By Anthony Risucci

On September 27, 2022, Governor Newsom signed Senate Bill (“SB”) 1162 into law. The law alters and expands pay reporting obligations to California’s Civil Rights Department (“CRD”)1 for private employers with 100 or more employees. The law also increases pay transparency obligations under Labor Code Section 432.3, including changes that apply to both public and private employers of all sizes.

As explained in more detail below, SB 1162 requires employers to do the following:

• Private employers with more than 100 employees must submit detailed “pay data reports” to the CRD by the second Wednesday of May every year. The pay data report submission obligation now exists independently of similar federal reporting obligations to the Equal Employment Opportunity Commission.
• All employers must provide pay scale information to employees and job applicants for their position upon request.
• All employers with more than 15 employees must publish pay scale information on every job posting for the position being filled.
• All employers must maintain pay history information for every employee for the duration of their employment, and for three (3) years beyond the date their employment ends.

Pay Data Reporting Requirements

A. Pay Data Reporting Requirements Before SB 1162
Prior to the enactment of SB 1162, private employers with 100 or more employees were required to file a “pay data report” to the CRD. Pay data reports are required to contain employee pay data for specific job categories broken down by race, ethnicity, and sex.  

California law allowed for this requirement to be met by filing an Employer Information Report (“EEO-1”) (a form specifically prepared for the Equal Employment Opportunity Commission for similar federal reporting requirements) on or before March 31 each year, so long as the EEO-1 report included substantially similar pay data information. California law also required employers with multiple establishments to submit a report for each establishment and a consolidated report that included all employees. The first such reports were due in 2021.  

B. New Pay Data Reporting Requirements
SB 1162 simultaneously streamlines and complicates pay data reporting requirements by amending Government Code Section 12999. That statute now requires private employers with more than 100 employees to submit a pay data report to the CRD. An EEO-1 form is no longer sufficient. (See Gov. Code § 12999, subd. (a)(1).) Private employers with 100 or more employees hired through labor contractors within the prior calendar year are also now covered by the reporting requirements (collectively referred to as “Covered Employers”).² (Gov. Code § 12999, subd. (a)(2).)   

Covered Employers must now submit pay data reports containing all of the following information:

1. The number of employees by race, ethnicity, and sex in each of the following job categories:

• Executive or senior level officials and managers;
• First or mid-level officials and managers;
• Professionals;
• Technicians;
• Sales workers;
• Administrative support workers;
• Craft workers;
• Operatives;
• Laborers and helpers; and 
• Service workers.

2. The number of employees by race, ethnicity, and sex whose annual earnings fall within each of the pay bands used by the United States Bureau of Labor Statistics in the Occupational Employment Statistics survey.

3. The median and hourly wage rate within each job category, for each combination of race, ethnicity, and sex.

4. A “snapshot” that counts all of the individuals employed in each job category by race, ethnicity, and sex during a single pay period of the employer’s choice between October 1 and December 31 of that reporting year.

5. A calculation of the total earnings, as shown on Internal Revenue Service form W-2, for each employee in the “snapshot,” for the entire reporting year, regardless of whether or not an employee worked for the full calendar year. The employer must tabulate and report the number of employees whose W-2 earnings during the reporting fell within each pay band.

6. The total number of hours worked by each employee counted in each pay band during the reporting year.

7. The employer’s North American Industry Classification (NAICS) code.

(Gov. Code § 12999, subd. (b).) Pay data reports must also include a section for employers to provide clarifying remarks on the information provided and be made available in a format that allows the CRD to search and sort the information using “readily available software.” (Gov. Code § 12999, subds. (d)-(e).) Covered Employers that hire employees through a labor contractor are also required to disclose the ownership names of all labor contractors used to supply employees. (Gov. Code § 12999, subd. (a)(2).)

Pay data reports must be submitted on or before the second Wednesday of May 2023 and on or before the second Wednesday of May each year thereafter.³ (Gov. Code § 12999, subd. (a)(1).) Covered Employers with multiple establishments are still required to submit pay data reports for each establishment but are no longer required to submit a consolidated report for all employees in addition to establishment-specific reports.⁴ (See Gov. Code § 12999, subd. (c).)

Failure to comply with pay data reporting requirements may subject an employer to one or more of the following: (1) an order requiring compliance (with all costs associated with seeking the order being recoverable by the CRD); (2) a civil penalty not to exceed one hundred dollars ($100) per employee for an initial failure to file a report; and (3) a civil penalty not to exceed two hundred dollars ($200) per employee for continued failure to file a report. (Gov. Code § 12999, subd. (f).)

C. Confidentiality of Pay Data Reports Submitted by Covered Employers
Earlier versions of SB 1162 would have required CRD to publish individual employers’ pay data reports on a publicly accessible website. That is not the case with the version of the bill that Governor Newsom signed. The public posting requirement was removed from the bill by the Assembly Appropriations Committee.  

As was the case prior to SB 1162, CRD is permitted to compile data from pay data reports and publish “aggregate reports” that are available to the public. (Gov. Code § 12999, subd. (i).) Importantly, such reports must be drafted so as to be “reasonably calculated to prevent the association of any data with any individual business or person.” (Ibid.)  

SB 1162 also makes it “unlawful” for CRD “to make public in any manner . . . any individually identifiable information obtained” from a pay data report unless an investigation or enforcement proceeding is initiated against an employer.⁵ (Gov. Code  § 12999, subd. (g).) Any individually identifiable information submitted to CRD is also considered “confidential information and not subject to disclosure pursuant to the California Public Records Act.” (Gov. Code Section 12999, subd. (h).)

Pay Transparency Obligations

SB 1162 also greatly increases employer obligations under Labor Code Section 432.3. Unlike the pay data reporting requirements of Government Code Section 12999, changes to Labor Code Section 432.3 apply to all public and private employers. 

