January 29, 2021
EEOC Updates Guidance On COVID Vaccines: Mandatory Vaccinations Permitted, With Some Exceptions
On December 16, 2020, the Equal Employment Opportunity Commission (EEOC) updated its COVID-19 Technical Assistance Questions and Answers to include information about COVID-19 vaccinations. This has been a hot topic for employers because of the recent emergency use authorization by the Food and Drug Administration (FDA) of vaccines developed by Pfizer-BioNTech and Moderna. The updated Guidance is found in Section K here.
Since last spring, the EEOC has issued multiple updates to its Q&A resources, advising employers how to navigate the potentially severe health and safety threat from COVID-19 while remaining compliant with workplace anti-discrimination laws, including the Americans with Disabilities Act (ADA); Title VII of the Civil Rights Act of 1964 (Title VII), the Age Discrimination in Employment Act (ADEA) and the Genetic Information Non-Discrimination Act (GINA). Employees are also protected under other federal and state laws.
The key takeaways from the updated Guidance are as follows:
K.1. For any COVID-19 vaccine that has been approved or authorized by the Food and Drug Administration (FDA), is the administration of a COVID-19 vaccine to an employee by an employer (or by a third party with whom the employer contracts to administer a vaccine) a “medical examination” for purposes of the ADA? (12/16/20)
The EEOC has indicated that administration of an FDA approved vaccine is not a medical examination.
The EEOC states that while the administration of a COVID vaccine is not a medical examination, the pre-screening vaccination questions may implicate the ADA provision on disability-related inquiries. If the employer administers the vaccine itself or engages a third-party to do so, the employer must show that the pre-screening questions are “job-related and consistent with business necessity.”
K.2. According to the CDC, health care providers should ask certain questions before administering a vaccine to ensure that there is no medical reason that would prevent the person from receiving the vaccination. If the employer requires an employee to receive the vaccination from the employer (or a third party with whom the employer contracts to administer a vaccine) and asks these screening questions, are these questions subject to the ADA standards for disability-related inquiries? (12/16/20)
Pre-vaccination medical screening is likely to elicit disability information. That means that such questions, whether asked by the employer or its agent, are “disability-related” under the ADA. The employer must demonstrate that the pre-screening questions are “job-related and consistent with business necessity.” In order to comply with this standard, the employer must have a reasonable belief, based on objective evidence, that an employee who does not answer the pre-screening questions and is not vaccinated, will pose a “direct threat” to the health or safety of himself or others. A direct threat is “a significant risk of substantial harm to the health or safety of the individual or others that cannot be eliminated or reduced by reasonable accommodation.”
There are two circumstances in which disability-related screening questions may be asked without needing to satisfy the “job-related and consistent with business necessity” standard. First, if the employer offers the vaccination to employees on a voluntary basis, the pre-screening questions must also be voluntary. An employer may not retaliate, threaten, or intimidate an employee who refuses to answer the screening questions, but they will likely not receive the vaccine. Second, if an employee receives the vaccine from a third-party unrelated to the employer, such as their own medical provider or a pharmacy, the ADA requirement that the questions be “job-related and consistent with business necessity, is inapplicable.
K.3. Is asking or requiring an employee to show proof of receipt of a COVID-19 vaccination a disability-related inquiry? (12/16/20)
No, simply asking employees for proof of vaccination is not a disability-related inquiry. But, if the employer asks follow-up questions, such as why the employee was not vaccinated, this may elicit information about a disability. Any such questions must be “job-related and consistent with business necessity.” Employers should instruct their employees not to provide any medical information that may be contained in a document that provides proof of vaccination.
K.4. Where can employers learn more about Emergency Use Authorizations (EUA) of COVID-19 vaccines? (12/16/20)
Employers should consult the FDA website for up to date information on vaccines issued an EUA. Also, this information is typically included in a patient fact sheet at the time the vaccine is administered. The FDA EUA page can be found here.
K.5. If an employer requires vaccinations when they are available, how should it respond to an employee who indicates that he or she is unable to receive a COVID-19 vaccination because of a disability? (12/16/20)
The ADA allows an employer to have a qualification standard that includes “a requirement that an individual shall not pose a direct threat to the health or safety of individuals in the workplace.” However, if a safety-based qualification standard, such as a vaccination requirement, screens out or tends to screen out an individual with a disability, the employer must show that an unvaccinated employee would pose a direct threat due to a “significant risk of substantial harm to the health or safety of the individual or others that cannot be eliminated or reduced by reasonable accommodation.” 29 C.F.R. 1630.2(r).
