturers will be required to conduct a formal ‘conformity assessment’ of such product and implement appropriate policies and procedures documenting relevant cybersecurity aspects of the products.
  • Companies will have to notify the EU cybersecurity agency (ENISA) of any exploited vulnerability within the product, and any incident impacting product security, within 24 hours of becoming aware. Manufacturers will also be required to notify users of any incident impacting product security without delay. These notice requirements apply regardless of whether the incident would constitute a data breach under applicable privacy laws.
  • EU importers and distributors of products will need to verify that digital products conform with the CRA.
  • EU Member State authorities will be permitted to monitor compliance with the CRA, and maximum fines of up to EUR 15 million (approx. $15mm) or 2.5% of global annual turnover, whichever is higher) can be applied.

Additional Provisions

  • The CRA specifies further cybersecurity requirements for products, including requirements for products to be delivered with a secure by default configuration, ensure appropriate access control mechanisms, protect availability of essential functions (including protection against, and mitigation of, denial of service acts), and be designed to reduce the impact of a security incident.
  • The CRA also requires manufacturers of digital products to comply with various vulnerability handling requirements, including identifying and documenting vulnerabilities in the product and addressing and remediating them without delay.
  • Certain information and instructions are required to be provided to users of digital products, including the full contact details of the manufacturer, a point of contact where vulnerabilities can be reported and received, disclosure of cyber security risks, and detailed instructions (or a website URL referring to such detailed instructions) on security-related aspects of the product.

Next Steps

The draft proposal will not be examined by the European Parliament and Council of the EU. It is likely to take some years before the CRA is adopted, but once it is companies will have two years to implement its requirements.

Click Here for the Original Article

New York to Require Human Trafficking Recognition Training for Certain Hospitality Employees

New York State Governor Kathy Hochul recently signed into law eight pieces of legislation designed to combat human trafficking. These laws require many hospitality industry employers to provide specific anti-human-trafficking awareness training to employees. They also require certain hospitality and transportation industry employers to post information regarding services available to human trafficking victims.

The new laws require employers that are required to provide employees with alcohol awareness training to include a human trafficking curriculum in such training; require lodging facilities to train their client-facing employees to recognize human trafficking victims; and require the Thruway Authority, airports, truck stops, port authority, and port authority bus terminals to post informational signs and cards concerning services for human trafficking victims in public restrooms. In addition, establishments that serve alcoholic beverages must display signs about the illegality of human trafficking and the assistance hotline.

The law requiring lodging facilities to provide human trafficking awareness training to employees applies to any inn, hotel, motel, motor court or other establishment that provides lodging to transient guests. Client-facing employees are lodging facility employees who are likely to come into contact with guests in their facility.

A list of approved training programs will be posted online by the division of criminal justice services and the office of temporary and disability assistance, which are working in consultation with the New York state interagency task force on human trafficking. The training will cover, at a minimum: the nature of human trafficking, how human trafficking is defined in law, how to identify victims of human trafficking and who employees should contact if a victim is identified. All client-facing employees must receive this training by November 20, 2023, four months from the law’s July 20, 2023 effective date. After that, all new client-facing employees must receive the training within 60 days of their start date.

The training may be administered as a standalone unit or as part of the facility’s existing training program. Employers must pay client-facing employees for attending the training, which is to take place on-site. Each lodging facility must maintain records that indicate its client-facing employees completed the training and maintain such records for the duration of each employee’s employment and one year following separation.

Click Here for the Original Article