This quarter’s compliance article roundup highlights the growing intersection of technology, regulation, and workforce risk.
From new federal rules impacting commercial driver eligibility and evolving interpretations of employment law, to increased scrutiny of AI-driven hiring tools and data security obligations, organizations face heightened expectations across the compliance landscape.
At the same time, state and international regulators continue to introduce new privacy, background screening, and employment requirements, reinforcing the need for a proactive and informed compliance strategy.
Key Takeaways

The Federal Motor Carrier Safety Administration (FMCSA) issued a new Final Rule that fundamentally changes the eligibility criteria for non-domiciled individuals seeking Commercial Learner’s Permits (CLPs) and Commercial Driver’s Licenses (CDLs) in the United States.
The Final Rule, released on Feb. 13, 2026, largely implements key features of the Interim Final Rule (IFR) issued in September 2025. That IFR was and continues to be subject to legal challenges and faced stiff pushback during the IFR public comment period. Enforcement of the IFR has been stayed in litigation pending in the U.S. Court of Appeals for the D.C. Circuit, and the Final Rule replaces the IFR. Neither the litigation nor comments from stakeholders significantly changed the Final Rule, however. On Feb. 12, 2026, the same group of plaintiffs challenging the IFR filed a new lawsuit in the D.C. Circuit challenging the Final Rule.
The effective date of the Final Rule is March 16, 2026, unless the D.C. Circuit enjoins enforcement of the Final Rule. Companies that employ drivers who hold non-domiciled CDLs should watch for developments in the new court action.
1. Eligibility strictly limited to certain employment-based visa holders
Only individuals holding H-2A (temporary agricultural workers), H-2B (temporary non-agricultural workers), or E-2 (treaty investors) nonimmigrant status are eligible for issuance, renewal, transfer, or upgrade of non-domiciled CLPs or CDLs. FMCSA presents the vetting processes involved in obtaining these statuses as comparable to domestic CDL background checks. Drivers with a current, valid license and valid work authorization can continue to operate a commercial motor vehicle until the expiration of their current license.
2. Elimination of EADs as proof of eligibility
Employment authorization documents (EADs) alone are no longer accepted as sufficient proof of eligibility for a non-domiciled CDL. This change affects CDL eligibility only and does not alter underlying federal employment authorization.
3. Mandatory SAVE system verification
State Driver’s Licensing Agencies (SDLAs) must verify every applicant’s lawful immigration status using the Systematic Alien Verification for Entitlements (SAVE) system before issuing, renewing, or upgrading a non-domiciled CLP or CDL.
4. Document requirements, validity period
Applicants must present an unexpired foreign passport and a specific Form I-94/94A with an unexpired “Admit Until Date” indicating H-2A, H-2B, or E-2 status. The validity of the non-domiciled CLP or CDL cannot extend beyond the expiration of the applicant’s authorized stay on Form I-94. Issuance, transfers, renewals, or upgrades must be done in person, and all supporting documents must be retained by the SDLA for at least two years.
5. Mandatory downgrade, revocation
If an SDLA receives information from FMCSA, the Department of Homeland Security, the Department of State, or another federal agency with jurisdiction that an individual’s immigration status has changed or eligibility lapsed, the SDLA must downgrade or revoke the non-domiciled CLP or CDL within 30 days.
Click Here for the Original Article
On January 20, 2026, in Ellingburg v. United States, 607 U.S. ____ (2026), the Supreme Court considered whether the Ex Post Facto Clause applies to the Mandatory Victim Restitution Act (MVRA), the statutory basis for most orders of restitution in federal criminal cases. That determination turned on whether restitution was a criminal penalty. If restitution was a criminal penalty, the Ex Post Facto Clause applied; if restitution was solely a civil remedy, the Ex Post Facto Clause was not implicated.
The Court held that restitution was “plainly criminal punishment” rather than solely a form of civil compensation for victims. As such, the Ex Post Facto Clause applied. While the Court’s holding was tailored to the narrow question presented in the case, its broader reasoning may set the stage for new sentencing arguments over whether a judge can impose restitution without specific findings by a jury.
Holsey Ellingburg was convicted of bank robbery in 1996. Under the law in place when Ellingburg was convicted, the period to collect restitution had elapsed by the time he was released from prison. But after Ellingburg’s conviction, Congress adopted the MVRA, which, among other things, extended the permitted collection period. The government later sought to collect the restitution from Ellingburg under the MVRA. He objected on ex post facto grounds because he committed his crime before enactment of the MVRA.
The district court and Eighth Circuit rejected his claim, concluding that restitution under the MVRA was not a criminal punishment and therefore not subject to the Ex Post Facto Clause.
