In the ever-evolving landscape of HR and talent management, staying on top of the latest federal and state regulations is imperative. Recent updates from federal bodies like the CFPB and FTC, along with significant state and municipal legislation, have brought to the forefront the critical importance of accurate background checks, data privacy, and fair employment practices.

Keep scrolling for compliance articles we're highlighting in Spring 2024.

Table of Contents

1. Federal Updates
2. State, City, County, and Municipal Updates
3. International Update

FEDERAL UPDATES 

CFPB Addresses Inaccurate Background Check Reports and Sloppy Credit File Sharing Practices 

The Consumer Financial Protection Bureau (CFPB) issued guidance to consumer reporting companies to address inaccurate background check reports, as well as sloppy credit file sharing practices. The two advisory opinions seek to ensure that the consumer reporting system produces accurate and reliable information and does not keep people from accessing their personal data. First, an advisory opinion on background check reports highlights that those reports must be complete, accurate, and free of information that is duplicative, outdated, expunged, sealed, or otherwise legally restricted from public access. Second, an advisory opinion on file disclosure highlights that people are entitled to receive all information contained in their consumer file at the time they request it, along with the source or sources of the information contained within, including both the original and any intermediary or vendor source. 

“Background check and other consumer reporting companies do not get to create flawed reputational dossiers that are then hidden from consumer view,” said CFPB Director Rohit Chopra. “Background check reports, and all other consumer reports, must be accurate, up to date, and available to the people that the reports are about.” 

Click Here for the Original Article 

FTC Finalizes Order with Global Tel*Link Over Security Failures that Led to Breach of Sensitive Data 

The Federal Trade Commission has finalized an order with prison communications provider Global Tel*Link Corp. and two of its subsidiaries settling charges they failed to secure sensitive data of hundreds of thousands of users and failed to alert all those affected by the incident. 

In a complaint first announced in November 2023, the FTC says that Virginia-based Global Tel*Link and two of its subsidiaries failed to implement adequate security safeguards to protect sensitive personal information they collect from users of its services, which enabled bad actors to gain access to unencrypted personal information stored in the cloud and used for testing. Global Tel*Link waited approximately nine months to notify affected customers and only contacted 45,000 users—even though the breach may have affected hundreds of thousands of additional customers—that their personal data may have been compromised as a result of the data breach.  

Click Here for the Original Article 

FTC Proposes New Protections to Combat AI Impersonation of Individuals 

The Federal Trade Commission is seeking public comment on a supplemental notice of proposed rulemaking that would prohibit the impersonation of individuals. The proposed rule changes would extend protections of the new rule on government and business impersonation that is being finalized by the Commission today. 

The agency is taking this action in light of surging complaints around impersonation fraud, as well as public outcry about the harms caused to consumers and to impersonated individuals. Emerging technology – including AI-generated deep-fakes – threatens to turbocharge this scourge, and the FTC is committed to using all of its tools to detect, deter, and halt impersonation fraud. 

The Commission is also seeking comment on whether the revised rule should declare it unlawful for a firm, such as an AI platform that creates images, video, or text, to provide goods or services that they know or have reason to know is being used to harm consumers through impersonation. 

“Fraudsters are using AI tools to impersonate individuals with eerie precision and at a much wider scale. With voice cloning and other AI-driven scams on the rise, protecting Americans from impersonator fraud is more critical than ever,” said FTC Chair Lina M. Khan. “Our proposed expansions to the final impersonation rule would do just that, strengthening the FTC’s toolkit to address AI-enabled scams impersonating individuals.” 

Click Here for the Original Article 

As Nationwide Fraud Losses Top $10 Billion in 2023, FTC Steps Up Efforts to Protect the Public 

Newly released Federal Trade Commission data show that consumers reported losing more than $10 billion to fraud in 2023, marking the first time that fraud losses have reached that benchmark. This marks a 14% increase over reported losses in 2022. 

Consumers reported losing more money to investment scams—more than $4.6 billion—than any other category in 2023. That amount represents a 21% increase over 2022. The second highest reported loss amount came from imposter scams, with losses of nearly $2.7 billion reported. In 2023, consumers reported losing more money to bank transfers and cryptocurrency than all other methods combined. 

"Digital tools are making it easier than ever to target hard-working Americans, and we see the effects of that in the data we're releasing today,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The FTC is working hard to take action against those scams." 

The FTC received fraud reports from 2.6 million consumers last year, nearly the same amount as 2022. The most commonly reported scam category was imposter scams, which saw significant increases in reports of both business and government impersonators. 

