Social media is a collection of web‑based platforms and mobile applications that enable users to publish content, connect with others, participate in online communities, and engage in two‑way communication. Social media supports activities such as messaging, posting updates, sharing multimedia, live broadcasting, and participating in interest‑based groups.

Businesses use social media for brand awareness, customer engagement, advertising, reputation management, and market research, while individuals use it for communication, entertainment, networking, and self‑expression.

Googling Job Applicants: Legal? Yes. Risky? Yes.

In today’s hiring landscape, it’s almost second nature for employers to type an applicant’s name into Google or check out their social media. If the information is public, it must be fair game, right?

Not exactly. While you can look, doing so without a structured process can expose your organization to significant legal and compliance risks.

Public Information Is Accessible But Comes With Hidden Liability

Employers may view publicly available online content without obtaining specific authorization. However, a simple search can unintentionally reveal protected characteristics such as age, race, religion, disability status, or pregnancy. Once discovered, this information could fuel discrimination claims if the applicant later challenges a hiring decision. The principle is simple: what’s seen can’t be unseen, and that creates risk.

Private Accounts Are Off-Limits

No employer should ever:

  • Request social media passwords
  • Ask applicants to access private accounts
  • Send “friend” requests to gain entry
  • Ask for screenshots of private content

In California, these actions are illegal under Labor Code § 980. Many other states have enacted similar protections.

FCRA Applies If Using An Outside Service

If an employer hires any third-party service to review an applicant’s online presence, the process becomes a consumer report under the Fair Credit Reporting Act (FCRA). That means employers must:

  • Provide a standalone written disclosure
  • Obtain written authorization
  • Follow pre-adverse and adverse action procedures before rejecting based on the report

Ignoring FCRA obligations is one of the most common and expensive hiring pitfalls.

Best Practices To Reduce Risk

To protect your organization and ensure a fair, compliant hiring process:

  • Create a structured, consistent process for any online screening.
  • Use a “firewall” between the person viewing online content and the final decision-maker.
  • Limit reviews to public, job-related information only.
  • Document your screening approach and maintain it across roles.
  • Apply the same process to all candidates to avoid disparate treatment.

 

Disclaimer: This communication is for general informational purposes only and does not constitute legal advice. The summary provided in this alert does not, and cannot, cover in detail what employers need to know about the amendments to the Philadelphia Fair Chance Law or how to incorporate its requirements into their hiring process. No recipient should act or refrain from acting based on any information provided here without advice from a qualified attorney licensed in the applicable jurisdiction.

New Draft Guidelines Attempt to Clarify Territorial Scope of the GDPR

Since the adoption of the General Data Protection Regulation (GDPR) by the European Union (EU) in May 2018, businesses established outside of the EU have grappled with the question of whether the GDPR’s strict rules apply to them. Many commentators have noted that the GDPR provisions and recitals do not have an easy answer. The European Data Protection Board (EDPB) recently attempted to provide some clarification by publishing draft guidelines that include a commentary on the territorial scope of the GDPR. The EDPB’s guidelines also address the related issue of whether a non-EU company subject to the GDPR must have an EU-based representative.

GDPR’s Targeting Criteria

Arguably the most significant change to the regulatory landscape affecting an individual’s data privacy is the territorial scope of the GDPR’s Article 3(2). Under what is generally described as the GDPR’s “targeting criteria,” your business must be GDPR compliant if it engages in processing activities of an EU individual’s data (the data subject) related to (1) offering goods or services to data subjects, or (2) monitoring data subjects’ behavior. Although the EDPB’s guidelines state that the targeting criteria are applied on a case-by-case basis, the guidelines provide several examples showing how the criteria can be applied, which clarify some basic points, such as:

  1. The data subject’s nationality or citizenship is irrelevant. The GDPR protects data subjects geographically located within the EU, without regard to the data subject’s nationality or citizenship. Conversely, data subjects outside of the EU, including EU citizens, are not protected by the GDPR.
  2. Geographic allocation and timing are critical. For purposes of applying the GDPR, the data subject’s geographic location is assessed at the moment when your activity occurs; e.g., when your goods or services are offered, or your monitoring of the data subject’s behavior begins.
  3. Charging for services is irrelevant. The GDPR protects data subjects regardless of whether your services are free.
  4. Cookies are considered monitoring. The GDPR protects data subjects that your business profiles or undertakes some analysis by using cookies or similar technologies.