Prior to SB 1162, Section 432.3 primarily served to prohibit an employer from seeking salary history information about a job applicant or relying upon such information as a factor in determining what salary to offer that applicant. (Lab. Code § 432.3, subds. (a)-(b).) SB 1162 left those prohibitions in place, but added additional requirements for employers aimed at increasing pay transparency.  

All employers are now required to provide the pay scale for a position to a job applicant upon their request.⁶ (Lab. Code § 432.3, subd. (c)(1).) Current employees are also entitled, upon request, to the pay scale for the position they are currently employed in. (Lab. Code § 432.3, subd. (c)(2).)  

If an employer has 15 or more employees, they are required to include the pay scale for a position on any job posting—a significant change to the prevailing practice of not including salary information on job postings. (Lab. Code § 432.3, subd. (c)(3).) Use of a third party to announce, post, publish, or otherwise make an employer’s job posting known does not eliminate the requirement to include the pay scale in the job posting. (Lab. Code § 432.3, subd. (c)(5).) 

Employers are required to maintain records of job title and wage rate history for each employee for the duration of their employment, and until 3 years after their employment ends. (Lab. Code § 432.3, subd. (c)(4).) These records are open to inspection by the Labor Commissioner. (Ibid.) Failure to keep such records creates a rebuttable presumption in favor of an employee’s claim that the Labor Code has been violated. (Lab. Code § 432.3, subd. (d)(5).) 

An employee or job applicant that claims a violation of this statute may file a written complaint with the Labor Commissioner within one year of the alleged violation, or file a civil action that can provide “for injunctive relief or any other relief the court deems appropriate.” (Lab. Code § 432.3, subds. (d) (1)-(2).) The Labor Commissioner may levy fines against violating employers between one hundred dollars ($100) and ten thousand dollars ($10,000) per violation. (Lab. Code § 432.3, subd. (d)(4).) First time violators, however, may avoid civil penalties by demonstrating that all job postings for open positions have been updated to include pay scales. (Ibid.)

Conclusion

SB 1162 is part of a growing wave of pay transparency laws, including recently enacted laws in New York City, Colorado, and Washington state. Employers should prepare for pay transparency obligations to continue to arise in various jurisdictions. Attorneys of Coblentz Patch Duffy & Bass LLP’s Labor and Employment practice group are familiar with the new requirements imposed by SB 1162 and can assist employers in complying with these changes in the law.

 

[1] Formerly known as the Department of Fair Employment and Housing (“DFEH”).
[2] SB 1162 defines “employee” as “an individual on an employer’s payroll, including a part-time individual, and for whom the employer is required to withhold federal social security taxes from that individual’s wages.” (Gov. Code § 12999, subd. (k)(1).) A “labor contractor” is defined as “an individual or entity that supplies, either with or without a contract, a client employer with workers to perform labor within the client employer’s usual course of business.” (Gov. Code § 12999, subd. (k)(2).) If an employer has both 100 or more employees and 100 or more employees hired through a labor contractor, the legislation appears to require two separate reports, one for each category of employees. (See Gov. Code § 12999, subd. (a)(2).)
[3] SB 1162 does not alter pay data reporting obligations for 2021 or 2022, which were due on or before March 31 of each of those years. (Gov. Code § 12999, subd. (m).) The legislation also does not eliminate the possibility of administrative enforcement actions for failure to comply with reporting requirements in those years. (Ibid.).
[4] An “establishment” is defined as “an economic unit producing goods or services.” (Gov. Code § 12999, subd. (k)(3).)
[5] “Individually identifiable information” means “data. . . that is associated with a specific person or business.” (Gov. Code § 12999, subd. (g).)
[6] A “pay scale” means the salary or hourly wage range that the employer reasonably expects to pay for the position. (Lab. Code § 432.3, subd. (m).)

Originally published to the Transnational Litigation Blog, May 25, 2022.

By Alexander Preve

Two law firms recently filed a class action lawsuit on behalf of Rohingya refugees in the United States seeking at least $150 billion in compensatory damages from Meta (formerly Facebook). The plaintiffs in Doe v. Meta allege that Meta’s algorithms were designed to promote hate speech and misinformation about the Rohingya, a Muslim-minority population in Myanmar that has long been subject to discrimination and scapegoated by the Buddhist majority as terrorist “foreigners.” In response, Meta argues that it is immune from suit under the Communications Decency Act (“CDA”).

Although the plaintiffs attempt to plead around the limits of the CDA and Ninth Circuit precedent, these efforts are likely to fail. In an effort to sidestep Section 230 immunity, the plaintiffs contend that the district court should conduct a choice-of-law analysis solely on the immunity issue. This post first surveys the doctrinal landscape relating to Section 230. It then explains why the plaintiffs’ choice-of-law arguments are flawed and why the plaintiffs err in ignoring the presumption against extraterritoriality. It concludes with a proposal for how Congress should amend the CDA to achieve greater accountability when technology companies transition from publishers of information to creators of content.

Section 230 Immunity

This is not the first time a suit has alleged that a technology company has incited violence through its machine-learning algorithms. The Ninth Circuit has held that technology companies like Facebook, Twitter, and Google are immunized from civil liability when they act as “publishers” of information posted by third parties. The immunity provision of the CDA at issue, 47 U.S.C. § 230(c)(1), provides that “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider.” From this provision, the Ninth Circuit has developed a three-fold test: a technology company enjoys immunity under the CDA if it is “(1) a provider or user of an interactive computer service (2) whom a plaintiff seeks to treat, under a state law cause of action, as a publisher or speaker (3) of information provided by another information content provider.” However, the Ninth Circuit has also held that this grant of immunity only applies if the interactive computer service provider (like Meta) is not itself an information content provider, which the CDA defines as someone who is responsible (in whole or in part) for the creation or development of the offending content.