Click Here for the Original Article 

President’s Executive Order Seeks to Protect Certain “Bulk Sensitive Personal Data” from “Countries of Concern” 

On February 28, 2024, President Biden issued an Executive Order (EO) seeking to protect the sensitive personal data of Americans from potential exploitation by particular countries. The EO acknowledges that access to Americans’ “bulk sensitive personal data” and United States Government-related data by countries of concern can, among other things: 

…fuel the creation and refinement of AI and other advanced technologies, thereby improving their ability to exploit the underlying data and exacerbating the national security and foreign policy threats.  In addition, access to some categories of sensitive personal data linked to populations and locations associated with the Federal Government — including the military — regardless of volume, can be used to reveal insights about those populations and locations that threaten national security.  The growing exploitation of Americans’ sensitive personal data threatens the development of an international technology ecosystem that protects our security, privacy, and human rights. 

The EO also acknowledges that due to advances in technology, combined with access by countries of concern to large data sets, data that is anonymized, pseudonymized, or de-identified is increasingly able to be re-identified or de-anonymized. This prospect is significantly concerning for health information warranting additional steps to protect health data and human genomic data from threats. 

Click Here for the Original Article 

STATE, CITY, COUNTY AND MUNICIPAL UPDATES 

Columbus, Ohio Bans Employers from Inquiring About Salary History  

Columbus will soon join Cincinnati and Toledo as the only Ohio localities to implement a “salary history ban.” As the name suggests, a salary history ban generally prohibits employers from inquiring about a job applicant’s wage rates or salary history while working for a prior employer. Columbus’ salary history ban will go into effect March 1, 2024. 

The salary history ban applies to all employers with fifteen or more employees within the City of Columbus. The salary history ban protects all individuals applying for employment that will be performed within the City of Columbus, and whose application will be solicited, received, processed, or considered in the City of Columbus, regardless of whether the individual is ultimately interviewed by the employer. 

Prohibited Conduct 

Under the ordinance, employers are specifically prohibited from doing the following: 

1. Inquiring about the salary history of an applicant for employment.
2. “Inquiring” includes asking questions or making a statement to an applicant, an applicant’s current or prior employer(s), or a current or former employee or agent of the applicant’s current or prior employer(s) for the purpose of obtaining the applicant’s salary history information. An employer is also prohibited from searching public records to obtain an applicant’s salary history information.
3. Screening job applicants based on their current or prior wages, benefits, other compensation, or salary histories, including requiring that these categories satisfy minimum or maximum criteria.
4. Relying solely on the salary history of an applicant in deciding whether to offer employment, or in determining the salary, benefits, or other compensation for such applicant during the hiring process, including the negotiation of an employment contract.
5. Refusing to hire or otherwise disfavoring, injuring, or retaliating against an applicant for not disclosing their salary history.

The ordinance does, however, clarify that employers are permitted to engage in discussion with the applicant about the applicant’s expectations with respect to salary, benefits, and other compensation and to inform applicants of the proposed or anticipated salary associated with the position for which they have applied. 

Click Here for the Original Article 

First Lawsuit under CA’s Fair Chance Act Filed against Ralph’s Grocery Store: A Message for CA Employers to Comply  

In December 2023, the California Civil Rights Department (“CRD”) filed the first-of-its-kind lawsuit under the California Fair Chance Act (“Act”) against Ralphs Grocery Store (“Ralphs”) in the Los Angeles County Superior Court.   

The Act (sometimes referred to as the “Ban the Box” law) went into effect in 2018 and aims to combat discrimination and ultimately enhance public safety by reducing undue barriers to employment for people who have been previously involved in the criminal legal system. In passing the Act, the Legislature recognized that “employment is essential to helping formerly incarcerated people support themselves and their families” and reduces the likelihood of an individual reoffending. In general, the Act prohibits employers with five or more employees from asking about a job applicant’s conviction history before making a conditional job offer of employment; requires specific procedures for considering an applicant’s criminal history after a conditional job offer is made; and limits the types of convictions an employer can consider to  disqualify an individual – namely only those convictions that have a direct adverse relationship to the job responsibilities of the position applied for.   