Employers should conduct an individualized assessment of four factors in determining whether a direct threat exists: the duration of the risk; the nature and severity of the potential harm; the likelihood that the potential harm will occur; and the imminence of the potential harm. A conclusion that there is a direct threat would include a determination that an unvaccinated individual will expose others to the virus at the worksite. If an employer determines that an individual who cannot be vaccinated due to disability poses a direct threat at the worksite, the employer cannot exclude the employee from the workplace, or take any other action, unless there is no way to provide a reasonable accommodation (absent undue hardship) that would eliminate or reduce this risk so the unvaccinated employee does not pose a direct threat.
If there is a direct threat that cannot be reduced to an acceptable level, the employer can exclude the employee from physically entering the workplace, but the employer may not automatically terminate the worker. Employers will need to determine if any other rights apply under the EEO laws or other federal, state, and local authorities. For example, if an employer excludes an employee based on an inability to accommodate a request to be exempt from a vaccination requirement, the employee may be entitled to accommodations such as performing the current position remotely. This is the same step that employers take when physically excluding employees from a worksite due to a current COVID-19 diagnosis or symptoms; some workers may be entitled to telework or, if not, may be eligible to take leave under the Families First Coronavirus Response Act, under the FMLA, or under the employer’s policies.
Managers and supervisors responsible for communicating with employees about compliance with the employer’s vaccination requirement should know how to recognize an accommodation request from an employee with a disability and know to whom the request should be referred for consideration. Employers and employees should engage in a flexible, interactive process to identify workplace accommodation options that do not constitute an undue hardship (significant difficulty or expense). This process should include determining whether it is necessary to obtain supporting documentation about the employee’s disability and considering the possible options for accommodation given the nature of the workforce and the employee’s position. The prevalence in the workplace of employees who already have received a COVID-19 vaccination and the amount of contact with others, whose vaccination status could be unknown, may impact the undue hardship analysis.
Employers may rely on CDC recommendations when deciding whether an effective accommodation that would not pose an undue hardship is available, but as explained further in Question K.7., there may be situations where an accommodation is not possible. When an employer makes this decision, the facts about particular job duties and workplaces may be relevant. Employers also should consult the applicable Occupational Safety and Health Administration standards and guidance. Employers can find OSHA COVID-specific resources here.
It is unlawful for employers to disclose that an employee is receiving a reasonable accommodation or retaliate against an employee for requesting an accommodation.
K.6. If an employer requires vaccinations when they are available, how should it respond to an employee who indicates that he or she is unable to receive a COVID-19 vaccination because of a sincerely held religious practice or belief? (12/16/20)
Once an employer is on notice that an employee’s sincerely held religious belief, practice, or observance prevents the employee from receiving the vaccination, the employer must provide a reasonable accommodation for the religious belief, practice, or observance unless it would pose an undue hardship under Title VII of the Civil Rights Act. Courts have defined “undue hardship” under Title VII as having more than a de minimis cost or burden on the employer.
The EEOC guidance explains that because the definition of religion is broad and protects beliefs, practices, and observances with which the employer may be unfamiliar, the employer should ordinarily assume that an employee’s request for religious accommodation is based on a sincerely held religious belief. If, however, an employee requests a religious accommodation, and an employer has an objective basis for questioning either the religious nature or the sincerity of a particular belief, practice, or observance, the employer would be justified in requesting additional supporting information.
K.7. What happens if an employer cannot exempt or provide a reasonable accommodation to an employee who cannot comply with a mandatory vaccine policy because of a disability or sincerely held religious practice or belief? (12/16/20)
If an employee cannot get vaccinated for COVID-19 because of a disability or sincerely held religious belief, practice, or observance, and there is no reasonable accommodation possible, then it would be lawful for the employer to exclude the employee from the workplace. This does not mean the employer may automatically terminate the worker. Employers will need to determine if any other rights apply under the EEO laws or other federal, state, and local authorities.
K.8. Is Title II of the Genetic Information Nondiscrimination Act (GINA) implicated when an employer administers a COVID-19 vaccine to employees or requires employees to provide proof that they have received a COVID-19 vaccination? (12/16/20)
No. Administering a COVID-19 vaccination to employees or requiring employees to provide proof that they have received a COVID-19 vaccination does not implicate Title II of GINA because it does not involve the use of genetic information to make employment decisions, or the acquisition or disclosure of “genetic information” as defined by the statute. This includes vaccinations that use messenger RNA (mRNA) technology, which will be discussed more below. As noted in Question K.9. however, if the administration of the vaccine requires pre-screening questions that ask about genetic information, the inquiries seeking genetic information, such as family members’ medical histories, may violate GINA.