The plaintiffs in Doe v. Meta seek to leverage this distinction by characterizing Meta as an information content provider that created and proliferated anti-Rohingya hate speech through its machine-learning algorithms. It will be difficult for the plaintiffs to make this distinction in light of Ninth Circuit precedent. In Gonzales v. Google LLC, the plaintiffs sued Google, Facebook, and Twitter, alleging that these technology companies facilitated the terrorist activities of ISIS by recommending ISIS recruitment videos to users and enabling users to locate other videos and accounts related to ISIS. The Ninth Circuit found that the plaintiffs had not alleged (1) that Google’s algorithms had prompted ISIS to post unlawful content, or (2) that Google’s algorithms treated ISIS-created content differently than any other third-party created content. Thus, the Ninth Circuit held that these companies’ algorithms were “content-neutral” and entitled to Section 230 immunity. In Doe, the plaintiffs seek to distinguish Gonzalez by arguing that Meta’s algorithms in Myanmar were “far from neutral” because Meta developed a “dopamine-triggering reaction mechanism” that intentionally promoted the most hateful and divisive content regarding the Rohingya. The plaintiffs also argue that the theory of liability in Gonzalez (which relied on a “matchmaking” theory based on Google’s recommendations of terrorist content to other users) is different from the plaintiffs’ primary theory of liability, which alleges that Meta used reward-based algorithms that induced users to post harmful content.

These arguments are unlikely to succeed. The Ninth Circuit has interpreted Section 230 extremely broadly, particularly when it comes to machine-learning algorithms that recommend content and connections to users. The plaintiffs creatively argue that the CDA is inapplicable because they are suing Meta as the designer of a defective product rather than in its capacity as a publisher exercising editorial discretion. This is one of the plaintiffs’ stronger arguments. The Ninth Circuit recently considered the same argument in a lawsuit against Snapchat. In Lemmon v. Snap, Inc., the plaintiffs alleged that Snapchat negligently designed a “filter” that incentivized users to send photos while operating vehicles at high speeds. The Ninth Circuit held that Section 230 immunity did not apply because the plaintiffs sought to hold Snapchat liable for its distinct duty to design a reasonably safe product (rather than seeking to hold Snapchat liable as a publisher). The problem is that the legal theory in Doe rests on Meta’s acts and omissions as a moderator of third-party content, as opposed to Meta’s acts as the designer of an app.

The question of whether the district court will grant immunity to Meta is an interesting one. But there is also the question of when the court will rule on the immunity issue. It is unclear whether Section 230 immunity is like other forms of immunity (e.g., qualified immunity) that are frequently applied at the pleading stage to immunize defendants not just from liability, but from being subject to costly and potentially embarrassing discovery. Here, the plaintiffs contend that the immunity issue can be postponed to a later stage of the litigation. As the plaintiffs note, the Seventh Circuit has followed this approach and allowed discovery to proceed. If the district court denies Meta’s motion to dismiss and permits discovery, this could have broader implications for Meta (even if the Court later grants Section 230 immunity).

Doe v. Meta is being brought at a time when there is a growing consensus that Section 230 of the CDA, which was enacted in 1996, sweeps far too broadly. In Gonzalez, Judge Berzon concurred in the majority opinion but urged the Court “to reconsider [its] precedent en banc to the extent that it holds that section 230 extends to the use of machine-learning algorithms to recommend content and connections to users.” And as Professor Rebecca J. Hamilton notes in a recent article on accountability for platform-enabled crimes, there are bipartisan efforts to repeal or reform the CDA.

This case is a prime example of how times have changed. The plaintiffs in Doe note that the vast majority of Burmese citizens obtained cell phones in 2011, and Facebook arranged for them to use the Facebook app without incurring data charges. For many Burmese, Facebook was the internet, which made the dissemination of hateful rhetoric that much easier. The business reality today, when technology companies play a vital role in the dissemination of information, differs markedly from the reality that existed in 1996.

Presumption Against Extraterritoriality

The plaintiffs in Doe v. Meta argue that Section 230 does not apply on the facts presented. They claim that this statute conflicts with Burmese law, which (according to the plaintiffs’ expert declaration) does not immunize technology companies from liability for third-party content published on their platforms. The plaintiffs do not assert that Burmese law conflicts with the causes of action for strict product liability and negligence, which are governed by California law. Instead, the plaintiffs contend that a choice-of-law analysis is warranted solely for Meta’s asserted defense of immunity under the CDA, if the court finds that Section 230 immunity applies.

The plaintiffs’ arguments are flawed. The CDA is a federal statute, the applicability of which does not depend on state choice-of-law rules. To determine whether the CDA applies to claims arising out of Meta’s activities in Myanmar, the court should look instead to the federal presumption against extraterritoriality. The presumption against extraterritoriality is a canon of statutory interpretation that provides that, absent clearly expressed congressional intent to the contrary, federal laws are construed to only have domestic application. Under a two-step framework, courts first ask whether the statute provides a clear, affirmative indication that it applies extraterritorially. If not, then courts move on to the second step and ask whether the case involves a domestic application of the statute. To make that determination, courts look to the statute’s “focus.” The Supreme Court has defined the focus of a statute as the “object of its solicitude,” which can include the conduct the statute seeks to regulate and the parties or interests it seeks to protect or vindicate. If the conduct relevant to the statute’s focus occurred in the United States, then the case involves a permissible domestic application of the statute. But if the conduct relevant to the focus of the statute occurred in a foreign country, then the case involves an impermissible extraterritorial application of the statute.

