Stay informed, stay compliant.

Welcome to our quarterly compliance update, where we bring you excerpts and summaries from the latest news in the background screening industry that can impact your hiring process, HR practices, and operations.

Table of Contents

1. Federal Updates
2. State, City, County, and Municipal Updates
3. International Update 
4. Compliant Background Screening Program
   
   

Federal Updates

FTC Approves Compulsory Process for AI-Related Products and Services  

On November 21, the FTC voted 3-0 to approve the omnibus resolution authorizing the use of compulsory process in nonpublic investigations involving products and services that use or claim to be produced using artificial intelligence (AI) or claim to detect its use.

The resolution will make it easier for FTC staff to issue civil investigative demands (CIDs), which are a form of compulsory process similar to a subpoena, in investigations relating to AI, while retaining the Commission’s authority to determine when CIDs are issued. This resolution will be in effect for 10 years.  

Putting It Into Practice: The FTC’s resolution fits into a broader push by the Biden Administration to establish new standards for AI safety and security. The FTC is likely to continue scrutinizing AI practices and make companies responsible for any harm they cause to consumers or competition, including as a result of products or services that claim to involve AI.

The resolution aims to enhance the FTC’s ability to monitor and enforce compliance with existing laws and regulations that apply to AI, such as the FCRA, the COPPA and the FTC Act’s prohibition against UDAPs.

Note the FTC approved an earlier omnibus compulsory process resolution in September 2021 related to investigations involving unfair or deceptive acts or practices relating to algorithms, including bias in algorithms in violation of Section 5 of the FTC Act.

Companies utilizing AI should verify that they have proper AI policies and procedures to evaluate their practices. CLICK HERE. 

Click Here for the Original Article 

FTC Approves NPR Updating the COPPA Rule 

On December 20, 2023, the Federal Trade Commission (FTC or Commission) finally published its long-awaited proposed Notice of Proposed Rulemaking (NPR) updating the Children’s Online Privacy Protection Act Rule (COPPA Rule).  

The process to update the COPPA Rule began in 2019 when the FTC posted a Request for Comments, which garnered more than 175,000 submissions.

Some lawmakers and advocacy groups proposed expanding the Rule’s definition of “website or online service directed to children” and changing the Rule’s actual knowledge standard to constructive knowledge. In this NPR, the FTC explicitly rejects such changes as outside its statutory authority.

The FTC likewise did not change the definition of a persistent identifier or eliminate the “support for internal” operations exception but does impose new disclosure requirements on operators relying on the exception.

Importantly, the FTC proposes to allow operators to collect mobile phone numbers to provide notices and obtain parental consent, but the FTC also proposes to restrict use of mobile phones to call children.

The proposal involves a number of important changes to the COPPA Rule that will require companies offering child-directed online services to implement significant internal operational changes.  

Click Here for the Original Article 

US Congress Members Introduce Bill Compelling AI Model Data Transparency  

U.S. Representatives Anna Eshoo (D-CA) and Don Beyer (D-VA), who serve as Co-Chair and Vice Chair, respectively, of the Congressional Artificial Intelligence (AI) Caucus, introduced the AI Foundation Model Transparency Act, ambitious legislation to promote transparency in artificial intelligence foundation models. 

Foundation models are AI models trained on broad data; they power the generative AI websites and chatbots that have drawn international focus over the past year.

Information about the data these models are trained on generally is not available to the public, and AI models often produce inaccurate, imprecise, or biased responses due to limitations or biases in the model’s training data or how the model was trained.

This often results in racial or gendered bias, which can have serious real-world impacts in areas including health-related AI inferences, loan granting, housing approval, or predictive policing. 

The AI Foundation Model Transparency Act would direct the Federal Trade Commission (FTC), in consultation with the National Institute of Standards and Technology (NIST) and the Office of Science and Technology Policy (OSTP), to set standards for what information high-impact foundation models must provide to the FTC and what information they must make available to the public.