On appeal, the Supreme Court reversed. In a short, unanimous opinion, the Court concluded that Congress intended for restitution to be a criminal penalty and thus the Ex Post Facto Clause applies. It based that finding on several factors, including that the MVRA explicitly refers to restitution as a “penalty,” restitution is imposed with other forms of criminal punishment such as imprisonment and fines, and the statute is codified in Title 18, which is titled “Crimes and Criminal Procedure.” Applying these findings to the facts, the Court found that Ellingburg could not be ordered to pay restitution after being released from prison because he was convicted before the MVRA was enacted.
Click Here for the Original Article
A company selling artificial intelligence (AI)-powered applicant assessment tools has been hit with a lawsuit that may be the first of its kind to claim that such tools violate the federal Fair Credit Reporting Act (FCRA) and its California equivalent, the Investigative Consumer Reporting Agencies Act (ICRAA). This case could be the tip of the iceberg for lawsuits based on AI-powered tools that employers are increasingly using to make hiring and other employment decisions.
On January 20, 2026, a pair of job applicants filed a proposed class action lawsuit against Eightfold AI Inc. in a California state court. The complaint alleges that the company unlawfully compiles sensitive personal information on job applicants—including social media profiles (e.g., LinkedIn), location data, internet and device tracking data, and data from online cookies—to build profiles about applicants and assess their “likelihood of success” for the job without their knowledge.
The lawsuit seeks to bring nationwide and California class claims under the FCRA, a federal law that regulates how employers collect and use third-party background check information and ensures accuracy, fairness, and privacy in hiring, as well as the similar California ICRAA.
Eightfold is one of a growing list of companies developing software and tools powered by AI and similar automated decision-making technology to aid in employment decisions, such as job applicant screening tools, which employers are increasingly using to improve efficiency. A recent LinkedIn study found that 93 percent of recruiters say they plan to increase their use of AI in 2026, and 59 percent say it is already helping them discover candidates with skills they would not have found before. Two-thirds of recruiters (66 percent) plan to increase their use of AI for pre-screening interviews in 2026, according to the survey.
According to the complaint, Eightfold generates reports on applicants using “AI-powered tools that assemble and evaluate information on prospective employees” and assess their “suitability” for a job based on factors such as “work history, projected future career trajectory, culture fit, and other personal characteristics.” The company then allegedly “sells these reports to employers for use in making employment decisions.”
To generate these reports, the complaint alleges, information is fed into the company’s Large Language Model (LLM), which incorporates over 1.5 billion data points from job titles, skills, and “the profiles of more than 1 billion people working in every job, profession, [and] industry.”
The complaint asserts that “Eightfold’s Evaluation Tools then evaluate and rank job applicants using the data gathered from job applicants during the application process, the employer’s internal data, external data, and Eightfold’s proprietary LLM.”
Specifically, the complaint alleges that the evaluation includes not only the candidate’s profile and resume, but “supplemental candidate data gathered from public sources about the candidate’s professional history (such as blogs, publications, conferences, job application history, etc.),” data from other comparable employees, predictions about the candidate, and “data used to train Eightfold’s AI.”
Further, the complaint alleges that once an applicant applies for a job with an employer using the Eightfold tool, Eightfold retains that applicant’s data and uses it to evaluate other applicants for the same job, unrelated positions, or “for that same job applicant for other positions in the future.”
Click Here for the Original Article

Records of criminal convictions can last a lifetime and thus can bring a lifetime of difficulty for employees with a criminal conviction history in finding employment, leaving them significantly disadvantaged before they even make it into the interview room. Lack of employment or difficulty assimilating after spending time in the criminal justice system can further increase the chances of re-offending, exacerbating the problem. These issues prompted a wave of state and local “ban-the-box” legislation – laws that delay employers from inquiring into or considering a job applicant’s criminal history until later in the hiring process.
The nearly 40 states and more than 150 cities and counties that have enacted ban-the-box laws, orders or ordinances have taken different approaches to the language of the legislation and how it functions. But the bottom line generally is the same: prohibiting any “box” on a job application that an applicant must check to indicate whether they have a criminal history and deferring any inquiry into an applicant’s criminal history until at least an interview has been held, or a conditional offer of employment has been extended. When criminal history can be considered, these laws also direct employers to evaluate the duration of time since the offense, the applicant’s rehabilitative history and the relation if any between the offense of conviction and the duties and responsibilities associated with the position sought, as well as to engage in a dialogue with the applicant to ensure that qualification and fit take priority over criminal history when assessing an applicant’s competitiveness for a position.