Under Title II of GINA, employers may not (1) use genetic information to make decisions related to the terms, conditions, and privileges of employment, (2) acquire genetic information except in six narrow circumstances, or (3) disclose genetic information except in six narrow circumstances.
Certain COVID-19 vaccines use mRNA technology. This raises questions about whether such vaccines modify a recipient’s genetic makeup and, therefore, whether requiring an employee to get the vaccine as a condition of employment is an unlawful use of genetic information. The CDC has explained that the mRNA COVID-19 vaccines “do not interact with our DNA in any way” and “mRNA never enters the nucleus of the cell, which is where our DNA (genetic material) is kept.” (See the CDC Website for a detailed discussion about how mRNA vaccines work). Thus, requiring employees to get the vaccine, whether it uses mRNA technology or not, does not violate GINA’s prohibitions on using, acquiring, or disclosing genetic information.
K.9. Does asking an employee the pre-vaccination screening questions before administering a COVID-19 vaccine implicate Title II of GINA? (12/16/20)
Pre-vaccination medical screening questions are likely to elicit information about disability, as discussed in Question K.2., and may elicit information about genetic information, such as questions regarding the immune systems of family members. It is not yet clear what screening checklists for contraindications will be provided with COVID-19 vaccinations.
If the pre-vaccination questions do not include any questions about genetic information (including family medical history), then asking them does not implicate GINA. However, if the pre-vaccination questions do include questions about genetic information, then employers who want to ensure that employees have been vaccinated may want to request proof of vaccination instead of administering the vaccine themselves.
GINA does not prohibit an individual employee’s own health care provider from asking questions about genetic information, but it does prohibit an employer or a medical provider working for the employer from asking questions about genetic information. If an employer requires employees to provide proof that they have received a COVID-19 vaccination from their own health care provider, the employer should warn employees not to provide genetic information as part of the proof. As long as this warning is provided, any genetic information the employer receives in response to its request for proof of vaccination will be considered inadvertent and therefore not unlawful under GINA.
Employers have been anxiously awaiting FDA approval of COVID vaccines. Now that two vaccines have been given EUA by the FDA, and others are likely to be approved as well, employers must consider whether to mandate employee vaccination or wait and see. Employers that are functioning remotely with little or no impact on productivity and that are able to do so for the foreseeable future may decide to delay imposing a vaccination mandate until more medical information is available. Other employers, such as those in retail, construction, or manufacturing, are likely to move ahead quickly with a vaccination mandate to mitigate the economic impact of the pandemic on their business. Both practical and legal issues will need to be resolved, but as of today, the EEOC has definitively signaled that mandatory COVID vaccinations are lawful for the vast majority of employees.
Can Employers Make Employees Get The COVID-19 Vaccine?
With two COVID-19 vaccines set to receive federal approval in the United States in the upcoming weeks, the next question is whether employers can make employees receive the vaccine. The short answer is…yes. And while the typical lawyer answer to any question is “it depends,” that concise “yes” does come with a few caveats. So, let’s go through them.
First, it is also worth noting that under the federal Occupational Safety and Health Act (OSHA) and many state laws, employers are obligated to provide a workplace free from serious recognized hazards. This means that employers have the right to establish legitimate health and safety standards and polices so long as they are job-related and consistent with business necessity. As such, a policy requiring vaccinations will depend heavily on the employer’s industry and physical location. Accordingly, courts in a number of jurisdictions have held that these workers can be required to receive vaccinations, such as rubella or flu vaccinations, as long as the requirement is job-related and consistent with business necessity. This is especially true in the healthcare context.
Second, even if an employer can require a vaccination due to a demonstrated legitimate health and safety requirement, we’ve learned from the flu vaccine that the Equal Employment Opportunity Commission (EEOC), which enforces the federal Americans with Disabilities Act (ADA), which protects employees from disability discrimination, and Title VII of the Civil Rights Act of 1964, as amended (Title VII), which protects employees from religious discrimination, has been clear that employers are already allowed to require employees to be vaccinated. However, workers who have a medical reason not to get the vaccine may request a medical exemption under the ADA and workers who have a sincere religious belief that taking the vaccine would violate their religious beliefs may request a religious exemption under Title VII.
For example, persons with certain health-related conditions, such as severe allergies to ingredients in the flu vaccine or disorders such as Guillain-Barré Syndrome, should not be vaccinated for the flu. Further, the EEOC advised that employers should accommodate pregnant employees’ requests not to be vaccinated.