GDPR Compliance and an EU-based Representative

A significant point clarified by the EDPB’s guidelines is that a non-EU company subject to the GDPR must appoint an EU-based representative, even though the company does not have a physical location within the EU. A company’s Data Protection Officer, who can be an existing employee of the company under the GDPR, cannot fulfill the requirements for an EU-based representative. The purpose of the requirement is to ensure that a qualified individual or entity is located within the EU to whom regulatory authorities can address compliance issues. The guidelines also make clear that the EU-based representative can even be held liable for any non-compliance, including being fined or otherwise sanctioned.

Consultation Period

The territorial scope and the appointment of an EU-based representative pose two of the most critical issues that a non-EU based company faces regarding GDPR compliance. The EDPB’s draft guidelines address several other GDPR issues in addition to these, and a full version of the guidelines can be found here. The EDPB is taking public comments on the draft guidelines until January 18, 2019. Comments should be sent to the EDPB at EDPB@edpb.europa.eu.

Class action charges LinkedIn with violations of FCRA

According to a new putative class action filed in California federal court, social networking site LinkedIn runs afoul of the Fair Credit Reporting Act (FCRA).

The plaintiffs claim that LinkedIn’s reference search functionality allows prospective employers, among others, to obtain reports on job applicants with profiles on the site. LinkedIn’s “Reference Reports” – which are created based on a user’s profile and connections to form a list of former supervisors and co-workers as possible references – are available to users who pay a monthly or annual subscription fee.

“LinkedIn has created a marketplace in consumer employment information, where it sells employment information, that may or may not be accurate, and that it has obtained in part from unwitting members, and without complying with the FCRA,” according to the complaint, which noted the site has more than 300 million members and one million jobs listed.

The Reference Reports bring LinkedIn within the purview of the FCRA, and yet the company fails to comply with a host of statutory requirements, according to the complaint.

Specifically, the complaint alleges that the site violates Section 1581(b) by furnishing consumer reports for employment purposes without obtaining the certifications required by the statute or a summary of the consumer’s rights and also does not maintain any of the procedures required by Section 1681e(a) to limit the furnishing of consumer reports to the limited purposes of the statute. In addition, Section 1681e(b) mandates that all consumer reporting agencies follow reasonable procedures to assure the maximum possible accuracy of consumer report information, Section 1681e(d) requires that a user notice be provided to individuals when a report is provided about them, and Section 1681b states that reports can only be provided after an inquiry to ensure the report is used for a “permissible purpose.” None of these statutory requirements were met by LinkedIn, the suit alleges.

“[A]ny potential employer can anonymously dig into the employment history of any LinkedIn member, and make hiring and firing decisions based upon the information they gather, without the knowledge of the member, and without any safeguards in place as to the accuracy of the information that the potential employer has obtained,” Sweet and the other plaintiffs claim. “Such secrecy in dealing in consumer information directly contradicts the express purposes of the FCRA.”

The main plaintiff alleges that she located a job opening on the site and submitted her resume through LinkedIn. She received a notification from the site that the general manager of the employer had viewed her profile and she was offered the job after an interview. The general manager declined the plaintiff’s offer to provide a list of references but later called back to rescind the offer, telling her that he had checked some of her references and changed his mind.

The plaintiffs seek to certify a nationwide class of LinkedIn users who had a Reference Report run on them as well as a subclass of users who applied for employment via the site and had a Report generated by a potential employer. As for remedies, the putative class requests actual, statutory, and punitive damages, as well as attorney’s fees and costs.

To read the complaint in Sweet v. LinkedIn Corporation, click here.

FFIEC finalizes guidance for social media risk management

 

The Federal Financial Institutions Examination Council (FFIEC) released on December 11, 2013 final guidance on the applicability of consumer protection and compliance laws, regulations, and policies to activities conducted via social media by banks, savings associations, and credit unions, as well as nonbank entities supervised by the Consumer Financial Protection Bureau. The guidance provides considerations that financial institutions may find useful in performing risk assessments and developing and evaluating policies and procedures regarding social media. 