Given the newness of these ban-the-box laws, it’s no surprise that lawsuits have followed. In some cases, these lawsuits have clarified obligations and prohibitions as well as shaped enforcement of these laws. A recent case involving Pennsylvania’s ban-the-box law provides insight into a novel issue arising under that state’s law.
Click Here for the Original Article
On December 19, 2025, Governor Kathy Hochul signed into law Senate Bill 3072 (S3072) amending New York’s General Business Law to substantially restrict the use of an applicant’s/employee’s credit history in employment decisions. The new law, which takes effect on April 28, 2026, prohibits employers and/or their agents from requesting or using credit reports unless they fall within a handful of narrowly defined exceptions.
The new law takes an expansive view of credit history and includes any information touching on an applicant’s/employee’s creditworthiness, credit standing, credit capacity, or payment history, regardless of whether it is obtained through a credit check or credit score. It also includes information obtained directly from an applicant/employee concerning the individual’s credit accounts (including the number of credit accounts, late/missed payments, charged-off debts, items in collection, credit limit(s), and prior credit report inquiries), bankruptcies, judgments, and/or liens.
Click Here for the Original Article
Certain organizations in Florida that work with children and vulnerable adults must link to the Agency for Health Care Administration’s (AHCA) new background checks resource in their job postings for any position that requires screening through Florida’s Care Provider Background Screening Clearinghouse, commonly referred to as Level 2 Background Screening. The resource includes details on disqualifying offenses, exemption procedures, and timelines.
On June 4, 2025, Governor Ron DeSantis signed into law a bill that requires the AHCA to create and maintain a webpage for background screening education and awareness. The AHCA had until January 1, 2026, to activate this webpage, which is now live. The agency is required to update the webpage by October 1, 2026, and then by October 1 each year, to incorporate any changes to law, the employment screening process, or the Care Provider Background Screening Clearinghouse, which retains fingerprint data and allows the results of criminal history checks to be shared among certain entities that provide care or placement services for children or vulnerable adults.
Click Here for the Original Article
In May 2023, Florida enacted a significant change to its health data laws. Senate Bill 264 amended the Florida Electronic Health Records Exchange Act restricting where certain patient data can be stored and accessed. Codified at Section 408.051(3) of the Florida Electronic Health Records Exchange Act, the change mandates that:
In addition to the requirements in 45 C.F.R. part 160 and subparts A and C of part 164, a health care provider that utilizes certified electronic health record technology must ensure that all patient information stored in an offsite physical or virtual environment, including through a third-party or subcontracted computing facility or an entity providing cloud computing services, is physically maintained in the continental United States or its territories or Canada. This subsection applies to all qualified electronic health records that are stored using any technology that can allow information to be electronically retrieved, accessed, or transmitted.
In other words, the law requires healthcare providers using certified electronic health record technology (CEHRT) to ensure that patient information stored outside their facilities—whether in a physical data center, virtual environment, or cloud service—is maintained only in the continental United States, its territories, or Canada.
Note that this compliance requirement also comes with a statutory obligation (Section 408.810(14)) for any licensee under Chapter 408 of the Florida Public Health Law to sign an affidavit of compliance upon initial application and future renewals:
The licensee must sign an affidavit at the time of his or her initial application for a license and on any renewal applications thereafter that attests under penalty of perjury that he or she is in compliance with s. 408.051(3). The licensee must remain in compliance with s. 408.051(3) or the licensee shall be subject to disciplinary action by the agency.
This amendment makes clear its intent that the new rule go beyond the requirements in the well-known federal privacy and security regulations for healthcare providers, the Health Insurance Portability and Accountability Act (HIPAA). HIPAA generally does not impose geographic restrictions on where protected health information (PHI) may be processed or stored, so long as appropriate safeguards and agreements are in place. Likely considered a more stringent protection for PHI, the Florida amendment would appear to survive HIPAA preemption.
The law applies broadly across the healthcare sector, including hospitals, clinics, ambulatory surgical centers, home health agencies, hospices, nursing homes, labs, pharmacies, and many individual licensed practitioners—from physicians and nurses to therapists and pharmacists.
And, this restriction does not stop with covered providers. It extends to vendors and subcontractors that support healthcare operations. Managed service providers, IT vendors, scheduling support services, and other contractors that store or access patient information must also ensure that the data remains within the permitted geographic boundaries.
Click Here for the Original Article
Senate Bill 546 cleared the Oklahoma House 84–4, positioning the state to become the 21st to enact a comprehensive privacy framework.
