California Consumer Privacy Act Update: What Has Changed and What Remains the Same?

by Brian Hengesbaugh, Michael Egan and Cristina Messerschmidt - Global Compliance News

The California legislative session ended with a bang on 13 September, when legislators passed several noteworthy amendments to the California Consumer Privacy Act (CCPA). The California governor has until 13 October to act on these amendments. We have outlined below the amendments that materially alter the original scope or requirements of the CCPA and that will impact CCPA compliance activities for many organizations.

Limited Personnel Exemption

Assembly Bill 25, the amendment exempting personal information collected from employees and other personnel from the scope of the CCPA, was passed in a revised form. Under this final version of the amendment, the rights of access, correction and opt-out of sale do not apply to employees, job applicants, owners, directors, staff, officers, contractors and medical staff (collectively, “personnel”). However, businesses will still be required to meet the notice requirements laid out in Section 1798.100 for personnel and personnel still benefit from the private right of action in the event of a data breach as provided in Section 1798.150. The same provisions apply to personal information collected from personnel in the context of providing benefits, as well as information related to personnel’s emergency contact information. Importantly, this limited exemption expires after one year. While California legislators have made an affirmative commitment that they will address employee data privacy during the course of the next year, if they fail to do so prior to 1 January 2021, personnel information obtained from personnel and/or in the context of benefits will then be subject to the full requirements of the CCPA.

Limited B2B Information Exemption

Assembly Bill 1355 provides business-to-business (B2B) companies a limited reprieve from complying with all the requirements of the CCPA in the context of communications and transactions with other companies, organizations, and government agencies. Personal information that is collected in the course of B2B communications or transactions from or about an employee, owner, director, officer or contractor of a business or government agency is exempt from most CCPA requirements. Notably, however, this exemption does not apply to the right to opt out of the sale of personal information, the obligation not to discriminate against a consumer for attempting to exercise other rights, or the private right of action in the event of a data breach. Like the limited personnel exemption, this exemption also expires after one year, at which point business contact information will be covered by the CCPA if the legislature does not take further action in the interim. This being said, B2B companies that do not sell (as this term is defined by the CCPA) business contact information will still have to closely re-examine their other California personal information collection, to determine if and to what extent they must comply with CCPA requirements for other types of personal information they collect, such as for marketing purposes with prospective customers.

Read more:

Credit reporting agencies sue Maine over two new consumer protection laws

by Caitlin Andrews - BDN

AUGUSTA, Maine (BDN) -- An association representing three of the nation’s largest credit reporting agencies sued the state of Maine in federal court last week over two new consumer protection laws that affect credit ratings and deal with medical debt and economic abuse.

The Consumer Data Industry Association, whose membership includes credit reporting agencies Experian, Equifax and TransUnion, said in a complaint filed Sept. 26 in U.S. District Court that two laws that went into effect a week earlier violate the Fair Credit Reporting Act and will “undermine the accuracy, integrity and reliability” of consumer report information.

One of the laws prevents reporting agencies from reporting medical debt on a consumer report until the debt is 180 days old and instructs agencies to treat medical debt the same as a credit transaction if the consumer is paying the debt off regularly.

The other instructs reporting agencies to investigate if a person claims their debt is the result of economic abuse. This can include instances where access to money or bank accounts is obstructed, resources like food or shelter are withheld or an abuser creates fraudulent debt in a victim’s name, according to the law’s text. If abuse is found, the agencies have to remove any references to debt generated as a result of the abuse from the victim’s credit report.

Read more:

It's Not Just California Anymore: State and Local Laws Challenge the Multijurisdictional Employer

by Rachel Powitzky Steely - The National Law Review

Did you know that employers can be sued in Michigan for height discrimination?  Or that in Maine, starting in 2021, employees can take paid time off for any reason at all?  States and cities have followed California’s lead in requiring tighter restrictions on employers and providing more rights to employees.  Is your company complying with these swiftly changing state and local restrictions?

Historically, employers viewed California as the only place with significantly more restrictive employment laws outside the federal norms. However, more and more cities and states are setting higher standards for employers and requiring strict compliance. Employers must therefore keep up with the rapidly changing regulation landscape on the state and local level.