Notably, not all health conditions are ADA-qualifying. In Hustvet v. Allina Health Systems, the Eighth Circuit held that an employer could terminate a healthcare worker after she refused to receive immunizations for measles, mumps, and rubella because of her alleged chemical sensitivities and/or allergies because there was not enough evidence that the employee’s alleged condition was actually a qualifying disability under the ADA. Because the vaccination requirement was job related and consistent with business necessity, however, the court ruled in favor of the employer.
In the religious accommodation context, in 2012 in Chenzira v. Cincinnati Children’s Hospital Medical Center, the Southern District Court of Ohio concluded that veganism qualifies as a sincerely held religious belief exempting an employee from having to receive the flu vaccine, which was produced from chicken products. The employer had discounted the employee’s request for exemption as a dietary preference or philosophical ideation rather than a sincerely held religious belief, but the court disagreed.
When an employer does receive an exemption request, whether due to disability or religious-related reasons, an employer must engage in an interactive process with the employee to determine if it can provide the employee with a reasonable accommodation that does not pose an undue hardship for the employer. The standard for what constitutes an undue hardship is different under the ADA and Title VII, with the disability accommodation being less strict. In any event, if an employee qualifies for an exemption under either the ADA or Title VII, the employer may have to provide the employee a reasonable accommodation to allow the employee to continue to work with vaccinated individuals, such as working remotely.
Although the EEOC could update its guidance materials, which it has done since the pandemic, it has not addressed the COVID-19 vaccine and its impact on workforces.
As for employer liability, should any employees develop any side effects from any required vaccine, those claims would likely be considered injuries obtained during the course and scope of employment and subject to review through each individual state’s workers’ compensation systems.
So, there you have it. Employers can legally require employees get the COVID-19 vaccine, subject to the reasonable accommodation protections for medical conditions under the ADA and religious accommodation exemption under Title VII. Bear in mind that the requirements to trigger these exceptions have been difficult for employees to meet in the case law. Lastly, just because an employer can require an employee to have the COVID-19 vaccination, it does not mean that an employer should require, and the EEOC has further recommended that employees consider encouraging employees to get vaccines rather than require them. However, given the scope of COVID-19 and the significant loss of life, it will be interesting to see how employers and the EEOC respond.
Tenant Background Report Provider Settles FTC Allegations That It Failed To Follow Accuracy Requirements For Screening Reports
A California-based company that provides background reports to property management companies will pay $4.25 million as part of a settlement with the Federal Trade Commission over allegations the firm failed to follow reasonable procedures to ensure the accuracy of its reports about potential tenants. In a complaint filed by the Department of Justice on behalf of the Commission, the FTC alleges that AppFolio, Inc. violated the Fair Credit Reporting Act (FCRA) by failing until at least April 2019 to implement reasonable procedures to ensure that criminal and eviction records it received from a third party vendor were accurate before including such information in its tenant screening reports. In addition, the FTC alleges AppFolio also violated the FCRA by including eviction or non-conviction criminal records more than seven years old in its reports.
“Consumers face enough hurdles in obtaining housing without the additional burden of inaccurate background checks,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “AppFolio and all background screening agencies must follow reasonable procedures to ensure that the background reports that they provide to their customers are as accurate as possible.”
Property managers use AppFolio’s reports for tenant screening. Under the FCRA, companies that provide tenant screening background reports on consumers are required to follow reasonable procedures to ensure the “maximum possible accuracy” of those reports and are prohibited from reporting certain obsolete information.
The FTC alleges that AppFolio failed to implement procedures to adequately review the accuracy of the information it received from its vendor before including the information in background reports.
As a result, AppFolio provided inaccurate information about some applicants such as records for individuals with a different name or birthdate; records with a missing or inaccurate offense name, type, or date; records with a missing or inaccurate disposition; and multiple entries for the same criminal or eviction action. The FTC alleges that some applicants may have been denied housing or other opportunities because of the inaccurate information included in background reports provided by AppFolio.
Despite receiving numerous complaints from consumers, AppFolio did not make changes to its procedures that addressed the problems with the reports, the FTC alleges. In addition to the $4.25 million monetary penalty, the proposed settlement prohibits AppFolio from providing non-conviction criminal or eviction records older than seven years and requires the company to maintain reasonable procedures to ensure the maximum possible accuracy of information included in its background reports.
