Posts

Some states allow a defendant convicted of a crime to apply for a court order limiting public access to the conviction record or to restore rights and remove disabilities caused by the conviction. This type of order is commonly referred to as an expungement; however, the qualifications for obtaining an expungement and the effect of the expungement vary among the states that allow expungements.

California has an expungement procedure set forth in Penal Code 1203.4. If a defendant meets the qualification of Penal Code 1203.4, the court will allow the defendant to withdraw a plea of guilty or no contest, to reenter a plea of not guilty, and to have the case dismissed. The defendant is also relieved from many of the negative consequences of a criminal conviction.

When reviewing California criminal records showing a conviction, it is important to note if there is also a reference to a Penal Code 1203.4 dismissal because this can impact whether the record is reportable in a background check for a California employer. For example, California law does not allow the reporting of criminal records that result in a non-conviction in employment-purpose reports. Even though the record shows a conviction, the Penal Code 1203.4 dismissal effectively means the conviction never happened.

The reference to the code section will typically be found on the case docket, dated a year or so after the conviction date.

The California Consumer Privacy Act of 2018 (CCPA) gives California residents more control over their personal information that businesses collect about them. The CCPA took effect on January 1, 2020, and final regulations for the statute were approved on August 14, 2020. Enforcement of the CCPA by the California Office of the Attorney General has begun and affected business not in compliance can be fined up to $2,500 per violation or $7,500 for each “intentional” violation.

Who has to Comply with the CCPA?

For-profit businesses doing business in California that collect and control California residents’ personal information must comply with the CCPA if they meet one of three requirements: (1) have annual gross revenues more than $25 million; (2) possess the personal information of 50,000 or more consumers; or (3) earn more than half of its annual revenue from selling consumers’ personal information. For further information about affected employers, see our previous article on the CCPA.

Compliance Strategies to Minimize Enforcement Risk

Businesses required to comply with the CCPA should consider several actions to avoid the risk of enforcement by the attorney general’s office:

  • Update existing privacy policy with information on how, why, and what personal information is collected and processed
  • Update existing privacy policy with information on how users can request access, change, or erase their personal data
  • Introduce a method to verify the identity of the person making requests to access or change their data
  • Introduce a “Do Not Sell My Personal Information” link on their home page to allow users to prohibit the sale of their personal data
  • Obtain consent from minors 13-16 years old before selling their personal data and obtain consent from parents for minors younger than 13

Responding to Consumer Requests and Protecting Personal Data

As more and more companies shift to remote work and digital systems, compliance with the CCPA has become more critical, and for some, burdensome. Companies with limited resources that are struggling to create remote work policies and procedures inside the office are now faced with the challenge of managing data beyond the office. It is important to note that under the CCPA, the California attorney general can also take enforcement action against a business for failing to respond to consumer requests to view or delete personal information, as well as for an unauthorized sale of a consumer’s personal information (or sharing of that data).

Avoiding these compliance pitfalls may require using artificial intelligence and implementing digital tools. Here’s how companies can adapt to CCPA requirements.

Look to analytics and automation technologies to meet consumer and auditor requests efficiently and affordably. Under the CCPA, consumers may request a copy of the data categories being gathered or for their data to be deleted. This is where digital solutions can come in handy. Virtual assistants can help employees ensure that requests are addressed by identifying which consumers have a higher compliance risk and placing them into an automated workflow. Furthermore, analytic tools can make it possible to identify all requests mentioning certain key words, such as “CCPA,” “personal information,” “remove,” or “disclose.” Such tools can ensure efficient and reliable compliance with consumer or auditor requests.

Ensure that third-party partners who collect consumer data are compliant with CCPA requirements. For companies that fail to store consumer data in one central location, they may find it harder to comply with CCPA regulations. Such companies often give third-party providers access to consumer data. In these scenarios, companies should make sure that the third-party providers themselves are compliant with the CCPA.

During these times especially, the CCPA has taken on a new urgency and this is probably just the beginning of the era of consumer data protection.

Unless a California employer has been hiding under a rock, chances are that the company is aware of the impending California Consumer Privacy Act (CCPA).

Signed into law in June 2018 as a quickly-enacted compromise to prevent an even stricter initiative from appearing on the ballot, the CCPA is the most far-reaching consumer privacy and data protection measure in the United States.