Information identified for increased transparency would include training data used, how the model is trained, and whether user data is collected in inference. 

“AI offers incredible possibilities for our country, but it also presents peril. Transparency into how AI models are trained and what data is used to train them is critical for consumers and policy makers,” said Eshoo. “The AI Foundation Model Transparency Act directs the Federal Trade Commission and NIST to establish standards for data sharing by foundation model deployers. This critical legislation will provide necessary information and empower consumers to make well informed decisions when they interact with AI. It will also provide the FTC critical information for it to continue to protect consumers in an AI-enabled world.”

“It is our hope that the information contained in these reports will assist federal agencies in understanding long-standing challenges that the persons with arrests and convictions face when trying to obtain life-changing employment,” said Dexter Brooks, associate director of the EEOC’s Office of Federal Operations. “As the nation’s largest employer, the federal government is uniquely positioned to demonstrate how to improve opportunities for this underserved community.” 

Click Here for the Original Article 

HHS Announces Planned Cybersecurity Initiatives for Healthcare Sector 

On December 6, 2023, HHS released a “concept paper,” “Healthcare Sector Cybersecurity: Introduction to the Strategy of the U.S. Department of Health and Human Services,” outlining four new and ongoing steps HHS will take to “advance cyber resiliency in the healthcare sector,” especially with respect to high-risk targets like hospitals. 

HHS noted that healthcare providers are especially vulnerable to cybersecurity attacks and hold large amounts of sensitive health data of patients, making them “attractive targets for cyber criminals.”

According to the HHS Office for Civil Rights (OCR), reported large data breaches increased 93 percent from 2018 to 2022, including a 278 percent increase in reported large breaches involving ransomware. 

• • HHS released a concept paper outlining four key steps the department will take to improve cybersecurity across the healthcare sector and provide resources and financial support to implement best practices. 
  • The paper states HHS’s goals to work with Congress to increase its funding to provide financial support to hospitals to implement cybersecurity practices, expand its enforcement authority, and increase civil monetary penalties for HIPAA violations. 
  • The performance guidelines include “essential goals” to define “minimum foundational practices for cybersecurity” and “enhanced goals” that serve as the best practices for data security. 

Click Here for the Original Article 

DEI Under Scrutiny, Part IV: Could the ‘Background Circumstances’ Rule for Discrimination Be Primed for Supreme Court Review? 

On December 4, 2023, the Sixth Circuit in Ames v. Ohio Department of Youth Services rejected a heterosexual woman’s claims under Title VII of the Civil Rights Act of 1964 that she was discriminated against based on her sexual orientation after she was allegedly denied a promotion and demoted in favor of LGBTQ+ candidates. 

The panel decision affirmed the trial court’s holding that the woman’s Title VII employment discrimination claims failed because she lacked evidence of “background circumstances” to support sex-based discrimination and that she lacked evidence of a pretext for sex discrimination. 

The case highlights the issue of whether plaintiffs from majority groups must meet a higher evidentiary standard to support a discrimination claim under Title VII than plaintiffs from minority groups or other groups historically understood to have faced discrimination. 

While the Sixth Circuit applied a heightened “background circumstances” rule relying upon precedent, one of the judges sharply criticized the rule’s continued use, calling it “not a gloss upon the 1964 Act, but a deep scratch across its surface.” 

Click Here for the Original Article 

State, City, County, and Municipal Updates

2023 Round-Up on State Consumer Data Privacy Laws 

Looking back sometimes means looking forward. That is absolutely the case for new comprehensive data privacy statutes enacted in a number of U.S. states during 2023, including Indiana, Tennessee, Montana, Florida, Texas and Oregon.

While these states have now codified a range of consumer rights with respect to their personal data, as well as new obligations imposed on covered businesses collecting and processing that data, the new laws do not take effect until the middle of 2024 or beyond.

All the same, companies who may be subject to these laws in the future should start preparing now to comply with what are becoming increasingly standardized requirements across many U.S. states.  