The CRD alleges that Ralphs has ignored and continues to ignore the Act’s requirements, including by screening out otherwise qualified applicants on the basis of criminal histories that do not have any adverse relationship with the duties of the job for which they were applying. The CRD claims that Ralphs repeatedly violated the Act’s procedural and substantive requirements and has done so since the law’s enactment. The CRD says that it obtained information during its investigation that indicates that multiple candidates lost their job offers based on convictions for a single misdemeanor count of excessive noise, and others were disqualified based on convictions from other states for simple cannabis possession. According to the CRD, these types of convictions, and hundreds more, have no adverse relationship    with the duties of working at a grocery store and were not legitimate grounds for withdrawing a conditional offer of employment. As part of the lawsuit, CRD is seeking monetary damages for the individuals who were denied jobs or lost jobs as a result of Ralphs’ screening practices, and a court order to require Ralphs to come into compliance with the Act. 

Click Here for the Original Article 

Employers, Beware: California Regulators Are Actively Enforcing the California Consumer Privacy Act 

California Attorney General Rob Bonta has been actively enforcing the California Consumer Privacy Act (CCPA) since July 2023, when he announced an “investigative sweep” through inquiry letters sent to large California employers only about six months after the amended law took effect and became applicable to employers. 

Quick Hits 

• • The California Office of the Attorney General has been actively enforcing the CCPA since July 2023, and the California Privacy Protection Agency has indicated that it will take a very active role in CCPA enforcement. 
  • Covered businesses may be subjected to civil penalties or administrative fines of $2,500 for each violation of the CCPA and $7,500 for each intentional violation, with penalties up to $7,500 for privacy violations involving minors (whether intentional or not). 
  • Enforcement actions or administrative fines are not limited to instances in which there is a data breach—the subject of the action or fine can be the failure to comply with any of the provisions of the CCPA. 

The CCPA, which was signed into law in June 2018, provides a host of disclosure obligations and consumer rights for California residents to control their personal information. In November 2020, California voters approved Proposition 24, the California Privacy Rights Act (CPRA), which, among other things, amended the CCPA to apply to the employer/employee relationship and to business-to-business transitions. The provisions making the CCPA applicable to all individuals (including employees) became effective on January 1, 2023. The CPRA also stepped up enforcement of the CCPA through the creation of the California Privacy Protection Agency, the state agency tasked with most CCPA rulemaking and separate enforcement mechanisms through administrative actions and fines. Although the examples of letters below have been issued by the attorney general, the agency has also signaled that it will be heavily involved in CCPA enforcement. 

Click Here for the Original Article 

Cannabis Legalization Efforts: How Far Did They Reach in 2023? How High Can They Go in an Election Year? 

As we enter another election year, cannabis legalization is sure to be a hot button issue at both the state and federal levels. A Gallup poll from November 2023 showed that public support for legalizing marijuana reached a record high of 70 percent, including majority support across party lines. Let’s look back and see how 2023’s progress positioned cannabis legalization as we enter the 2024 election cycle.  

2023 State Developments 

Last year saw continued growth in the legalization of cannabis at the state level. Kentucky’s General Assembly legalized medical cannabis for Kentuckians beginning on January 1, 2025. In doing so, Kentucky became the 40th state to legalize medical cannabis. In April 2023, Delaware’s Governor allowed companion bills to become law without his signature. House Bill 1 allowed for adult-use cannabis legalization effective April 23, 2023. In May 2023, Minnesota’s Governor signed an extensive cannabis bill legalizing adult-use cannabis in the state. The bill allowed for adult possession beginning on August 1, 2023. In November, Ohio voters passed (57%-43%) a citizen-initiated statute legalizing adult-use cannabis. Ohio became the 24th state to legalize cannabis for adult use. With legalization in Ohio, more than half of Americans now live in a state with legal cannabis. 

More than half of Americans now live in a state with legal cannabis. 

As voters go to the ballot boxes in 2024, campaigns currently exist in four states (Florida, Idaho, Nebraska, and South Dakota) to put adult-use or medicinal cannabis legalization in the hands of voters. Stalled legislative efforts (including adult-use legislation in Hawaii, New Hampshire, and Pennsylvania and medical cannabis legislation in Wisconsin, North Carolina, and South Carolina) are likely to be, or already have been, revived in 2024. 

Click Here for the Original Article 

Medical Marijuana Usage Is Not Protected Under the ADA, Vermont Federal Court Rules 

On February 14, 2024, a judge of the U.S. District Court for the District of Vermont dismissed a plaintiff’s Americans with Disabilities Act (ADA) discrimination and failure-to-accommodate case, holding that his medical marijuana usage was not protected under the ADA (Skoric v. Marble Valley Regional Transit District). 

Quick Hits 

• • A federal district judge in Vermont ruled that the ADA does not protect medical marijuana usage. 
  • Under the federal Controlled Substances Act, marijuana has “no currently accepted medical use” and therefore does not fall under the supervised use exception of the ADA. 

