In our previous blog, we featured the California Privacy Rights Act’s Enhanced Cybersecurity Safeguards.[1] We now highlight significant privacy safeguards under the California Privacy Rights Act (“CPRA”) that will require advance planning in preparation for its January 1, 2023 effective date.[2] These new requirements will impact the collection and use of personal information across each organization. In particular, businesses, at a minimum, will need to assess and plan for:

  • the effective implementation of data minimization policies, practices, and technologies;
  • providing “consumers”[3] with notice and a right to opt out from cross-context behavioral advertising targeting surfing activity across websites;
  • meeting heightened requirements for the collection and use of sensitive personal information (e.g., government identifiers, geolocation data, racial or ethnic origin, biometrics, health data, sexual orientation or sex life), including providing consumers with notice of collection and the right to limit use of such information;
  • providing consumers with notice of how long the business intends to retain each category of personal information, including sensitive personal information;
  • the inclusion of statutorily mandated terms in contracts with “service providers” and “contractors” effectuating the deletion of personal information in the service provider’s or contractor’s possession at the business’ request and the right to audit their data privacy and cybersecurity practices;
  • providing notice to “third parties” to whom the business has sold or shared personal information to delete the personal information upon the business’ receipt of a consumer request; and
  • effectuating the new right by consumers to correct inaccurate personal information held by the business across its information systems and departments.[4]

“Data Minimization” Is Required In The Collection And Use Of Personal Information: The CPRA mandates that personal information should be collected “only to the extent that it is relevant and limited to what is necessary in relation to the purposes for which it is being collected, used and shared.” CPRA §3B(3). The “collection, use, retention and sharing” of personal information shall be “reasonably necessary and proportionate” to achieve the business purpose for which the information was collected or processed, and not retained for longer than is reasonably necessary. CPRA §1798.100(c).[5] Personal information shall not be processed in a manner that is “incompatible” with the originally disclosed purposes. CPRA §1798.100(c).

International organizations will quickly recognize the similarities here to GDPR principles relating to the processing of personal data. See GDPR Art. 5. To effectively satisfy these data minimization requirements, businesses should inventory all categories of personal information collected to ensure that collection and use is limited to only the information needed to accomplish the business purpose. The value of the information should be carefully assessed to determine whether certain information should not be collected because it is unnecessary or of low value to the business purpose. Identification of data flows across information systems and staff is a critical component to ensuring that information is used only in a manner that is consistent with the notice provided to the consumer. These “data minimization” requirements will significantly impact operations, including software engineering, product development, database management, workforce management, compliance and marketing.

Consumers Must Receive Advance Notice Of The “Sharing” Of Their Personal Information For Cross Context Behavioral Advertising And A Link To Opt Out: The use of third party cookies and tracking technologies for cross context behavioral advertising purposes is expressly addressed in the CPRA.[6] The CPRA finds that advertising technologies that track individuals across the internet and are used to create detailed profiles of their individual interests by monitoring their preferences across websites is not well-disclosed or able to be managed by the consumer. CPRA §2(I). Consumers should have the tools to prevent the selling or sharing of their personal information with organizations with which they may be unfamiliar. CPRA §2(I). Businesses must, therefore, provide notice to the consumer at or before the point of collection when personal information is “shared” for cross-context behavioral advertising and the right to opt out. CPRA §1798.100(a)(1), 1798.120(b). Under the CPRA’s new definition, “sharing” means disclosure by the business to a third party for “cross‐context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions between a business and a third party for cross‐context behavioral advertising for the benefit of a business in which no money is exchanged.” CPRA §1798.140(ah)(1).

The CPRA goes beyond the California Consumer Privacy Act’s (“CCPA”) current requirement of a “Do Not Sell My Personal Information” link on the homepage, requiring a new “Do Not Sell or Share My Personal Information” link to permit consumers to opt out of sharing for cross context behavioral advertising. CPRA §1798.135(a)(1) (emphasis added). These new requirements will directly impact website policies, privacy notices and marketing practices and related contractual arrangements and terms of service.

Consumers Must Receive Advance Notice Of Collection Of Sensitive Personal Information And A Link To Limit Use: Businesses must provide notice to the consumer at or before the point of collection whether sensitive personal information is collected, the categories of sensitive personal information collected or used, and whether such information is “sold” or “shared.” CPRA §1798.100(a)(2); see also CPRA §1798.121(a). “‘Sensitive personal information’ means:

(1) Personal information that reveals: (A) a consumer’s social security, driver’s license, state identification card, or passport number; (B) a consumer’s account log-in, financial account, debit card, or credit card number in combination with any required security or access code, password, or credentials allowing access to an account; (C) a consumer’s precise geolocation; (D) a consumer’s racial or ethnic origin, religious or philosophical beliefs, or union membership; (E) the contents of a consumer’s mail, email and text messages, unless the business is the intended recipient of the communication; [or] (F) a consumer’s genetic data; and

(2)(A) the processing of biometric information for the purpose of uniquely identifying a consumer; (B) personal information collected and analyzed concerning a consumer’s health; or (C) personal information collected and analyzed concerning a consumer’s sex life or sexual orientation.” CPRA §1798.140(ae) (emphasis added).