In Gonzalez, the Ninth Circuit applied the presumption against extraterritoriality to Section 230. Since the CDA does not contain a clear, affirmative statement that it applies extraterritorially, the Ninth Circuit moved on to the second step and analyzed the focus of Section 230. Because the object of the CDA’s solicitude is to encourage providers of interactive computer services to monitor their websites by limiting their liability, the court held that “the relevant conduct occurs where immunity is imposed, which is where Congress intended the limitation of liability to have an effect, rather than the place where the claims principally arose.” The Ninth Circuit therefore concluded that the Gonzalez plaintiffs’ claims involved a domestic application of Section 230 and that the defendants were entitled to immunity.

The district court is likely to follow this reasoning and find that the Doe plaintiffs’ claims against Meta similarly involve a domestic application of Section 230. The plaintiffs seek to circumvent this analysis, arguing that “Gonzalez addressed the CDA extraterritoriality argument … [which is] an argument that Plaintiff[s] [are not] making here.” Unfortunately for the plaintiffs, the Ninth Circuit’s prior interpretation of Section 230 binds the district court regardless of whether the plaintiffs raise the presumption against extraterritoriality in their complaint.

The notion that the court must engage in a choice-of-law analysis under California law to determine whether a federal statute—the CDA—applies to the claims fundamentally misunderstands the nature of the inquiry. Courts do not apply state choice-of-law rules to determine the applicability of federal statutes. In support of their choice-of-law argument, plaintiffs cite Bassidji v. Goe, which applied California choice-of-law rules to decide whether an Executive Order prohibiting U.S. citizens from doing business with Iran applied to a contract made in Hong Kong. In Bassidji, however, the court ultimately held that federal law did apply by utilizing California’s public policy exception. Regardless of whether the Ninth Circuit was correct in Bassidji to examine the question through the lens of state choice of law rules, the plaintiffs have not cited any case in which courts have used such rules to displace federal law in favor of foreign law.

Conclusion

Doe v. Meta is a stark reminder of the need for Section 230 reform. Technology companies such as Meta exercise enormous influence over the dissemination of information, particularly in developing countries with low rates of digital literacy. Machine-learning algorithms can facilitate violence, misinformation, and atrocity crimes, and there is bipartisan consensus that the current system of self-regulation is outdated.

To address these issues, Congress should amend Section 230 of the CDA to provide that an individual or entity acts as an information content provider when it employs algorithmic friend-suggestion features. The Doe v. Meta complaint notes that Meta’s algorithms provide “friend suggestions” based on an analysis of users’ existing social connections on Meta and other behavioral and demographic data. The plaintiffs allege that Facebook’s friend suggestion algorithms connected violent extremists and susceptible potential violent actors who were sympathetic to the anti-Rohingya cause. By tailoring friend suggestions to individual users, Meta was arguably creating its own content rather than acting as a publisher exercising editorial discretion, which is the function that the CDA immunizes from liability. Friend-suggestion features are a creature of online social networks, which were virtually nonexistent when the CDA was enacted in 1996. By excluding friend-suggestion features from Section 230 immunity, Congress can modernize the CDA to (1) ensure some level of accountability when social media companies facilitate atrocity crimes and (2) more accurately capture the conduct that makes an individual or entity the publisher of third-party content.

As with every new year, California rolled out new laws affecting the workplace beginning January 1, 2022. Below is a summary of some of the most relevant changes that may affect your business. As always, please reach out to any of our labor and employment attorneys at Coblentz if you have any questions or concerns about new legislation or amendments to existing laws.

California’s Minimum Wage Increase – SB 3: Effective January 1, 2022, California’s state minimum wage will increase to $15 per hour for employers with more than 25 employees, and it will increase to $14 per hour for employers with 25 or fewer employees. As a result, the minimum monthly salary for California exempt-status employees will increase to $5,200 per month, or $62,400 annual salary (which is equal to twice the minimum wage based on a
40-hour workweek). Note, however, that many cities and counties in California have their own minimum-wage requirements, but the minimum salary threshold is based on California law.

Expansion of California Family Rights Act (CFRA) – AB 1033: The CFRA requires employers with five or more employees to provided up to 12 weeks of leave in a 12-month period for an employee to attend to his or her own serious medical condition or to care for a family member with a serious medical condition. This bill expands the list of covered family members to include parents-in-law. Additionally the bill clarifies the requirements for the mediation of claims alleging a violation of a job protected leave by employers of five to 19 employees.

Non-Disparagement And Non-Disclosure Provisions in Settlement And Separation Agreements (“Silenced No More Act”) – SB 331: This bill amends Code of Civil Procedure § 1001 to prohibit non-disclosure provisions in settlement agreements involving any form of prohibited workplace discrimination, harassment, or retaliation under the Fair Employment and Housing Act. This requirement is in addition to Section 1001’s existing prohibition of any settlement agreements that prevent the disclosure of information pertaining to a civil or administrative claim related to sexual assault, harassment, or other sex-based workplace discrimination or retaliation.

The bill also amends Government Code § 12964.5 to limit the use of non-disparagement or other contractual provisions in employment agreements, including separation agreements, even if no civil action or complaint is filed. Any non-disparagement agreement or other contractual provision that restricts an employee’s ability to disclose information related to conditions in the workplace must include: “Nothing in this agreement prevents you from discussing or disclosing information about unlawful acts in the workplace, such as harassment or discrimination or any other conduct that you have reason to believe is unlawful.” Additionally, employers, under Section 12964.5, must include written notification of the employee’s right—even if they are above the age of 40—to consult counsel and a consideration period no fewer than five business days in separation agreements. The changes offered by SB 331 are not retroactive; instead, they apply to agreements entered into after January 1, 2022.

Arbitration Invoice Payment Requirements – SB 762: This bill amends Code of Civil Procedure §§ 1281.97 and 1281.98 to require that all arbitrator invoices are due upon receipt, if the parties’ arbitration agreement is silent on the number of days the parties have to pay the arbitrator’s fees. Under the amended sections, any extensions for invoice payments must be agreed upon by all parties to the arbitration.