The new law applies to any for-profit company doing business in the state that (1) collects consumers’ personal information (PI) solely or jointly with others and (2) either (i) exceeds $25 million in annual gross revenues; (ii) annually transacts in the PI of 50,000 or more consumers, households or devices; or (iii) derives half or more of its annual revenues from PI sales.

“Personal information” includes an IP address, Internet activity, geolocation, education information and biometrics, among other data. A “consumer” is defined as “a natural person who is a California resident,” easily encompassing both employees and job applicants.

Covered entities are required to provide consumers with access to the data collected about them as well as the ability to opt out of the sale of their information to third parties and request that their PI be deleted. Businesses must disclose and deliver the information to consumers free of charge within 45 days of receiving a verifiable request.

Violations of the CCPA are actionable by the California Attorney General’s Office and a limited private right of action also exists for data breaches, with civil penalties of up to $7,500 per violation.

The expansive definitions and broad reach of the law have many employers concerned about the application of the CCPA to their business when the statute takes effect on January 1, 2020.

But – for those employers that do fall under the statute’s coverage – a last-minute amendment to the CCPA will provide a one-year reprieve.

In an effort to alleviate the burden on employers, state lawmakers enacted Assembly Bill 25 in September. The measure amended the CCPA to provide a one-year exemption for the personal information “collected from a natural person by a business in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business.”

This tweak grants employers 12 months of breathing room as long as they are collecting the data of employees and job applicants solely for purposes relating to employment. Governor Gavin Newsom signed the bill into law on October 11, 2019.

Despite the reprieve, covered employers would be well-served to continue preparing themselves to comply with the law. The requirements of the CCPA will still apply with regard to PI about non-employees and/or non-exempt uses of employee and applicant data. And the statute will take full effect for employee and applicant data as of January 1, 2021, absent some future change to the law if lawmakers decide to extend the exemption or make it permanent.  

One of the hottest trends in employment in recent years has been the passage of “ban-the-box” and salary inquiry prohibitions in states and cities across the country.

Limitations on salary inquiry have popped up in recent years as part of the legislative fight against wage discrimination and the gender pay gap. Proponents of such prohibitions argue that salary history questions feed into the discrepancy between what male and female employees are paid by continuously repeating history.

Currently, California, Delaware, Massachusetts, Oregon and Puerto Rico have banned inquiries about prior salary, as have cities including New Orleans, New York and Philadelphia, with dozens of other states and local governments considering such measures.

The colloquial term “ban-the-box” refers to a box that applicants check to indicate they have a criminal record on standardized application forms. About 20 states and more than 150 local entities have already enacted legislation addressing inquiries into criminal history. The trend even went federal in 2015 with the Fair Chance Act introduced in Congress. Although the measure did not pass, it demonstrated the popularity of the movement.

The proposed federal legislation also shined a light on the situation facing multistate employers, with different laws in different states and in some situations, different laws in different cities or municipalities within the same state. One law may contain an outright ban on inquiries into salary or criminal history while another may place restrictions on the timing of the questions. Some laws define covered employers to include businesses with five or more employees; another may not apply its limitations to employers with less than 50 workers.

As an example, although the state already limited employers’ ability to ask job applicants about any juvenile court matters, the California legislature broadened its ban-the-box protections for employees with a new law in 2017. Employers in the state are restricted from making hiring decisions based on an applicant’s convictions records and forbidden from considering conviction history until a conditional offer of employment has been extended.

If an employer elects not to hire an applicant because of a prior conviction, the employer is required to conduct an individualized assessment to determine whether the history has a “direct and adverse relationship” with the job duties that justifies denial of the position. Written notice must be provided to an applicant that his/her conviction history has disqualified the applicant from employment, along with five days to respond and dispute the decision. A second notice must be provided with the final decision not to hire.

In contrast, Vermont’s ban-the-box measure takes a different approach, allowing employers to question applicants about their criminal records during the job interview, albeit providing an applicant with the opportunity to explain their record. And under New York City’s law, an employer commits a per se violation of the statute by using recruiting materials of any kind (including advertisements, solicitations or applications) that express, directly or indirectly, any limitation or specification regarding criminal history.

While the overarching principle remains consistent, the details of the laws vary from jurisdiction to jurisdiction. For multi-state employers, coping with such a patchwork of legal requirements poses a serious challenge.

As the number of state and local jurisdictions with laws addressing salary inquiries or criminal history continues to expand, multi-state employers should brace themselves for a giant compliance puzzle – and consider getting help from an expert.