Publicly available information or lawfully obtained, truthful information that is a matter of public concern does not constitute “sensitive personal information.” CPRA §1798.140(ae).

Consumers have a right to limit the “use” and “disclosure” of their sensitive personal information to that which would be reasonably expected to receive the goods or services requested. CPRA §1798.121(a). Businesses that use or disclose sensitive personal information beyond that necessary to perform the services or reasonably to be expected for the goods or services requested, or beyond certain enumerated purposes, such as to ensure security, to fulfill the order, for the business’ internal short term transient use, or to maintain the quality or safety of the product, must provide additional notice to the consumer (i) that the information may be used for additional disclosed purposes or disclosed to a service provider or contractor, and (ii) the consumer’s right to limit such use or disclosure. CPRA §1798.121(a), 1798.140(e)(2),(4),(5),(8). The overarching data minimization principles apply here specifically as to the particular categories of sensitive personal information collected. CPRA §1798.100(a)(2).

The business’ website will need to provide a “Limit The Use Of My Sensitive Personal Information” link to afford consumers the right to limit the use or disclosure of sensitive personal information beyond that reasonably to be expected by the consumer. CPRA §1798.135(a)(2); see also §1798.121(a). The CPRA provides for these enhanced notice and opt out requirements, because the unauthorized use or disclosure of sensitive personal information “creates a heightened risk of harm to the consumer.” CPRA §3(A)(2). The data inventory and assessment becomes particularly important here in identifying the collection and use by entities and individuals outside the business of this sensitive information. Organizations should conduct a risk assessment of their collection and use of sensitive personal information.

Businesses Will Need To Notify Consumers For How Long They Will Retain Their Personal Information: Businesses shall, at or before the point of collection, inform consumers as to the length of time the business intends to retain each category of personal information, including sensitive personal information. CPRA §1798.100(a)(3). If specification of the retention period is “not possible,” then the criteria used to determine the retention period shall be provided in the notice. Data minimization principles apply as a business shall not retain personal information or sensitive personal information “for each disclosed purpose for which the personal information was collected for longer than reasonably necessary for that disclosed purpose.” CPRA §1798.100(a)(3). Businesses will need to align their data retention practices and policies with their consumer facing notifications.

Service Providers and Contractors Will Have Contractual and Statutory Obligations To Delete Personal Information At The Direction Of The Business: Service providers and contractors are required to cooperate with the business in responding to a consumer deletion request, and “at the direction of the business” shall delete personal information about the consumer. CPRA §1798.105(c)(3). Service providers and contractors will also have downstream obligations – i.e., they must notify any of their service providers, contractors or third parties who may have accessed such personal information through the service provider or contractor (unless the information was accessed at the direction of the business) to delete the consumer’s personal information unless this proves impossible or involves disproportionate effect. CPRA §1798.105(c)(3). The contracts with the service provider or contractor must include terms to comply with applicable CPRA obligations, including to provide the same level of privacy protections as required under the CPRA. CPRA §1798.100(d).

Contracts with service providers and contractors shall also include clauses permitting the business to monitor compliance, including through ongoing manual reviews and automated scans, and regular assessments, audits, or other technical or operational testing at least once every twelve (12) months. CPRA §1798.140(j)(1)(C),(ag)(1). Agreements with service providers and contractors will need to be reviewed to ensure that they contain these provisions mandated under the CPRA as of the effective date.

Notice Of Deletion Requests To Be Provided To Third Parties: Businesses must provide notice to third parties to whom the business has sold or shared personal information of a consumer’s request to delete personal information, except where “this [notice] proves impossible or involves disproportionate effort.” CPRA §1798.105(c)(1). Again, it will be difficult for a business to comply with this provision, unless the organization inventories and tracks personal information transmitted to third parties through “sale” or “sharing” and has negotiated relevant contractual provisions to effectuate the business’ notice obligations.

Consumers Have A New Right To Correct Inaccurate Personal Information: Businesses must provide notice to consumers that they have the right to correct personal information. CPRA §1798.106(a)(b). Businesses shall use “commercially reasonable efforts to correct inaccurate personal information, as directed by the consumer.” CPRA §1798.106(c), 1798.130. The CPRA provides for adoption of future regulations concerning exceptions for requests to correct that would be impossible or involve disproportionate impact. CPRA §1798.185(8). The ability of the business to comply with the consumer’s right to correction will depend at a minimum on knowing where personal information is stored in its information systems and adoption of technology/designs/procedures that permits the correction.