For example, many states and cities have passed various versions of “ban the box” laws that prohibit an employer from requesting criminal history on an application.  Detroit and New Orleans ban questions at the application stage, not after a conditional offer of employment, but only for contractors doing business with the city. New Mexico allows an employer to consider an applicant’s convictions only after reviewing the application and discussing employment with the applicant (interview).  Washington state requires employers to determine that the applicant is otherwise qualified for a position, but does not require that the employer conditionally offer employment to consider arrests, convictions, or background checks. Most states with ban the box regulations do allow inquiries of criminal history after a conditional offer of employment.

Read more:

For some prisoners, the past is in the past

by Greg Kozol - News-Press NOW

Anyone over a certain age recalls being told that a bad act would go down on your permanent record.

It turns out that this threat of everlasting, unshakable taint may be subject to some wiggle room. A movement to expunge or hide aspects of a person’s criminal past is gathering steam in Missouri and other states. It’s part of an effort to help former inmates find employment after release from prison.

“What offenders who are re-entering society are asking for is an equal opportunity,” said Suzanne Kissock, chair and program director of the legal studies program at Missouri Western State University. “Should a conviction stay with you, if it is a nonviolent offense, for the rest of your life?”

Two decades ago, politicians would have given a strong “yes” when asked that question. That consensus is starting to erode as Republicans seek to reduce prison costs and some Democrats see the issue as one of fairness for those who paid a debt to society.

Missouri lawmakers gave bipartisan support this year to a bill that allows four crimes to be expunged from a person’s record: first-degree property damage, stealing, possession of forging instruments and fraudulent use of a credit or debit device. The measure, which covers offenses that are common for people with drug addictions, became law in late August.

Read more:

U.S., Europe split over U.N. efforts to expand airport employee screening

by Allison Lampert - Reuters

The United States and Europe are divided over United Nations efforts to expand employee screening at airports, following broader calls to harden airports against threats from their own workers, four sources familiar with the matter said.

The United States, backed by Canada and Australia, opposes the new global standards, which if approved would have all workers screened when entering airports’ restricted areas, while Europe supports the change, said the sources who were not authorized to discuss the private talks.

Washington argues the proposal could increase passenger congestion and costs, and is not demonstrably more effective than its current practice of random screening, watch list vetting and background checks, two of the sources said.

The previously unreported debate comes weeks before global aviation security experts will meet at the UN’s International Civil Aviation Organization (ICAO) in Montreal.

Read more:

Jury awards $101,000 to Portland man who sued Wells Fargo for not fixing credit report due to ID theft

by Maxine Bernstein - The Oregonian/OregonLive

An identity thief opened a Wells Fargo car loan account in the name of Matthew Sponer, bought a BMW at a used car dealership in Southern California in July 2016, was caught that fall and convicted several months later.

Despite repeated attempts by Sponer and his lawyer to get his bank to delete the $29,000 debt that his credit report showed he owed for the car loan, Wells Fargo didn’t do it for 14 months. They finally followed through after Sponer sued the bank.

The delay came despite a detective confirming to the bank the identity theft, the thief’s guilty plea and sentencing, the bank’s receipt of a police report and Sponer’s credit card statements that showed he was out of the country when the car was purchased.

On Tuesday, a federal jury awarded Sponer $101,000 in noneconomic damages, finding Wells Fargo Bank negligently and willfully violated the Fair Credit Reporting Act. But the eight-member jury didn’t issue any punitive damages.

Jurors deliberated for about six hours after a four-day federal court trial in Portland.

“A consumer should not have to sue a bank like Wells Fargo to get it to do what the law requires,’’ Sponer’s lawyer, Robert S. Sola, said during his closing argument. “They ignored all the information in their own record.’’

Read more:

Due Diligence: It Applies Equally to Properties and Prospective Tenants

by Alex Hemani - Forbes

You wouldn’t invest in a property without first investigating the premises, comps and details of the deal. So don’t count on the performance of that investment without conducting some due diligence on the people who will be providing the revenue: your future tenants.