January 17th, 2014 | Categories: Compliance Corner for Employment Decisions

New Jersey enacts law for social media password protection

Continuing a nationwide momentum of restricting employers’ access to personal social media content of applicants and employees, in August 2013, New Jersey passed Act 2878 joining eleven other states (Maryland, Illinois, California, Michigan, Utah, New Mexico, Arkansas, Colorado, Washington, Oregon, and Nevada) with similar laws. Dozens more states and the U.S. Congress are considering comparable legislation. New Jersey’s new law, which becomes effective December 1, 2013, prohibits employers from asking or requiring that applicants or employees “provide or disclose any user name or password, or in any way provide the employer access to a personal account through an electronic communications device.”

California limits social media use by employers and educational institutions

Effective January 1, 2013, California will join Maryland and Illinois in significantly restricting employers’ access to their employees’ and job applicants’ social media accounts. Signed into law by Governor Jerry Brown on September 27, 2012 and fittingly announced via Twitter, AB 1844 provides that an employer cannot require or request an employee or applicant to do any of the following:

  • disclose a username or password for the purpose of accessing personal social media;
  • access personal social media in the presence of the employer;
  • divulge any personal social media, except as provided in subdivision.

The law also prohibits an employer from discharging, disciplining, or otherwise retaliating against an employee or applicant for not complying with a request or demand by the employer that violates these provisions. However, an employer is not prohibited from terminating or taking an adverse action against an employee or applicant if otherwise permitted by law.

The law does preserve an employer’s rights and obligations to request that an employee divulge personal social media information reasonably believed to be relevant to an investigation of allegation(s) of employee misconduct or violation of applicable laws and regulations, provided that the information is used solely for purposes of that investigation or a related proceeding. An employer is also not precluded from requiring or requesting that an employee disclose a username or password for the purpose of accessing an employer-issued electronic device.

A companion law, AB 1349, which establishes similar requirements for postsecondary education institutions in regard to their students, also goes into effect on January 1, 2013.

Controversy abounds in employment decisions based on social media searches

In May 2011, the Federal Trade Commission (FTC) ruled that companies providing social media information to employers – and employers who use the reports – must follow the same Fair Credit Reporting Act (FCRA) regulations that apply to more traditional sources. The FTC also stated that postings on any social media site can be saved by on-line background screening companies for up to seven years.

According to the FTC’s letter dated May 9, 2011 to a company that sells information from social networking sites for employment purposes, such a company is considered a Consumer Reporting Agency (CRA) and thus must take reasonable steps to ensure the accuracy of the information obtained from online social networks (as well as other sources) and positively identify it with the subject. It also must comply with other FCRA provisions, such as providing a copy of the report to the subject and maintaining an established protocol if the subject disputes the reported information. As with “traditional” background investigations, employers who use a report prepared by a CRA must certify to the CRA that the report will not be used in violation of federal or state equal employment opportunity laws or regulations. Additionally, both the CRA and the employer have a legal obligation to keep and dispose of the reports securely and properly. (For more information, see the FTC blog, “The Fair Credit Reporting Act & Social Media: What Businesses Should Know.”)

Social media legal experts and various literature point to a multitude of issues and risks faced by both the CRA and the employer who uses social media checks, which include, but are not limited to:

  • Problems under FCRA section 607(b) in exercising “reasonable procedures to assure maximum possible accuracy” of the information.
    Since the information on social media sites is self-reported and can be changed at any time, it is often difficult if not impossible to ascertain that the information is accurate, authentic and belongs to the subject. Online identity theft is not uncommon, as are postings under another person’s name for the purpose of “cyber-slamming” (which refers to online defamation, slander, bullying, harassment, etc.).
  • Information may be discriminatory to job candidates or employees, or in violation of anti-retaliation laws.
    Social sites and postings may reveal protected concerted activity under the National Labor Relations Act (NLRA), and protected class information under Title VII of the Civil Rights Act and other federal laws, such as race, age, creed, nationality, ancestry, medical condition, disability, marital status, gender, sexual preference, labor union affiliations, certain social interests, or political associations. And while the information may have no impact on the employment decision, the fact that the information was accessed may support claims for discrimination, retaliation or harassment.
  • Accessing the information may be in violation of the federal Stored Communications Act (SCA).
    To the extent that an employer requests or requires an employee’s login or password information, searches of social networking sites may implicate the SCA (18 U.S.C. § 2701) and comparable state laws which prohibit access to stored electronic communications without valid authorization. A California court recently ruled that the SCA also may protect an employee’s private information on social networking sites from discovery in civil litigation.
  • Assessing the information may violate terms of use agreements and privacy rights.
    While certain social media sites have stricter privacy controls than others, most if not all limit the use of their content. The terms of use agreements typically state that the information is for “personal use only” and not for “commercial” purposes. Although the definition of “commercial” in connection with employment purposes is interpretive, most legal experts indicate that employment screening fits that scope.
  • Information may be subjective and irrelevant to the employment decision.
    Blogs, photos and similar postings often do not provide an objective depiction of the subject or predict job performance. The California Labor Code, for example, specifically provides that an employer is prevented from making employment-related decisions based on an employee’s legal off-duty conduct. Employers may use such information only if the off-duty conduct is illegal, if it presents a conflict of interest to the business or if it adversely affects the employee’s ability to do his/her job. And the evidence of such activities must be clear.

