|What is this about:||As reported in our previous alert, effective January 22, 2017, the Fair Chance Initiative for Hiring (“LAFCIH”) ordinance prohibits employers from inquiring about an applicant’s criminal history until a conditional job offer has been extended and imposes significant compliance obligations. The Department of Public Works Bureau of Contract Administration (the “Department”), which bears administrative responsibilities for the LAFCIH, in addition to its rules and regulations (the “Regs”) to guide covered employers (and city contractors/subcontractors) in meeting compliance requirements published last month, has now posted an “individualized assessment and reassessment form.” It is unclear whether the Department expects employers to use this form as provided or whether modifications are permitted. Certain other items in the Regs also remain unclear, and the Department has yet to issue anticipated further guidance. (A link to the form is provided below.)|
|Notable amplifications and clarifications:||1) “Applicant” means an individual who submits an application or other documentation for employment to an employer regardless of location.
2) “Employee” means any individual who performs at least two hours of work on average each week within the geographic boundaries of the City for an employer. Average week is determined by the last four complete weeks before the position is advertised.
3) An individual who lives in the City and performs work for an employer from home, including telecommuting, is an employee.
4) An individual who works from a home that is outside of the City is not an employee even if he/she works for a Los Angeles-based company, unless the individual also works at least two hours on average per week within the geographic boundaries of the City.
5) The LAFCIH applies to employees regardless of an employer’s designation of an employee as an independent contractor, and labeling a worker as an independent contractor is not conclusive for the purpose of the LAFCIH.
|Criminal history:||According to the Regs, “a conviction shall include a plea, verdict, or finding of guilt regardless of whether sentence is imposed by the court. In the State of California, an employer is prohibited from asking about any arrest information, unless it results in a conviction, and otherwise specified.” Note: the definition above cites California Labor Code §432.7(a)(1). The first sentence is correct; however, the second sentence is not, as that statute expressly allows inquiries about pending cases,stating that “nothing [in this section] shall prevent an employer from asking . . .about an arrest for which the employee or applicant is out on bail or on his or her own recognizance pending trial.” Nevertheless, the Regs, in a section titled “Employer Assessment of Criminal History,” go on to state that “arrests cannot be considered in employment decisions.”|
|Other guidance items:||The Regs amplify other definitions and aim to explain the various employer requirements, including, but not limited to, the application and interview procedure, assessment of criminal history, the “Fair Chance” process, notice and posting, recordkeeping, enforcement and exceptions. See below for links regarding this new guidance:
Read the Regs here.
Access the notice to applicants/employees regarding the LAFCIH here.
Access the LAFCIH’s “individualized assessment and reassessment” form here.
Access the Department’s sample letter to rescind a job offer here.
The Swiss-U.S. Privacy Shield Framework (the “Framework”) made its debut on January 12, 2017 without much fanfare when Swiss federal councillor Johann Schneider-Ammann announced the Framework’s approval as a valid legal mechanism to comply with Swiss requirements for transferring personal data from Switzerland to the United States. The Framework, designed by the U.S. Department of Commerce (the “DOC”) and the Swiss government to align with the EU-U.S. Privacy Shield, will immediately replace the U.S.-Swiss Safe Harbor. The DOC will begin accepting self-certifications starting April 12, 2017 to give organizations ample time to review the new Framework’s principles and compliance requirements. For more of Scherzer International’s coverage of the EU-U.S. Privacy Shield, click here.
A perennial trendsetter with regard to data security and privacy, California has updated its state law with tweaks that expand the scope of the privacy protections for state residents.
A.B. 1710 made three changes to existing law that go into effect January 1, 2015: first, businesses that maintain “personal information” about California residents must “implement and maintain appropriate and reasonable security procedures and practices” to protect the data from “unauthorized access, destruction, use, modification, or disclosure.” Personal information is defined to include an individual’s first name or first initial and last name, Social Security number, driver’s license number, as well as medical and financial account information.
Second, if a person or business was “the source” of a data breach and offers to provide identity theft prevention and mitigation services to affected individuals, the business must offer the services at no cost for at least 12 months. Some controversy has swirled around this provision, with debate on whether the language actually requires businesses to provide one year of free identity theft protection and mitigation services or if the law simply requires that if the services are offered, they last for 12 months and are provided gratis. Additional guidance may be forthcoming.
Finally, the new legislation prohibits a business from “selling, offering for sale, or advertising for sale” Social Security numbers. Limited exceptions were noted in the bill, including “if the release [not necessarily a sale] of the Social Security number is incidental to a larger transaction and is necessary to identify the individual in order to accomplish a legitimate business purpose” or “for a purpose specifically authorized or specifically allowed by federal or state law.”
The law’s scope reaches well beyond the borders of California, as it applies to businesses that maintain any personal information about a state resident. Companies would be well advised to familiarize themselves with the new requirements.
To read AB 1710, click here.
Effective January 1, 2014, California will have two new data privacy laws: AB 370, which mandates disclosure of “do not track” and other tracking practices in online privacy policies, and SB 46, which amends the state’s data security breach notification law.
AB 370 adds to the California Online Privacy Protection Act (“CalOPPA”) a requirement for companies that collect personally identifiable information online to include disclosures regarding (1) how they respond to a web browser’s “do not track” (DNT) signal, and (2) if third-parties can collect personal information across a network of sites. The law does not require websites to honor browser DNT signals or block third-party tracking; it simply tries to increase transparency about the site’s practices.
SB 46 adds a new category of data triggering California’s breach notification requirements, to wit: “a user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.” The new law requires notification of unauthorized access to user credential information even if that information is encrypted.