After nearly a decade of legislative effort, Oklahoma moved decisively toward enacting a comprehensive consumer data privacy law on February 19, 2026, when the Oklahoma House of Representatives passed Senate Bill 546 by an overwhelming 84–4 vote. The bill, authored by Senator Brent Howard (R) and co-sponsored by House Majority Leader Josh West (R), now awaits Senate concurrence on House amendments before proceeding to Governor Kevin Stitt for signature.
The road to passage was anything but swift. West first introduced privacy legislation in 2019—at a time when California stood as the only state with a comprehensive data protection law. Earlier iterations of the bill, modeled after California’s Consumer Privacy Act, stalled repeatedly in the Senate. The current version pivots to a Virginia-style framework: the same “Consensus Privacy Approach” adopted by 18 other states and favored by both industry groups and the U.S. Chamber of Commerce. “This time, it’s not as voodoo as it was back in 2019 when we started talking about it,” West remarked on the House floor.
SB 546 covers any business operating in Oklahoma that controls or processes the personal data of at least 100,000 consumers, or the data of at least 25,000 consumers, and derives more than 50% of its gross revenue from the sale of personal data. The bill grants Oklahoma residents a core set of data subject rights, including the right to access, correct, and delete their personal data, and to obtain a portable copy of it, as well as the right to opt out of targeted advertising, the sale of personal data, and profiling decisions with significant legal effects.
Controllers are required to conduct and document data protection assessments for high-risk processing activities. Enforcement is vested exclusively in the Oklahoma Attorney General, accompanied by a 30-day right to cure that does not sunset—a design that mirrors the Virginia model and provides companies a compliance correction window before penalties attach. The maximum civil penalty is $7,500 per violation. There is no private right of action. If the bill passes, the 30-day right-to-cure period will be a welcome feature for companies operating in Oklahoma.
Standard entity-level exemptions apply, shielding HIPAA-covered entities, GLBA financial institutions, non-profits, and governmental bodies from the law’s reach. A House floor amendment also added an exemption for personal data covered by the Controlled Substances Act. Notably absent from the final text are recognition of universal opt-out mechanisms (such as the Global Privacy Control) and enhanced children’s privacy protections—provisions that have appeared in more recently enacted state laws.
Click Here for the Original Article
Walk into many convenience stores across the country, and you’ll likely see gummies, vapes, and tinctures labeled “Delta-8.” These THC-infused products are quickly becoming more and more accessible, and this accessibility is bringing increased attention to workplace drug policies.
In Dupree v. Mississippi Department of Employment Security, the Mississippi Court of Appeals recently concluded that an employee’s use of Delta-8 outside of work did not violate company policy because there was no evidence she was impaired at work. The decision provides some helpful reminders for employers when drafting their drug and drug-testing policies.
Delta-8 refers to Delta-8 THC; THC is the primary psychoactive ingredient in marijuana. The most common form of THC in cannabis plants is Delta-9 THC. The Agriculture Improvement Act of 2018 (known as the 2018 Farm Bill) legalized hemp and derivatives with no more than 0.3% Delta-9 THC. Delta-8 is such a legally approved derivative.
Mandy Dupree, a City of Bay Springs employee, purchased Delta-8 gummies over the counter. Although she did not have a medical marijuana card, she said her doctor recommended she take THC for pain management.
An administrative city employee who was considered a “covered pipeline employee” subject to U.S. Department of Transportation drug testing regulations, Dupree was required to take a drug test after taking a call relating to a problem with the city’s gas line. After completing a routine test, she tested positive for THC. The city terminated her employment due to the positive drug test, and Dupree then applied for unemployment benefits through the Mississippi Department of Employment Security. The agency denied benefits, concluding her termination resulted from misconduct related to her work. Dupree appealed.
Under Mississippi law, employees discharged for “misconduct connected with their work” such as a violation of their employer’s policy are disqualified from receiving unemployment benefits. Under the city’s drug policy, “the use, possession, or sale of intoxicating beverages, marijuana, or hallucinogenic drugs while on duty or at work under the influence may result in immediate discharge.” In addition, the drug policy prohibited use of illicit drugs, abuse of legal drugs, “arrival to work under the influence of drugs,” or “consuming illicit drugs or alcohol while working.” Even so, the city did not have any evidence, such as a signed acknowledgment form, showing that Dupree had received the policy handbook.