Planning now for compliance with the CPRA’s new requirements will help alleviate the rush of significant operational changes required in advance of the effective date of January 1, 2023. Organizations should begin the assessment process now, including a review of their data collection practices and vendor relationships. In the meantime, we will await the numerous clarifying regulations expected under CPRA §1798.185. Any questions regarding the CPRA or CCPA may be directed to Brian G. Cesaratto, Deanna Ballesteros or another member of EBG’s Privacy, Cybersecurity, and Data Asset Management Group.


[1] The CPRA becomes effective on January 1, 2023, except for requests by consumers to access their data, which will “look back” to data collected by the business on or after an earlier January 1, 2022 effective date. CPRA §1798.130(a)(2)(B).

[2] Although the CPRA extends the moratorium on applicability of certain CCPA provisions to employee/applicant data and business to business (B2B) communications from January 1, 2022 (AB1281) to January 1, 2023, the moratorium will become inoperative on January 1, 2023. CPRA §1798.145(m1),(n1).

[3] “Consumer” means any natural person who is a California resident. CPRA §1798.14(i).

[4] The CPRA enhancements apply to “for profit” companies and other organizations: (a) with more than $25 million in gross revenues in the preceding calendar year, or (b) that annually buy, sell or share the personal information of 100,000 or more consumers or households, or (c) that derive at least 50 percent of their annual revenue from selling or sharing consumer personal information (“businesses”). There are certain exemptions to coverage that may apply and will need to be closely analyzed based on the nature of the organization, the types of information collected and the organization’s collection and use practices. CPRA §1798.145.

[5] “Processing” means any operation or set of operations that are performed on personal information or on sets of personal information, whether or not be automated means. CPRA §1798.140(y).

[6] “Cross context behavioral advertising” is the “targeting of advertising to a consumer based on the consumer’s personal information obtained from the consumer’s activity across businesses, distinctly branded websites, applications or services, other than the business, distinctly-branded website, application, or service with which the consumer intentionally interacts.” CPRA §1798.140(k) (emphasis added).

In 2019, the Connecticut legislature passed sweeping changes to the state’s existing Family and Medical Leave Act, about which we previously reported here.  One of the most significant changes is that beginning in 2022, eligible employees will be entitled to paid family and medical leave.  Although the paid leave requirement does not take effect until next year, there are a number of 2021 deadlines about which employers should be aware.

Website and Mandatory Employer Registration

The 2019 amendments to the PFMLA created the Connecticut Paid Leave Authority (the “Authority”), to administer the paid leave program.  The Authority has created an informational and registration website for employees and employers:

All Connecticut employers with one or more employees are required to participate in the paid family and medical leave program and must register on the Authority’s website. Employer registration is now open.    Instructions and a video tutorial to learn the process are posted on the website.

Payroll Deductions

Paid leave will be funded solely by employee payroll deductions, which began on January 1, 2021.  Currently, the program taxes employees are taxed 0.5 percent of their weekly wages (capped at the Social Security base, which is currently $142,800 for 2021).

Employers must submit employee contributions to the Authority quarterly, no later than the last business day of the month after the close of the quarter. Late payments may be subject to penalties and interest.  In addition, if an employer does not remit required contributions after being notified that contributions are owed, the Authority will exercise its legal authority to work with a state collection agency to collect the monies owed, including penalties and interest.

Employers may submit the contributions directly to the Authority, or a third party administrator (i.e., payroll company) may submit on behalf of employers.

Exemption for Qualified Private Plans

An employer can apply for an exemption from the paid leave program if it offers its own paid family and medical leave that provides its employees with all of the same rights, protections and benefits as provided by the PFMLA and a majority of employer’s employees working in Connecticut vote in favor of the private plan.  Information regarding how to apply for an exemption is available on the Authority’s website.

Summary of Key Dates in 2021

  • Ongoing: register for the paid leave program
  • January 1, 2021: employee payroll tax deductions begin
  • March 31, 2021: first quarter payroll contributions period ends
  • April 30, 2020: last day for employers to remit first quarter payroll contributions to Authority
  • Fall 2021: employees can begin to submit applications to the Authority for paid leave benefits
  • January 1, 2022: paid leave benefits available to approved applicants

On his first day in Office, President Biden issued Executive Order 13985, “Advancing Racial Equity and Support for Underserved Communities Through the Federal Government” (“Executive Order”), stating that “[i]t is . . . the policy of [his] Administration that the Federal Government should pursue a comprehensive approach to advancing equity for all.” The Executive Order revokes President Trump’s Executive Order 13950, which had imposed restrictions on workplace diversity training under the guise of combatting race and sex stereotyping.