Click Here for the Original Article 

New Pennsylvania Legislation and Philadelphia Ordinance Amendment Tackle Pardoned Convictions, Expunged Records, and Negligent Hiring Liability 

Enacted on December 14, 2023, and effective February 12, 2024, Pennsylvania’s House Bill No. 689 amends Pennsylvania law relating to the expungement of certain criminal history information and employer immunity when hiring individuals with expunged records. 

First, the legislation immunizes employers from liability for any claim related to the effects of expunged records or the lawful use of criminal history information when job applicants voluntarily discloses an expunged conviction.

This helps clarify a potential ambiguity under existing state law regarding whether an employer still might face negligent hiring liability for hiring job applicants with expunged criminal records where the individual goes on to commit some misconduct, such as injuring a third party.

Previously, a negligent hiring lawsuit might contend that if the employer learned about an expunged criminal record by means other than a formal background check or official court records, the employer should have used the record to disqualify the person, and by not doing so, was negligent.

Such a stance would seemingly be contrary to the purpose behind expunging criminal records, and the new legislation seems intended to prevent such an incongruous argument from surviving dismissal. 

Second, the law extends the availability of automatic expungements to pardons. The law requires that the Pennsylvania Board of Pardons, which administers pardons, to notify the Administrative Office of Pennsylvania Courts (AOPC) on a quarterly basis of any pardons, and then requires the AOPC to notify the relevant Court of Common Pleas to order the record expunged. Under the law as amended, criminal history record information that has been expunged or granted limited access cannot be used by private entities for employment, housing, or school matriculation purposes, unless required by federal law.

If the law works as intended, employers should simply not see the pardoned cases because they are supposed to be unavailable to the public. However, given the number of required steps in the process and different entities involved, it is not inconceivable that a candidate may believe an offense has been expunged, when it fact it remains available in the public record.

Moreover, several pieces of this process remain unclear, such as how quickly the AOPC will act upon receipt of information from the Board of Pardons, whether individuals will be notified that their pardoned convictions were expunged, and whether the court docket will be changed to reflect a pardon status while expungement is in process. 

Third, the law expands eligibility for Pennsylvania’s pre-existing limited access status for criminal histories. Now, certain individuals who are free from conviction for seven years and otherwise meet requirements can petition for limited access; previously, the minimum threshold was 10 years. The law also clarifies categories of offenses that are and are not eligible for limited access petitions. 

Notably, this statewide legislation does not amend the existing requirements on an employer’s general use of criminal history.

Under existing law, Pennsylvania employers generally are required to use only job-related misdemeanor and felony convictions in making hiring decisions. 

Click Here for the Original Article 

New Cybersecurity, Privacy, and Automated Decision-Making Rules Coming Soon to California 

Substantial changes to the California Consumer Privacy Act (CCPA) are coming soon through five sets of proposed regulations governing (1) cybersecurity audits, (2) privacy risk assessments, (3) artificial intelligence/automated decision-making technology (ADMT), (4) revisions to existing regulations and (5) new rules for insurance companies.

On December 8, 2023, the California Privacy Protection Agency (CPPA) voted to advance the proposed cybersecurity audit regulations to formal rulemaking but sent the other regulations back to agency staff to refine.

The proposed regulations are expansive and likely to be finalized in 2024, so businesses should start planning now for upcoming changes. 

Click Here for the Original Article 

New York City Employers Must Make Room for Another Notice Distribution and Posting Requirement 

New York State and City law already impose a myriad of posting and notice distribution requirements on New York City employers. Beginning July 1, 2024, New York City employers must distribute to employees and “conspicuously post” a notice provided by city agencies that lists employee rights under federal, state, and local laws. The notice will identify which laws apply to workers regardless of immigration status and include information about union organizing right. 