Personnel Records Retention – SB 807: This bill extends the current personnel records retention requirement from two to four years from the date of creation, date of termination, or date of non-hire for an applicant. If a complaint has been filed with the Department of Fair Employment and Housing (DFEH), then the employer must retain the at-issue personnel records until the employer is notified that the action has been fully resolved or the first date after the statute of limitations for filing a civil action (or related appeal) has expired. SB 807 makes several procedure modifications to the DFEH’s enforcement rules, such as authorizing the use of electronic service of administrative complaints, extending the time for the DFEH to complete its investigation of group or class discrimination claims to two years before issuing a right-to-sue letter, and permitting group or class discrimination claims to be filed in any county within California.

Criminalization of Wage Theft – AB 1003: This bill creates Penal Code § 487m and makes the intentional theft of wages, including gratuities, in an amount greater than $950 from any one employee, or $2,350 in the aggregate from two or more employees, by an employer in any consecutive 12-month period punishable as grand theft and imprisonment for up to 3 years. Because this bill includes independent contractors within the meaning of employee, the misclassification of a service provider bears significantly greater risk.

Food Delivery Platforms And Workers’ Tips – AB 286: Beginning January 1, 2022, this bill will make it unlawful, among other things, for a food delivery platform to retain any portion of tips or gratuities paid from the customer to the delivery worker.

Owners of Real Property Subject to Liens for Wage Violations – SB 572: This bill will add Section 90.8 to the Labor Code to permit the Labor Commissioner to create and implement a lien on real property to recover amount due wage-and-hour violations stemming from final citations, findings, or administrative decisions. Preexisting law permitted the Labor Commissioner to obtain a lien on real property to only recover amounts due under final court orders.

Garment Workers Excluded from Piece-Rate Pay – SB 62: Beginning January 1, 2022, employers may no longer pay their employees who are engaged in garment manufacturing by the piece. Rather, employers must pay garment workers at least the minimum wage for all hours worked. This bill also expands wage-and-hour violation liability to “brand guarantors,” which is defined as any person contracting for the performance of garment manufacturing. SB 62’s expansion could hold clothing brands liable for violations that take place in manufacturing facilities by their vendors, in essence creating a joint-employer relationship.

Unionized-Janitorial Private Attorneys General Act (PAGA) Exemption – SB 646: This bill enacts Labor Code § 2699.8 to create an exemption that precludes janitorial employees covered by a collective bargaining agreement from bringing a representative action under PAGA. In order for the exemption to apply, the CBA must (1) provide total hourly compensation; (2) prohibit the Labor Code violations that are actionable and offer a collective grievance procedure with binding arbitration to address such Labor Code violations on a representative basis; (3) expressly and unambiguously waive PAGA claims; and (4) allow the arbitrator to award remedies under the Labor Code, except for penalties payable to the Labor & Workforce Development Agency (LWDA). The janitorial employer must inform the LWDA of such a CBA within 60 days of the enactment of this statute.

Electronic Transmission of Workplace Notices – SB 657: As remote working becomes more prevalent, the myriad of mandated state and federal workplace notice postings (e.g., Wage Orders, payday schedules, whistleblower rights, etc.) may now also be delivered to employees as an attachment to an email. Employers must still continue to adhere to their obligations to post such notices physically.

Recall Obligations for COVID-19 Layoffs – SB 93: While not new to 2022, this bill went into effect on April 16, 2021 and expires on December 31, 2024. It requires certain employers to rehire employees who were laid off due to COVID-19 if they worked at least six months prior to their layoff. Employers under SB 93 include the following employers: (1) hotels with 50 or more guest rooms; (2) private clubs with 50 guest rooms for overnight lodging; (3) event centers with 50,000 square feet or 1,000 seats; (4) airport hospitality operations and service providers; and (5) office services, e.g., janitorial and security services. Reopened positions must be offered to laid-off employees within 5 business days of the opening.

CAL-OSHA Presumption Creation – SB 606: This bill creates a rebuttable presumption that a workplace safety violation committed by an employer with multiple worksites is enterprise-wide if the employer has a written policy or procedure that violates certain health and safety regulations, or Cal-OSHA finds evidence of a pattern or practice of safety violations at more than one of the employer’s worksites. Additionally, the bill adds a definition of “egregious violation” which carries added penalties and expands Cal-OSHA’s enforcement power to issue and enforce a subpoena if an employer fails to promptly provide requested information.

Warehouse Distribution Employees – AB 701: Under newly-enacted Labor Code §§ 2100–2112, employers with 100 or more employees at a single warehouse distribution center or 1,000 or more employees at one or more warehouse distribution centers in California are required to provide nonexempt employees, either upon hire or within 30 days of this new law’s enactment, with a written description of each quota they are subject to (e.g., quantified number of tasks to be performed or materials to be handled) within a defined period of time and any potential adverse employment action that may result from failure to meet the quota. This bill prohibits adverse employment actions against employees who fail to meet their quota if the quota was not properly disclosed to the employee. AB 701 prohibits quotas that prevent an employee from taking his or her meal or rest breaks, use of restrooms, or that interfere with compliance with California’s occupational health and safety laws.

Independent Contractor Exemptions Expanded – AB 1561: This bill offers several changes. First, it extends the expiration date for the statutory exemptions granted to licensed manicurists and construction trucking subcontractors in AB 5 from January 1, 2022 to January 1, 2025. Second, the bill also extends the exemption for newspaper publishers and distributors through January 1, 2025. Third, the bill clarifies that Labor Code § 2782 does not apply to the relationship between a data aggregator and a research subject, and it removes the requirement that research subjects are to be paid minimum wage for the research task that they have willingly engaged. Fourth, Labor Code § 2783 is amended to expand exemptions for individuals who provide claims adjusting or third-party administration for insurance or financial service industries.