FTC Finalizes Settlement With Service Provider Over Alleged Privacy Shield Misrepresentations
The EU-U.S. Privacy Shield Framework, which provided a mechanism to legally transfer personal information from the EU to the United States, was invalidated on July 16, 2020, but the Federal Trade Commission (FTC) has made it clear that companies that claimed to be participants must still make good on their word. A case in point is the FTC’s recent settlement with NTT Global Data Centers Americas, Inc. (NTT) over charges that the company misrepresented its participation in the EU-U.S. Privacy Shield Framework after its certification had lapsed in January 2018. Businesses that transfer personal information from the EU to the United States rely on representations by service providers such as NTT that they comply with established privacy principles and that an approved adequacy mechanism is in place to facilitate such transfers. The settlement terms bar NTT from misrepresenting in any way its participation in or adherence to any privacy or data security program. They also require NTT to apply Privacy Shield or equivalent protections to all personal information the company collected during its membership in the framework or return or delete that information. The FTC has taken similar action against other companies over the years, and this decision reaffirms the importance of ensuring that claims about participation in the Privacy Shield, or any other privacy program, are made only when an application has been approved and a certification is current. All references to certification must be promptly deleted from privacy policies and other materials if a certification has lapsed. The Commission vote to finalize the settlement with NTT was 3-1-1. Commissioner Rebecca Kelly Slaughter did not take part, and Commissioner Rohit Chopra voted no and issued a statement in which he pressed the Commission to impose monetary fines on companies that mislead consumers about their participation in privacy programs.
Whether the FTC imposes heavier sanctions down the road or not, damage to reputation can cost a company dearly. The FTC’s settlement with NTT is also a reminder of the importance of “trust but verify.” The U.S. Department of Commerce’s Privacy Shield list provides a way to double check that an organization’s representations about compliance are true. The vast majority of Privacy Shield participants take their obligations seriously. The FTC’s focus on the few organizations that do not remain current in their Privacy Shield commitments enhances the reliability of the Privacy Shield even as discussions continue on possible alternative adequacy mechanisms to address data transfers from the EU to the United States.
CDC Updates Guidance On Quarantine After COVID-19 Exposure, But State Guidance May Differ
Since the onset of the COVID-19 pandemic, various federal, state and local government entities have issued and updated guidance relating to the health and safety of workplaces. The Centers for Disease Control and Prevention (CDC) has led the way, with other entities relying on its guidance. On October 21, the CDC updated the definition of an exposure that should result in quarantine; on November 16, the CDC updated its guidance on the need for critical infrastructure workers to quarantine after exposure to an individual with COVID-19; and on December 2, the CDC shortened its recommended length of quarantine from the initially recommended 14 days to as little as seven days.
CDC Guidance for Individuals Exposed to a Suspected or Confirmed Case of COVID-19
The CDC previously recommended that employees who were in close contact with a known or suspected case of COVID-19 (including those with symptoms or who are asymptomatic but have tested positive) quarantine for 14 days from the date of their last exposure to that individual. The CDC defined “close contact” in this context to mean being within six feet for a cumulative 15 or more minutes during a 24-hour period, whether or not either individual was wearing personal protective equipment.
For exposed individuals who are asymptomatic, a quarantine for 14 days may be onerous, especially when such individuals are unable to work from home. As such, the CDC has issued updated guidance to reflect that such individuals, if they remain asymptomatic, may discontinue quarantine after 10 days without testing, or after seven days if a test administered within 48 hours before discontinuing quarantine is negative. Individuals who discontinue quarantine must have no clinical evidence of COVID-19, continue to monitor symptoms daily for 14 days after they are no longer quarantined, and strictly adhere to all other transmission risk reduction guidelines for the full 14 days after exposure (including correct and consistent mask use, social distancing, hand and cough hygiene, environmental cleaning and disinfection, avoiding crowds, and ensuring adequate indoor ventilation). While the CDC indicates that the shorter quarantine periods will not as effectively eliminate the risk of transmitting COVID-19, the risk of transmission is 1% to 5% in the case of the 10-day quarantine without testing, and 5% to 12% in the case of a seven-day quarantine and negative test result.
symptomatic Critical Infrastructure Workers Exposed to COVID-19
For most of the pandemic, despite its general recommendation that exposed employees quarantine for 14 days, the CDC allowed exposed employees in “critical infrastructure” businesses who remained asymptomatic to continue to work as long as they followed certain safety protocols. Critical infrastructure businesses include financial institutions, information technology providers, healthcare workers, food and agriculture businesses, energy providers, and critical manufacturing services, among others. This blanket exemption for critical infrastructure employees ended with the CDC’s guidance issued November 16. Now, given the widespread transmission of COVID-19 by asymptomatic individuals, critical infrastructure employers may take advantage of the exemption from the 14-day quarantine only as “a last resort and only in limited circumstances, such as when cessation of operation of a facility may cause serious harm or danger to public health or safety.” In such limited circumstances, critical infrastructure employees may continue to work if they continue to be asymptomatic, have not tested positive and additional precautions are observed. These additional precautions include employees pre-screening themselves before arriving at work; employers screening employees again upon their arrival at work; regularly monitoring and asking employees to self-monitor for symptoms; requiring the use of masks, social distancing and good hand hygiene; and routine cleaning and disinfecting of all work areas.