The popularity of employment-related background checks that include social media searches is growing rapidly. But the unreliable and unverifiable information from these sources is a potential landmine of legal liabilities.

More on legal troubles from employer misuse of social media information

Legal experts say that litigation resulting from employer misuse of social media information is likely to rise, at least until more case law is established. And even if the company prevails in such lawsuits, there may be reputational risks as the cases grab national spotlight.

Media sources reported that next week, for example, a National Labor Relations Board judge will rule whether American Medical Response of Connecticut illegally fired a worker after she criticized her boss on Facebook. In what labor officials and lawyers view as a ground-breaking case involving employees and social media, the NLRB stepped in to argue that workers’ criticisms of their supervisors or companies on social networking sites are generally a protected activity and that employers are violating the law by punishing workers for such statements. According to media reports, American Medical denied the board’s allegations, stating they are without merit, and that “the employee was discharged based on multiple, serious complaints about her behavior.” The company added that “the employee was also held accountable for negative personal attacks against a coworker posted publicly on Facebook…”

Media sources reported on another pending case, filed in Georgia against a school district, in which a former high school teacher is claiming that she was essentially forced to resign over Facebook photos that showed her drinking alcohol during a European vacation.

And in a case settled in 2009, two workers in New Jersey sued their employer, Hillstone Restaurant Group, after they were fired for violating the company’s core values. According to court documents, their supervisors gained access to postings on a password-protected Myspace page meant for employees but not managers. The jury found that the employer violated the federal Stored Communications Act and the equivalent New Jersey law, and awarded the employees $3,403 in back pay and $13,600 in punitive damages. Hillstone appealed before the parties reached an undisclosed settlement.

Labor relations pros caution that before taking any adverse action based on social media postings, the employer should consider whether the information could be construed as a complaint or report of inappropriate or unlawful behavior. This includes, but is not limited to, discrimination, harassment, unpaid overtime and other wage violations, or any activities that may trigger an employee’s whistleblower protection.

Lawsuit shows legal risks in using information from social media

Media sources reported that a settlement was reached January 18, 2011 in the civil rights case C. Martin Gaskell v. University of Kentucky, whereby the University agreed to pay Gaskell and his attorneys $125,000. Gaskell was a leading candidate in 2007 to be the director of a new observatory at the University of Kentucky; however, he was denied employment allegedly in part because of his apparent views on evolution. Media reports and court documents stated that during the candidate selection process, committee members conducted searches on Gaskell on the Internet, and discovered his personal Web site, which contained an article entitled “Modern Astronomy, the Bible, and Creation” among other notes. The sources also reported that “Gaskell had given lectures to campus religious groups around the country in which he said that while he has no problem reconciling the Bible with the theory of evolution, he believes the theory has major flaws. He recommended students read … critics [of evolution] in the intelligent-design movement.”

According to the Courier-Journal, the University “acknowledged that concern over Gaskell’s views on evolution played a role in the decision to choose another candidate.” But it argued that this was a valid scientific concern, particularly with regard to the prospect that “Gaskell’s views on evolution would interfere with his ability to serve effectively as director of the observatory. And there were other factors, including a poor review from a previous supervisor and UK faculty views that he was a poor listener.”