By Scott Hall & Mari Clifford

Download a PDF version of this report here.

Although we are just a few months in, 2021 has already been another busy year for data privacy developments. From new regulations and legislation to court decisions impacting privacy rights, let’s take a look at a few of the key data privacy developments so far this year.

New CCPA Regulations

Just when you thought the CCPA regulations were finalized, on March 15, 2021, the California Attorney General (“AG”) approved additional regulations intended to enhance consumer protections for opt-outs. Most significantly, the regulations ban “dark patterns” that complicate the opt-out process and prohibit businesses from burdening consumers with confusing language or unnecessary steps.

The revisions implement the following changes:

• Offline Collection and Notices: Businesses that sell personal information collected offline are now required to inform consumers in an offline method of their right to opt-out. This includes providing instructions on how to submit an opt-out request.
• Ban on Dark Patterns or Complications to the Opt-Out Process: Opt-out requests must “be easy for consumers to execute and shall require minimal steps to allow the consumer to opt-out.” The new regulations prohibit businesses from using any method that is designed to, or has the effect of, preventing a consumer from opting out. Specifically, businesses cannot require consumers to scroll through a privacy policy or listen to reasons why they should not opt-out before confirming their request. Additionally, the opt-out process cannot require more steps than the process to opt-in to the sale of personal information after having previously opted out, or use confusing language.
• Opt-Out Icon: Businesses may use an opt-out icon in addition to, but not in lieu of, notice of a right to opt-out or a “Do Not Sell My Personal Information” link.
• Requests from Authorized Agents: A business may require an authorized agent who submits a request to “know” or “delete” to provide proof that the consumer gave the agent signed permission to submit a request.
• Children’s Information: The regulations added the word “or” to section 999.332. As a result, businesses that sell personal information (“PI”) of children under the age of 13 “and/or” between the ages of 13 and 15 are now required to define in their privacy policies how consumers can make an opt-in to sale requests.

CPRA Preparation and Compliance

In November 2020, Californians voted to enact Proposition 24, also known as the California Privacy Rights Act (“CPRA”). The CPRA expands on the California Consumer Privacy Act of 2018 (CCPA), establishes a new privacy regulatory agency called the California Privacy Protection Agency (CPPA), provides new rights for consumers, and imposes new obligations on businesses.

The CPRA’s enforcement is set to begin on July 1, 2023, but the act has a look-back period to January 1, 2022. This means that data collected from January 1, 2022, is subject to the act, so businesses shouldn’t wait to develop the requisite policies and procedures in response to new requirements. CPRA compliance should be a priority for every covered business. Here are a few key points that businesses need to be thinking about:

Modification to the Scope of the CCPA

The CPRA modifies the CCPA’s scope in that it applies to businesses that (1) have annual gross revenue over $25 million in the preceding calendar year; (2) buy, sell, or share personal information of 100,000+ consumers or households; or (3) derive at least 50% of their annual revenue from selling or sharing consumer PI. Notably, the CPRA’s threshold of 100,000 consumers or households doubles the previous threshold under the CCPA of 50,000 consumers, households, or devices, and therefore could significantly reduce the scope of the act and its impact on smaller businesses.

Cross-Context Behavioral Advertising

The CPRA introduces the concept of data “sharing,” which is defined as “sharing, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross-context behavioral advertising for the benefit of a business in which no money is exchanged.” (Emphasis added.) The CPRA explicitly requires businesses to provide notice to consumers about data sharing practices and extends consumer opt-out rights to the sharing of personal information by a business to a third party.

Data Minimization

The CPRA introduces data minimization principles similar to those in the GDPR by prohibiting businesses from collecting more personal information than “reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed . . .”[1]  The CPRA also requires that businesses not retain personal information for longer than is reasonably necessary for the purpose for which it was collected, as well as to identify retention periods of data in the privacy notice to consumers.[2] Thus, all businesses should focus on making changes to limit data collection and processing of personal information to only what is reasonably necessary for the business.

Creation of California Privacy Protection Agency (CPPA)

The CPRA establishes a new enforcement agency, the CPPA. As the first agency of its kind in the United States, the CPPA will have the authority to investigate potential breaches and violations, draft enforcement regulations, and issue fines. This transfers the current CCPA and CPRA responsibilities from the Office of the Attorney General to the CPPA. Importantly, the CPRA cancels the grace period of 30 days that businesses have after being notified of an alleged breach or violation and raises the maximum on fines for violations.

Expanded Consumer Rights

Expansion of the Private Right of Action

The CPRA has expanded the scope of the private right of action by adding a cause of action for the unauthorized access and exfiltration, theft, or disclosure of an email address in combination with a password or security question and answer that could permit access to content. The act also clarifies that the implementation and maintenance of reasonable security procedures and practices following the breach do not constitute a cure.

New Consumer Rights Under the CPRA

• Right to correct: California residents have the right to correct inaccurate personal information the business holds about them. This mirrors the right to correction under the GDPR.
• Right to know about and opt-out of automated decision making: California residents can request access to and knowledge about how automated decision technologies work and what their outcomes are, and have a right to opt-out of the use of their PI for automated decision making.
• Right to opt-out of data “sharing”: In addition to being able to opt-out of data “selling,” consumers will be able to opt-out of data “sharing” for cross-context behavioral advertising purposes.
• Right to limit use of sensitive personal information: The CPRA introduces a new category of personal information called “sensitive personal information.” This includes precise geolocation data, race, religion, sexual orientation, social security numbers, and certain health information outside the context of HIPAA. Consumers may limit the use and disclosure of sensitive personal information by businesses. Businesses may also need to add another link to their website homepage to allow consumers to exercise their rights to limit the use of their sensitive information.