Marble Valley Regional Transit District terminated Ivo Skoric’s employment after he failed a random drug test. According to his lawsuit, Skoric has a medical marijuana prescription to treat chronic pain and depression. Following his dismissal, Skoric sought unemployment benefits from the Vermont Department of Labor, which were denied. 

Skoric filed his lawsuit pro se, alleging claims under the ADA for discrimination and failure to accommodate against Marble Valley, as well as seeking the denied unemployment benefits from the Vermont DOL. The unemployment claim was dismissed by the court for lack of subject matter jurisdiction. 

Click Here for the Original Article 

Reminder — New York Social Media Privacy Protections Went into Effect March 12, 2024 

New York joined California, Colorado, Illinois, and a number of other states that protect employees’ and job applicants’ social media privacy. These protections are part of a bill that was signed into law by New York Governor Kathy Hochul on September 14, 2023. 

Starting March 12, 2024, employers in New York are prohibited from requesting or requiring employees and job applicants to disclose their usernames, passwords, or login information to personal social media and other “personal accounts” as defined by the Act. The new legislation also prohibits employers from requiring employees and job applicants to access their social media accounts in the employers’ presence. The Act also defines “personal account” broadly to include “an account or profile on an electronic medium where users may create, share, and view user-generated content” that “is used by an employee or an applicant exclusively for personal purposes.” 

Employers may not retaliate against employees by firing, disciplining, or otherwise penalizing employees for refusing to disclose their personal social media account information or accessing their accounts in front of their employer. Likewise, employers may not refuse to hire job applicants who refuse to disclose this information. 

As our previous article reported, there are a number of exceptions to this prohibition, and employers will still be permitted to: 

• • Screen job applicants using information from publicly available social media accounts found without asking applicants to disclose their usernames. 
  • Access electronic devices it provides to an employee, as long as the employer provides prior notice of this access right, and the employee agrees to such conditions. Employers may not access an employee’s personal social media accounts on any employer-provided electronic device, however. 
  • Restrict employees’ access to certain websites while using the employer’s network or an employer-provided electronic device. 
  • Require employees to disclose login information for the employer’s business social media accounts and its internal IT systems. 
  • Accept voluntary friend or other contact requests from employees and job applicants. 
  • Comply with court orders to obtain or provide information from or access to an employee’s personal social media accounts. 

If an employer operates in the State of New York, then it is likely subject to the new prohibitions. 

Click Here for the Original Article 

INTERNATIONAL UPDATES 

Review of international data flows: EU reports on adequacy decisions 

The European Commission recently conducted a comprehensive review of the adequacy decisions granted to 11 countries or territories prior to the implementation of the General Data Protection Regulation (GDPR). This post provides an analysis and commentary on the findings of the review. 

The digitization of society and globalization have led to an exponential increase in international data flows. To ensure the protection of individuals' rights in personal data, the EU's GDPR requires that transfers to third countries guarantee an equivalent level of protection. Adequacy decisions, granted by the European Commission, enable the free flow of personal data from the EU to countries that meet the required level of protection. 

• • Scope of the review: The review focused on developments in both the EU data protection regime and the data protection frameworks of the relevant countries and territories since the adoption of the adequacy decisions. The Commission assessed legislative and regulatory reforms, enforcement practices, case law, and changes in the data protection landscape of each country. 
  • Findings: The review found that each of the 11 countries or territories remained compliant and provided an adequate level of protection in line with the EU's evolving data protection framework. In most cases, there was further convergence with the EU's framework regarding government access to personal data and related oversight and redress mechanisms. Several countries, such as Israel and Uruguay, adopted new privacy rules, while others clarified existing privacy rules based on enforcement practice or case law. 
  • Future monitoring: While the review had positive outcomes, the Commission emphasized that adequacy decisions are not an endpoint, but a mechanism for ongoing dialogue and cooperation on data flows and digital matters. The Commission will continue to monitor developments in the protection frameworks and actual practice of the in-scope jurisdictions. 

Click Here for the Original Article 

Stay Compliant with Your Background Screening Program

Staying informed about legislative updates is crucial for talent management in regulated industries. These changes impact background checks, data protection, hiring fairness, and adaptation to evolving cannabis laws. To ensure your organization stays ahead of these challenges, speak with a Cisive expert. Our team is equipped to provide you with the insights and solutions needed to navigate these changes effectively, ensuring your talent management practices are both compliant and competitive.

As always, please consult your legal team when determining how these updates may impact your background screening program and policies.