The CDC further recommends that critical infrastructure businesses, where possible, reduce the need to reintegrate exposed critical infrastructure employees into the workplace by identifying and prioritizing job functions essential for continued operations, cross-training employees on critical job functions, and determining which if any existing workers possess skills necessary to perform critical job functions should employees unexpectedly need to be absent.
BEWARE: Local Jurisdictions May Follow Different Guidance
The CDC guidance is not binding, and the guidance of state and local authorities should be followed. Some states’ guidance specifically requires that employers follow CDC guidance, while others’ guidance incorporates CDC guidance and/or are more restrictive than CDC guidance. For example, as of the date of publication:
The legal landscape related to COVID-19 has changed rapidly and will likely continue to do so given the current resurgence throughout the country and world. As always, employers should confer with legal counsel to ensure they comply with the applicable obligations in their jurisdiction.
A Brief Guide To California’s Latest Employer COVID-19 Reporting Obligations
California employers are now subject to three new COVID-19 related reporting obligations when there is a COVID-19 positive employee or employees in their workplaces, including: reporting to their (1) workers’ compensation carrier, (2) employees and other workers, and (3) local public health authority. We address each briefly below.
Employers Must Act Now:
California employers should update their COVID-19 compliance policies and procedures immediately to ensure the new notification measures are addressed.
Florida Governor Signed SB 664: Verification Of Employment Eligibility Into Law That Requires Private Employers To Use E-Verify Or To Use The Form I-9 And Maintain Copies Of The Documents Used To Complete The Form I-9 For Three (3) Years
Effective January 1, 2021 private employers in Florida must (a) use the E-Verify system; or (b) duplicate the Form I-9 process by requiring the documents employees presented during the Form I-9 completion be presented in order to comply with Florida law. If the latter, employers must maintain those documents for at least three (3) years after the date of hire. (See, Section 2 of SB 664). The new law has the potential to create a two-track system for private employers with operations and licensed to do business in Florida when completing their Forms I-9. Or, in the alternative, require them to change their Form I-9 processes to photocopy documentation presented by the employee for Section 2 purposes. Employers currently not photocopying documents presented by new hires when completing the Form I-9 (which is not generally required), are most directly impacted by this new requirement. They either have to change their practices with respect to Form I-9 completion and begin photocopying documents or run the risk of an enforcement action by Florida authorities. Non-compliance with Florida law may lead to suspension or revocation of a company’s license to do business in the state. Generally, unless an employer uses E-Verify, photocopying the documents presented for Form I-9 Section 2 purposes is not required. Employers may, but are not required to, photocopy the document(s) presented by the new hire when completing the Form I-9. (See, 8 U.S.C.A. section 1324a(b)(4); 8 C.F.R. section 274a.2(b)(3)). Click here to read the text of the bill.
Two Recent Ninth Circuit Cases Provide Guidance On FCRA Disclosure And Authorization Form Requirements
The Federal Reserve anticipates an approximate two percent reduction in unemployment by June 2021, envisioning rapid mass-hiring by employers once governments lift the more stifling COVID-19 restrictions. Businesses requiring pre-employment background checks may be uniquely exposed to liability under the Fair Credit Reporting Act (“FCRA”) if minor mistakes are amplified by mass-hiring events.
The FCRA requires, among other things, that an employer inform and obtain consent from an applicant regarding the employer’s intent to obtain a consumer report. Specifically, the employer must provide a “clear and conspicuous disclosure…in writing…in a document that consists solely of the disclosure.” Two recent Ninth Circuit cases further explicate this standard, and when it applies.
In Walker v. Fred Meyer Inc., 953 F.3d 1082 (9th Cir. 2020), the court addressed the standalone disclosure, and found that an employer may provide a “concise explanation” of what the consumer report may be used for. The Court held that “beyond a plain statement disclosing ‘that a consumer report may be obtained for employment purposes,’ some concise explanation of what the phrase means may be included.” In other words, an employer may concisely explain to an applicant or employee what the report entails, how it will be obtained, and for which type of employment purposes it may be used.