Next Steps For Businesses

Update Website Links

Covered businesses will need to (1) update their “Do Not Sell My Personal Information” links to read “Do Not Sell or Share My Personal Information,” and (2) include a separate link titled “Limit the Use of My Sensitive Personal Information” where such information is collected. The CPRA encourages businesses to make “a single, clearly-labeled link” that allows a consumer to swiftly and simultaneously opt-out of sale or sharing of PI and limit the use or disclosure of the consumer’s sensitive PI. If a business complies with automated opt-out signals sent from browsers or other extensions then a business will not need to provide such links.

Update Contracts

Businesses will need to impose expanded duties on their service providers and contractors to protect information, comply with audit requests, and assist businesses in responding to consumer requests or other obligations. The CPRA requires all sales, sharing, and disclosures of personal information for a business purpose to be made pursuant to a contract. Even disclosures of deidentified information to any recipient will require a contract setting out clear restrictions on attempts at reidentification. To comply with these new CPRA provisions, businesses will need to (1) develop the necessary contracting materials in preparation for a contracting exercise; (2) assess all transfers of personal information to identify which provisions are required for which recipients; and (3) begin the process of updating and negotiating the required agreements.

Conduct Additional Data Mapping

Businesses will need to identify any information that is shared, not just sold. To meet the CPRA’s data minimization requirements, businesses will need to establish and comply with document retention periods. Additionally, businesses need to understand what algorithms or automated decision-making processes are being performed on personal information collected and maintained by the business.

Adjust Responses to Data Subject Access Requests

The CPRA now requires businesses to use commercially reasonable efforts to correct inaccurate personal information in response to a verifiable consumer request. As a result, businesses must be prepared to adjust their response procedures or be ready to explain why they cannot meet a consumer request because “doing so proves impossible or would involve a disproportionate effort.”

Businesses should also start preparing processes for how they will respond to California consumers who exercise their new privacy rights which include “do not share” requests, correction requests, and requests to limit the use of sensitive data. Finally, with more state privacy laws looming, many businesses will need to consider whether a “California versus everyone else” approach still makes sense for their business.

Assess High-Risk Activities

Per the CPRA, the California AG will at some point issue regulations requiring businesses whose processing poses “significant” risks to consumer privacy and security. These “high-risk” businesses will then need to perform annual security audits and submit regular risk assessments to the new CPPA. Companies that collect large volumes of sensitive data should start designing internal audit procedures in anticipation of this requirement. More details on this to come.

Update Do-Not-Track and Advertising Models

Businesses will need to anticipate and prepare their models for what advertising looks like with fewer cookies, tags, and pixels. They will also need to start reacting to Do-Not-Track signals and may need to adopt new opt-in marketing strategies. Given the volume of work this may entail, businesses should commence this earlier rather than later so as not to run into compliance issues when enforcement of the CPRA begins.

More State Legislation Regarding Data Privacy

The landscape of privacy law and compliance issues is changing rapidly as many states beyond California are enacting or contemplating new, more comprehensive privacy legislation similar to the CCPA/CPRA.

Virginia Privacy Law

Virginia became the second state to pass comprehensive data privacy legislation when it enacted the VCDPA on March 2, 2021. The VCDPA applies to entities that conduct business in Virginia or produce products or services that are targeted to Virginia residents and either (1) control or process the personal data of at least 100,000 consumers during a calendar year, or (2) control or process the personal data of at least 25,000 consumers and derive at least 50% of gross revenue from the sale of personal data. The VCDPA provides consumers rights of access, correction, deletion, data portability, appeal, and exclusion. Because the Act does not provide for any exceptions to these rights, businesses are expected to comply regardless of the hardship posed or the impractical nature of the request.

To best prepare for these eventualities, businesses will need to update their policies that address the new obligations imposed upon them under the VCDPA including data minimization, purpose limitations, security controls, express consent requirements, and data protection assessments. Given that the VCDPA goes into effect in two years, businesses are strongly advised to start evaluating their current data processing activities and begin developing a compliance program that meets the requirements of the VCDPA.

Other States Introducing Privacy Laws

As the internet and new technologies continue to raise questions about privacy and use of PI, state lawmakers are trying to keep up by addressing novel privacy issues through legislation.

California’s and Virginia’s legislatures are not the only ones paying attention to these shifting tides in the privacy law landscape. Several states, including Washington, Oklahoma, Connecticut, Florida, Illinois, and New Jersey currently have active bills awaiting committee hearings or votes. Other states such as Alabama, Arizona, Colorado, Kentucky, Maryland, Massachusetts, Minnesota, New York, Rhode Island, South Carolina, Texas, Utah, Vermont, and West Virginia recently introduced comprehensive privacy acts to state legislatures. Progress on these laws should be monitored closely over the next few months.

Status of a Federal Privacy Law

And, of course, no update would be complete without monitoring federal privacy legislation. Congresswoman Suzan DelBene (WA) introduced the Information Transparency and Personal Data Control Act on March 10, 2021, which would create a national data privacy standard for the protection of personal information, including information related to financial, health, genetic, biometric, geolocation, sexual orientation, citizenship and immigration status, social security numbers, and religious beliefs, as well as information about minors.

Given the potential patchwork of state laws mentioned above, many businesses would welcome a uniform standard, but the timing of when a comprehensive federal law will actually be enacted remains unclear.  For now, businesses must closely monitor the various state laws being passed and determine what laws they may need to comply with.

Recent Court Decisions Regarding Privacy

Data privacy litigation remains active, and recent court decisions have provided some clarity and guidance regarding the scope of certain privacy laws.