New employees must be provided this notice on or before the employee’s first day of work. Businesses that operate online and cannot physically post the notice must comply by posting the notice online where its employees can see. Notices must be provided in English, as well as any language spoken as a primary language by at least five percent of an employer’s employees. 

This notice and distribution requirement is part of the City’s “Workers’ Bill of Rights,” Int. 569-B, which was passed by the New York City Council on Nov. 2, 2023. On Dec. 4, 2023, Mayor Eric Adams returned the bill. As a result, it became law. 

Click Here for the Original Article 

Utah Consumer Privacy Act: Effective as of December 31, 2023! 

Happy 2024 folks! As we turn the page on 2023, we mustn’t overlook the dynamic changes in state privacy laws as we step into the New Year. 

In March 2022, Utah became one of the early states to enact a consumer data privacy law. While the Utah Consumer Privacy Act (UCPA) is perceived as being more favorable to businesses compared to its predecessors — the CCPA/CPRA, VCDPA, and the CPA — businesses operating in Utah must keep in mind key regulations required by UCPA. 

Click Here for the Original Article 

Ohio Passes Recreational Marijuana Law: What Employers Should Know 

Joining 23 other states, Ohio has passed a recreational marijuana law. On November 7, 2023, Ohioans voted to pass an initiative legalizing and regulating the cultivation, sale, purchase, possession, use, and home growth of recreational marijuana.

The new law does not require an employer to “accommodate an employee’s use, possession, or distribution of adult use cannabis.” 

The ballot language allows the sale, purchase, and possession of marijuana by Ohio residents aged 21 and older. In December, adults can legally possess up to 2.5 ounces of marijuana, possess up to 15 grams of cannabis extract, and grow up to six marijuana plants in their primary residence, or up to 12 plants per residence with two or more adult residents. 

Ohioans purchasing recreational marijuana are subject to a 10 percent excise tax, along with state and local sales taxes. According to the ballot text, some of the revenue collected from these taxes will support social equity and jobs programs. 

Ohio’s medical marijuana program remains in effect and unchanged by the new law. 

The law will become effective 30 days after the vote, on December 7, 2023. Further, the new law authorizes Ohio’s Department of Commerce to create rules on how the program will work. 

Click Here for the Original Article 

International Update

CJEU Rules on Processing of Sensitive Data and Compensation Under the GDPR 

On December 21, 2023, the Court of Justice of the European Union (“CJEU”) issued its judgment in the case of Krankenversicherung Nordrhein (C-667/21) in which it clarified, among other things, the rules for processing special categories of personal data (hereafter “sensitive personal data”) under Article 9 of the EU General Data Protection Regulation (“GDPR”) and the nature of the compensation owed for damages under Article 82 of the GDPR. 

The case related to the processing of an incapacitated employee’s personal data, including health data, by the medical service provider (“MDK”) of a health insurance fund in Germany. Under applicable law, the MDK draws up reports on the capacity of individuals insured by the health insurance fund to work. These may include reports concerning the health of MDK’s own employees.

After becoming aware of the fact that a report concerning himself had been prepared, an employee of MDK sought compensation under Article 82 of the GDPR. “Supporting this decision, the US Attorney General, on September 18, designated the UK as a ‘qualifying state’ under Executive Order 14086.

This will allow all UK individuals whose personal data has been transferred to the US under any transfer mechanisms (i.e. including those set out under UK GDPR [General Data Protection Regulation] Articles 46 and 49) access to the newly established redress mechanism in the event that they believe that their personal data has been accessed unlawfully by US authorities for national security purposes.” 

Click Here for the Original Article 

Stay Compliant with Your Background Screening Program

The evolving landscape of compliance continues to bring forth new challenges and obligations for businesses globally. Cisive's experts are here to keep you aware of the ever-changing legal landscape and how it impacts your employment background checks. Should you need further insights on how these updates may impact your background check process, don't hesitate to reach out. Contact a Cisive expert today for personalized guidance and solutions.

As always, please consult your legal team when determining how these updates may impact your background screening program and policies.