THC can remain in a person’s system long after use, and the appellate court appeared to implicitly recognize this in its ruling. Despite Dupree’s admission that she had taken Delta-8 gummies and smoked marijuana in the past, the court did not find that the positive drug test equaled misconduct. The court distinguished this case from Mississippi Department of Employment Security v. Clark, 13 So. 3d 866, 871 (Miss. Ct. App. 2009), where benefits were properly denied when “the employee admitted to drinking three beers before work and showing up to work smelling like alcohol.” The court pointed out that, unlike in Clark, there was no evidence that Dupree “ever showed up to work smelling of marijuana, nor were there any reports indicating she was high on the job.” Further, there was no evidence that Dupree had received the policy even if she had violated it.
Click Here for the Original Article

Microsoft Threat Intelligence issued a report on March 6, 2026, entitled, “AI as tradecraft: How threat actors operationalize AI,” which outlines how threat actors, including those from North Korea, are “operationalizing AI along the cyberattack lifecycle…to bypass safeguards and perform malicious activity.” The threat actors are adopting AI “as operational enablers, embedding AI into their workflows to increase the speed, scale, and resilience of cyber operations.”
The report details how the North Korean remote IT worker schemes dubbed Jasper Sleet and Coral Sleet provide the threat actors with “sustained, large-scale misuse of legitimate access through identity fabrication, social engineering, and long-term operational persistence at low cost.” The threat actors are also toying with agentic AI, which could “complicate detection and response.”
The report outlines how the threat actors have incorporated automation into their schemes across the attack lifecycle to ensure North Korean threat actors are “hired, stay hired, and misuse access at scale” at global companies.
The report is a must-read for any company that has been hit before by the North Korean tech worker scheme, as well as for those that have not yet been hit but recruit remote workers for technology positions.
Click Here for the Original Article
The European Data Protection Board (EDPB) and the European Data Protection Supervisor (EDPS) adopted on 10 February 2026 a joint opinion (Joint Opinion 2/2026) on the European Commission’s Digital Omnibus initiative (described by the Commission as “a set of technical amendments to a large corpus of digital legislation, selected to bring immediate relief to businesses, public administrations, and citizens alike, and to stimulate competitiveness”).
Although both bodies welcome (and largely endorse) the Commission’s proposals set out in the initiative (subject to certain caveats), the opinion expresses marked unease with the proposed approach to redefining personal data, which would be recalibrated to align with the CJEU’s most recent interpretation of the concept [Case C-413/23 (EDPS v SRB)].
In this decision, the CJEU introduces a more “relative” approach to the concept of personal data, holding that pseudonymized data do not necessarily qualify as personal data in all circumstances. Instead, the assessment must be made from the perspective of the specific recipient and the actual, lawful means available to them for re-identification.
While the Court confirmed that the obligation to inform data subjects must be assessed at the time of collection and from the perspective of the original controller, it also clarified that pseudonymized data may fall outside the scope of personal data for a recipient who lacks realistic means of re-identification. In practice, this does not remove the need for a lawful basis when transferring data, but it does mean that where re-identification is merely theoretical, the non-personal character of the data from the recipient’s perspective should weigh in favor of permitting the disclosure, particularly where the transfer relies on legitimate interests.
With this in mind, the Commission’s proposal under the Digital Omnibus initiative is to add a new paragraph to article 4(1) of the GDPR, which would read as follows:
“Information relating to a natural person is not necessarily personal data for every other person or entity, merely because another entity can identify that natural person. Information shall not be personal for a given entity where that entity cannot identify the natural person to whom the information relates, taking into account the means reasonably likely to be used by that entity. Such information does not become personal for that entity merely because a potential subsequent recipient has means reasonably likely to be used to identify the natural person to whom the information relates.”
In the eyes of both the EDPB and the EDPS, the Commission’s proposal risks reducing the material scope of the GDPR by narrowing the notion of personal data beyond the limits recognized in Case C-413/23 (EDPS v SRB), which in fact confirms a much broader definition of personal data, and, in doing so, overlooking earlier rulings that have consistently endorsed a broad interpretation of identifiability.
They argue that data should not be considered non-personal simply because only a later recipient (rather than the current holder) has the means to identify the individual concerned. In this regard, they recall that the CJEU stated in that decision that “impersonal data may become personal in nature when they are put at the disposal of a recipient (any recipient) with means reasonably likely to be used to identify a data subject,” and note that this statement is made without limiting its scope to a specific context of “making available” or data transfer.
Click Here for the Original Article
As compliance requirements become more complex and technology-driven risks accelerate, organizations must take a more strategic and proactive approach to workforce screening and data governance. Cisive helps you stay ahead of regulatory change, strengthen your compliance programs, and mitigate risk across the hiring lifecycle. With deep expertise in background screening and global compliance, we help you eliminate blind spots and hire with confidence.
Author: Michael Kendrick
Bio: Senior Manager of Corporate Compliance at Cisive.