Scope of CCPA’s Private Right of Action

Certain recent court rulings have limited the scope of the CCPA’s private right of action.  For example, in Gardiner v. Walmart Inc. et al, No. 4:20-cv04618 (N.D. Cal.), defendants secured a ruling rendering a narrow interpretation of the CCPA. In Gardiner, a Walmart customer sued the retail company under the CCPA for failing to implement and maintain reasonable and appropriate security procedures and practices to protect information he gave to Walmart to create an account on the company’s website. Gardiner claimed that his personal information had been subject to unauthorized exfiltration on Walmart’s website and sold on the dark web, exposing him to purportedly ongoing risk of financial fraud and identity theft. On March 5, 2021, the District Court for the Northern District of California dismissed Gardiner’s claim for damages under the CCPA on two grounds. First, the court could not determine whether the alleged breach occurred before or after the effective date of the CCPA because the complaint did not specifically allege a date when the purported breach occurred. Second, the court held that in order to state a viable CCPA claim, a plaintiff must allege specific, unauthorized disclosure of “personal information.” This could indicate that courts will strictly interpret the CCPA to apply only where the specific categories of personal information listed in the law are actually exposed in a data breach. However, it is important to note that the court granted the Plaintiff leave to amend, allowing the Plaintiff to potentially cure the complaint’s shortcomings and perhaps get a second shot at litigating his claims.

In McCoy v. Alphabet, Inc. et al., No. 5:20-cv-05427 (N.D. Cal.), the court held that there is no general private right of action under CCPA. Plaintiff Robert McCoy had filed a class action complaint against defendants Alphabet Inc. and Google LLC for monitoring and collecting the sensitive personal data of Android Smartphone users when they interact with non-Google applications on their smartphones, without first obtaining users’ consent. In its February 2, 2021 order denying in part and granting in part the Defendants’ motion to dismiss, the court emphasized that the Plaintiff had not pled a data security incident and had conceded during arguments that the CCPA claims should be dismissed because no data breach occurred. The order states that the CCPA, “confers a private right of action for violations of section [Cal. Civ. Code § 1798.150](a), which is related to personal information security breaches. Further, it explicitly states that ‘[n]othing in this title shall be interpreted to serve as the basis for a private right of action under any other law.’ Cal. Civ. Code § 1798.150(c).” Whether this reasoning is adopted in other cases remains to be seen.

Standing in Data Privacy Cases

At the Circuit Court level, there is currently ongoing dialogue regarding whether data breach victims can establish a right to sue merely by showing that they are at increased risk of identity theft.

The Second Circuit Court of Appeals recently issued a decision in McMorris v. Carlos Lopez & Assocs., 2021 U.S. App. LEXIS 12328 (2d Cir. Apr. 27, 2021) clarifying that the risk of identity theft after a data breach may be grounds to sue. The latter notwithstanding, the court affirmed the dismissal of a proposed class action against a veteran’s health services company over an accidentally sent email that contained workers’ social security numbers. In the summer of 2018, Defendant’s employee accidentally sent an email to 65 others at the company. Attached to the email was a spreadsheet containing sensitive personally identifiable information of approximately 130 current and former employees. Three plaintiffs whose information had been disclosed filed suit. They asserted claims for negligence, negligence per se, consumer protection, and other state law claims on behalf of California, Florida, Texas, Maine, New Jersey, and New York classes. Upon the Defendant’s motion, the District Court dismissed the case for lack of subject matter jurisdiction. An appeal to the Second Circuit followed.

On appeal, the Second Circuit noted that it has been “suggested” that there is a circuit split on standing in the data breach context concerning whether a plaintiff may establish standing based on a risk of future identity theft or fraud stemming from the unauthorized disclosure of that plaintiff’s data. However, the court found that “requiring plaintiffs to allege that they have already suffered identity theft or fraud as the result of a data breach would seem to run afoul of the Supreme Court’s recognition that ‘[a]n allegation of future injury may suffice’ to establish Article III standing ‘if the threatened injury is certainly impending, or there is a substantial risk that the harm will occur.’” The Second Circuit then went on to hold that in the abstract, “plaintiffs may establish standing based on an increased risk of identity theft or fraud following the unauthorized disclosure of their data.”

The Second Circuit’s decision contrasts somewhat with the Eleventh Circuit’s recent opinion in Tsao v. Captiva MVP Restaurant Partners, LLC, 986 F.3d 1332, 1339 (11th Cir. 2021) holding that a plaintiff alleging a threat of future identity theft or other harm lacks Article III standing unless the hypothetical harm alleged is either certainly impending or there is a substantial risk of such harm taking place. (Emphasis added) The Tsao case arose out of a security breach at PDQ, a group of American restaurants owned by Captiva MVP Restaurant Partners. Within two weeks, PDQ posted a notice notifying its customers that its systems had been a victim of a cyber-attack. Tsao filed suit to recover damages stemming from the breach. The dispute in the class-action lawsuit was based on two questions. First, whether Tsao and the class of patrons of the restaurant had standing to sue because they were exposed to the future risk of identity theft, despite not suffering any misuse of their information. Second, whether Tsao’s efforts to mitigate the risk of future identity theft presented a concrete injury sufficient to establish standing. The Eleventh Circuit answered no to both issues.

Conclusion

In sum, we’re off to a fast and furious start to 2021, but more is coming. This ever-changing area of the law requires businesses to take proactive measures now to prepare themselves for the compliance obligations coming their way. Stay tuned for further developments. If your company needs assistance with any privacy issues, Coblentz Cybersecurity and Data Privacy attorneys can help. Please contact Scott Hall at shall@coblentzlaw.com for further information or assistance.

Download a PDF version of this report here.

 

[1] CPRA, Section 1798.100(c).

[2] CPRA, Section 1798.100(a)(3).