Thorough tenant screening is critical to protecting your investment, helping you treat everybody equally and avoiding a potential fair housing inquiry or violation. Large property owners do it, and singe-family rental owners should too, especially since people who know they have a credit or rental history problem will look for properties from independent investors hoping you won’t check to find out the sordid details.

There’s no way to be certain whether a tenant-landlord relationship will work out, but that doesn’t mean you should simply flip a coin or “go with your gut.” People who seem personable and responsible in an interview can turn out to be difficult renters. Giving somebody a break could mean they just became your newest charity case, or reveal a pattern of inconsistent decisions you’ve made that could lead to a fair housing complaint. That’s why you have to perform your due diligence on people you are considering renting to, just like you would on a property you are considering buying. Fail to do so, and you increase your risk and jeopardize your rental revenue stream.

GDPR One Year On: How Have Data Companies Fared?

by Amnon Drori - International Business Times

For some, it was a time of concern and even panic. The European Union's GDPR was coming, and companies were given the clear message: Make sure you follow privacy protection rules, or you could end up like Google – which was about to be fined a record $5 billion for violating EU antitrust regulations. GDPR had teeth, and it was set to bite anyone who pushed it.

In early 2018, firms had copious amounts of data on people stored on long-forgotten servers and databases. Properly known as the General Data Protection Regulation, the rules require that companies that have data on individuals grant them the right to data portability or erasure. Companies are also required to hire a dedicated data officer, and to notify customers almost immediately if there is a breach that leads to a leak of their data. Violators could be fined €20 million ($22 million), or 4 percent annual global turnover – whichever is greater.

The regulations loomed especially large for data companies that relied on machine learning to gather data. They meant that these companies would need to be much more careful about their data collection, whereas many had previously engaged in massive, careless hoarding and sharing of data.

GDPR went into effect on May 25, 2018, so we've had more than a year to judge its impact. There's no doubt that the regulations have already had an impact on both consumers and businesses. In a nine-month summary of the effects of GDPR, the European Data Protection Board said that as of March, there were 206,326 complaints reported, with nearly 100,000 complaints relating to data privacy. GDPR supervisory agencies in 11 countries issued fines, totaling €55,955,871 (over $6.3 million).

Columbia Won't Ask Criminal, Wage History on Initial Job Applications

by Chris Trainor - FreeTimes

The City of Columbia has passed a law that it will not ask for job seekers’ criminal history on initial employment applications, and it will encourage vendors that do business with the city to also eliminate criminal history from their applications.

The new law also stipulates that the city will not ask for a prospective employee’s wage history when considering that person for a job.

Columbia City Council unanimously passed final reading on the new law at an Aug. 6 meeting.

The practice of omitting a criminal history question on an application is commonly known as “banning the box.” According to the National Employment Law Project, 35 states and more than 150 cities and counties have adopted a “ban the box” policy, essentially choosing to eliminate the question of a person’s criminal history from initial job applications. Richland County Council voted to establish such a policy in early June. 

The theory is that, if an employer sees on an application that a person has a criminal background, they could develop an opinion about that person before ever taking a closer look into their qualifications and abilities. Banning the box could help eliminate that initial barrier. The City of Columbia has been practicing “ban the box” in its own internal hiring practices for about three years, per city officials. The new measure formally makes it city law, and takes the extra step of encouraging the entities that do business with the city to follow the same practices.

Employing the Formerly Incarcerated: A Global Perspective

by Jathan Janove, J.D. - SHRM

Much attention has been focused recently on second-chance employment in the United States. But what is happening in other countries regarding employing the formerly incarcerated?

The Society for Human Resource Management (SHRM) "is committed to learn more about how countries around the globe have addressed second-chance employment," SHRM President and Chief Executive Officer Johnny C. Taylor, Jr., SHRM-SCP, said, "so we find responsible ways to bring the formerly incarcerated back to the workplace while ensuring worker and customer safety."

Internationally, second-chance employment depends on a country's background-check laws, data-privacy laws and laws banning discrimination on the basis of conviction history, according to Darren Gardner, an attorney with Seyfarth Shaw in San Francisco.