In Walker, the relevant issue was whether the employer willfully violated the FCRA by providing an unclear disclosure form encumbered by extraneous information. Plaintiff Walker claimed the disclosure form was confusing because it included information rendering him “unable to meaningfully evaluate and understand the nature of the report.”
The Walker Court held that beyond a plain statement disclosing “that a consumer report may be obtained for employment purposes” an employer may include a concise explanation of what that phrase means without violating the FCRA’s “standalone” requirement. The Court found that a statement specifying the use of investigative reports did not violate the FCRA’s standalone requirement because investigative reports are a subcategory or specific type of consumer report.
However, the Court disapproved of two other portions of the employer’s disclosure, which explained: how an applicant may inspect the Credit Reporting Agency’s (“CRA”) files, how the CRA will help the applicant understand the files, and if the CRA obtains any information by interview, that the applicant has the right to obtain a disclosure of the scope and nature of the investigation performed. The Court found these statements could pull an applicant’s attention away from his privacy rights protected by the FCRA, were more than merely a ‘concise statement’ and therefore violated the FCRA’s ‘standalone’ requirement.
The second case, Luna v. Hansen & Adkins Auto Transport, Inc., No. 18-55804 (April 24, 2020), drew a distinction between the FCRA requirements applicable to a disclosure versus an authorization form. Plaintiff Luna alleged that Defendant-employer violated the FCRA by (among others) failing to place the FCRA authorization on a standalone document. There, the authorization appeared at the end of the employment application and included other notices, waivers, and agreements, unrelated to acquiring the consumer report.
The Court rejected Plaintiff’s argument that, by including the authorization form within the employment application and among other waivers, the Defendant-employer violated the FCRA’s ‘standalone’ requirement. Instead, the Court held that the “standalone” requirement only applies to the disclosure form, not the authorization.
In sum, employers should review the content of their disclosure forms, and ensure that no information is included beyond explaining what a consumer report entails, how it will be obtained, and for which type of employment purpose it may be used. Anything more may violate the FCRA. In the view of the Ninth Circuit, employers may, however, include FCRA authorizations within the employment application, which may facilitate more quickly expanding their workforce once the economic headwinds shift.
Supreme Court Grants Cert On Major FCRA Standing Issue
Back in August, CPW reported on a developing issue in the consumer privacy space—one of the “big three” consumer reporting agencies (“CRAs”) was sued for using “matching technology” against the “Specially Designated Nationals” list maintained by the U.S. Department of the Treasury’s Office of Foreign Assets Control, and similar “terrorist watch lists,” on consumers’ credit reports. This practice occasionally resulted in consumers incorrectly being presented as “potential” matches against these lists on their credit reports. The Ninth Circuit found in Ramirez v. TransUnion LLC, 951 F.3d 1008 (9th Cir. 2020) that TransUnion’s failure to use additional identifiers, such as date of birth, to verify the matches could be found to be objectively unreasonable.
In a first of its kind ruling, the Ninth Circuit also found in Ramirez that every class member needed to have Article III standing at the final stages of a damages suit. It determined that the class of 8,185 consumers who had received inaccurate reports using the matching technology could obtain money damages, although Judge McKeown penned a dissent concluding that only the 1,853 consumers whose credit reports were requested by a potential credit grantor had standing to assert a claim. The Court also reduced the punitive damages award per class member, finding the sum to be excessive in violation of due process. TransUnion appealed both issues and petitioned the Supreme Court for a writ of certiorari in September.
This morning, the Supreme Court granted Transunion’s’ petition. While it declined to take up the punitive damages issue, it granted cert for the question: “Whether either Article III or Rule 23 permits a damages class action where the vast majority of the class suffered no actual injury, let alone an injury anything like what the class representative suffered.” This decision is sure to impact future class action litigation and issues of standing, especially for claims under the FCRA.
Federal Court Holds State-Imposed Credit Reporting Restrictions Preempted By The FCRA
A federal court in Maine recently held that the FCRA preempts burdensome credit reporting restrictions imposed by the Maine Fair Credit Reporting Act. “By seeking to exclude additional types of information” from consumer credit reports, the Court said, “the Maine Amendments intrude upon a subject matter that Congress has recently sought to expressly preempt from state regulation.” The case is Consumer Data Industry Association v. Frey, 2020 U.S. Dist. LEXIS 187061 (D. Me. Oct. 8, 2020).
