Excerpted from a Forbes article by Alonzo Martinez
As of July 1, 2024, employers across the U.S. will face a series of new laws affecting employment practices, particularly in the areas of background checks and data privacy. These changes demand immediate attention and necessitate that employers update their policies to ensure compliance.
Three new data privacy laws are set to take effect on July 1, in Florida, Oregon and Texas, each establishing responsibilities and privacy protection standards for businesses collecting personal data. These laws share a common goal of safeguarding consumer privacy while including exceptions for background checks conducted in accordance with the Fair Credit Reporting Act.
Florida SB 262: Florida Digital Bill of Rights (FDBR)
The FDBR applies to for-profit entities operating in Florida that collect personal data of Florida residents, control data processing, and have annual global revenues exceeding $1 billion. It specifically targets businesses that:
- Derive 50% or more of their global annual revenue from online advertisement sales;
- Operate consumer smart speaker and voice command services with an integrated virtual assistant connected to cloud computing, activated hands-free; or
- Run an app store or digital distribution platform with at least 250,000 different software applications for consumers to download and install.
The FDBR grants consumers the right to access, correct, delete, and opt out of the sale of their personal data and targeted advertising. It includes provisions related to the data of children under 18, sensitive data consent, data minimization, annual privacy notice updates, data retention schedules, and impact assessments, and prohibits government officials from moderating content.
Oregon SB 619: Consumer Privacy Act (OCPA)
The OCPA applies to entities that either:
- Collect personal data from at least 100,000 Oregon residents (excluding payment transaction data); or
- Process personal data from at least 25,000 Oregon residents and derive over 25% of their revenue from data sales.
The OCPA grants consumers the rights to access, obtain, correct, delete, and opt out of the sale of their personal data, targeted advertising, and certain profiling. Additionally, the OCPA includes provisions for data minimization, children’s data, sensitive data consent, opt-out preference signals, and data protection assessments.
Data controllers must provide consumers with a clear and accessible privacy notice. This notice must list the categories of personal data processed, the purposes for processing, how consumers can exercise their rights, categories of data shared with third parties, and all categories of third parties with whom data is shared.
Texas HB 4 (HB 1844): Data Privacy and Security Act (TDPSA)
The TDPSA applies to entities that determine the purpose and means of processing personal data and:
- Conduct business in Texas by providing products or services consumed by state residents;
- Process or sell personal data; and
- Are not small businesses as defined by the U.S. Small Business Administration unless the small business sells sensitive data.
The TDPSA grants consumers rights to access, correct, delete, and opt out of the sale of their personal data and targeted advertising. It also includes provisions for data minimization, sensitive data consent, biometric data, and impact assessments.
Although the TDPSA does not provide a private right of action, it is enforced by the Texas Attorney General, who has a 30-day cure period for violations. The Attorney General may seek various forms of relief, including declaratory judgment, injunctive relief, civil penalties, attorney fees, and investigative costs. Civil penalties can reach up to $7,500 per violation, with treble damages for willful or knowing violations.
Parting Thoughts
The new laws, effective July 1, 2024, bring significant changes to employers conducting background checks across various states. If your organization is not yet prepared to comply with these regulations, it is crucial to take immediate action to revise your policies and procedures. Swift compliance is essential to avoid potential legal issues.