As Troutman Pepper reported previously, the Maine legislature passed two amendments to the Maine Fair Credit Reporting Act in 2019 prohibiting consumer reporting agencies from including certain kinds of information in a consumer’s credit report (the “Maine Amendments”). Specifically, these amendments prohibit reporting medical debts less than 180 days old, medical debts that have been settled or paid, and debts that are the product of “economic abuse.” Me. Rev. Stat. Ann. tit. 10, §§ 1310-H(4), 1310-H(2-A) (2019). Both laws would require a credit reporting agency to engage in burdensome investigations of the underlying circumstances, conditions, and status of a consumer’s debts to determine whether those debts are reportable. The Consumer Data Industry Association (“CDIA”) filed suit against the Maine Attorney General and the Superintendent of the Maine Bureau of Consumer Credit Protection, seeking declaratory judgment that both laws are preempted by the FCRA. The parties filed cross-motions for judgment on a stipulated record in April 2020.
This October, the U.S. District Court for the District of Maine ruled in favor of the CDIA, holding that the Maine Amendments are preempted by the FCRA. Engaging in a detailed analysis of the language and history of the FCRA’s preemption provisions, the court rejected a narrow construction advocated by the State of Maine that would limit preemption to the specific types of information already regulated by the FCRA. “In the Court’s reading, the amended language and structure of [the FCRA’s preemption provisions] reflect an affirmative choice by Congress to set ‘uniform federal standards’ regarding the information contained in consumer credit reports.” Accordingly, the court held that the FCRA preempts any state regulation of information contained in consumer reports. Because the Maine Amendments place additional prohibitions on the kind of information that may be included in a consumer report, they concern the exact subject matter expressly preempted by Congress.
Although the immediate effect of this decision is limited to the State of Maine, the court’s analysis and persuasive reasoning has substantial ramifications for other states seeking to impose their own restrictions on consumer credit reports. The Defendants have filed an appeal of the district court’s decision, which will give the First Circuit Court of Appeals an opportunity to rule definitively on this issue. Troutman Pepper will continue to monitor and report further developments.
CNIL Fines Two Companies Of The Carrefour Group €3.05 Million For GDPR And Cookie Violations
Carrefour France and Carrefour Banque are both affiliates of the French retail group, the Carrefour Group. The group has diversified its activities into the banking and insurance, travel agency and e-commerce sectors. Between June 8, 2018 and April 6, 2019, the CNIL received 15 complaints from individuals relating to the exercise of their data protection rights with affiliates of the Carrefour Group. The complainants argued that Carrefour (1) did not comply with their data access or erasure requests; (2) sent them direct marketing communications despite the fact that the complainants had objected to receiving those communications; or (3) in one case, did not allow the complainant to unsubscribe to marketing emails. The CNIL carried out online inspections on the carrefour.fr and carrefour-banque.fr websites and onsite inspections at the premises of Carrefour France and the parent company of the group, Carrefour SA. These inspections aimed to verify whether Carrefour France and Carrefour Banque were in compliance with all provisions of the GDPR and the French Data Protection Act.
The CNIL’s inspections revealed that both companies infringed several obligations of the GDPR and the cookie law requirements of Article 82 of the French Data Protection Act when processing customer or web user data. On November 18, 2020, the CNIL imposed a fine on each company for these infringements. The CNIL did not impose other sanctions, such as an injunction to bring the data processing activities in question into compliance, as both Carrefour companies made huge efforts during the proceedings to remedy the non-compliance.
GDPR and Cookie Violations
In its decision against Carrefour France, the CNIL found that the company failed to comply with basic GDPR requirements and its obligations as a data controller, including the (1) storage limitation requirement; (2) obligation to facilitate the exercise of individuals’ data protection rights; (3) obligation to provide notice to individuals about the processing of their personal data in an easily accessible form, using clear and plain language and in a comprehensive manner (i.e., with all information required by the GDPR); (4) obligation to comply with subject right requests; and (5) obligations to ensure the security of personal data and to notify personal data breaches. Further, the CNIL found that Carrefour France infringed cookie law requirements by automatically setting cookies on the user’s device when the user visited the home page of the carrefour.fr website.
In its decision against Carrefour Banque, the CNIL found that the company failed to comply with the (1) obligation to process personal data fairly; (2) obligation to provide notice in an easily accessible form, using clear and plain language and in a comprehensive manner; and (3) cookie law requirements.
Highlights from the CNIL’s decisions are detailed below.
Interestingly, in setting the fine against Carrefour France, the CNIL relied upon the concept of “undertaking” within the meaning of EU competition law to take into account not only the revenues of Carrefour France but also the higher revenues of its two subsidiaries who benefited from the data processing activities in question. Carrefour France and Carrefour Banque may now appeal the CNIL’s decisions within two months before France’s highest Administrative Court (Conseil d’Etat).