As we reported in our October 20, 2020 Act Now Advisory, Executive Order Prohibits Inclusion of “Divisive” Concepts in Workplace Training, Executive Order 13950 prohibited federal government contractors, as well as federal agencies, the military, and recipients of federal grants, from using a workplace training program that “inculcates in [their] employees any form of race or sex stereotyping or any form of race or sex scapegoating.”  While training employees to create an inclusive workplace was deemed appropriate and beneficial, programs that appeared to support concepts such as implicit bias, systemic racism, white privilege, male privilege, and the idea that the United States is a racist country, were not.

The new Executive Order requires the heads of federal agencies, within 60 days of the date of the Order (i.e., March 21, 2021), to consider suspending, revising, or rescinding any action related to or arising from Executive Order 13950.  In response, the United States Department of Labor’s Office of Federal Contract Compliance Programs (“OFCCP”) announced on January 27, 2021, the specific additional steps it was taking, including:

  • Rescinding the Frequently Asked Questions section related to Executive Order 13950.
  • Eliminating the telephone hotline and email address set up to receive complaints relating to Executive Order 13950.
  • Administratively closing any complaints regarding alleged noncompliance with Executive Order 13950.
  • Not enforcing any of the provisions of Executive Order 13950 contained in any federal government contracts or subcontracts.

Accordingly, federal government contractors and grant recipients may resume their workplace diversity training programs without restriction.

As featured in #WorkforceWednesday:  In early January, the Equal Employment Opportunity Commission (EEOC) issued proposed rules on using incentives to encourage employee participation in wellness programs. While we don’t know exactly how President Biden’s EEOC will adjust the proposed rules, attorney Frank Morris explains why employers should keep the rules in mind when offering incentives to employees for COVID-19 vaccination. Read more.

Video: YouTubeVimeo.

On January 21, 2021, in an effort to provide enforcement of more stringent worker safety standards, President Biden issued an Executive Order (‘EO”) on Protecting Worker Health and Safety. The EO specifically orders the Occupational Safety and Health Administration (“OSHA”) of the Department of Labor to:

  1. issue, within two weeks of the date of the EO, revised guidance to employers on workplace safety during the COVID-19 pandemic;
  2. consider whether any emergency temporary standards on COVID-19, including with respect to masks in the workplace, are necessary, and if such standards are determined to be needed, issue them by March 15, 2021;
  3. review the enforcement efforts of OSHA related to COVID-19 and identify any short-, medium-, and long-term changes that could be made to better protect workers and ensure equity in enforcement;
  4. launch a national program to focus COVID-19- related OSHA enforcement efforts on violations that put the largest number of workers at serious risk or are contrary to anti-retaliation principles;
  5. coordinate with states that have occupational safety and health plans [1] approved under section 18 of the Occupational Safety and Health Act (29 U.S.C. 667) (“Act”) to help ensure that workers covered by such plans are adequately protected from COVID-19, consistent with any revised guidance or emergency temporary standards issued by OSHA; and
  6. team with the U.S. Department of Labor’s public affairs office and OSHA’s regional offices nationwide to create and implement a multilingual outreach campaign to inform workers and their representatives of their legal rights, which will include “engagement with labor unions, community organizations, and industries, and place a special emphasis on communities hit hardest by the pandemic.”

Although the EO does not direct OSHA to issue emergency temporary standards, the agency is generally expected to do so. According to OSHA Standards Development, if issued, the emergency temporary standards would take effect immediately and last no longer than six months, unless adopted as a permanent standard. Of note, several states, including California, Oregon, Michigan and Virginia, have already implemented their own emergency standards.

We will continue to monitor for relevant developments and update as needed. If you have any questions, please contact the author or your Epstein Becker Green attorney directly.


[1] State plans are OSHA-approved workplace safety and health programs operated by individual states or U.S. territories. There are currently 22 state plans covering both private sector and state and local government workers, and there are six state plans covering only state and local government workers.

On December 21, 2020, Congress passed the Consolidated Appropriations Act of 2021 (CAA) which modifies or extends to March 14, 2021 many of the relief programs first created in March 2020 by the Coronavirus Aid, Relief and Economic Security Act (CARES Act), including three expanded unemployment insurance benefits programs (which we previously blogged about here) and a new benefit program for “mixed earners”.  We provide here a summary of the updates to those programs.

Federal Pandemic Unemployment Compensation

The CAA includes a modified version of the Federal Pandemic Unemployment Compensation (FPUC) program, which expired in July 2020.  That program provided an extra $600 per week benefit to anyone receiving state unemployment benefits. The CAA revives the supplement, but reduces the weekly benefit amount to $300. The new FPUC payment is available to recipients of state unemployment benefits from December 26, 2020 through March 14, 2021.

Pandemic Emergency Unemployment Compensation

The CAA extends the CARES Act’s Pandemic Emergency Unemployment Compensation (PEUC) benefits, which provided up to 13 weeks extended unemployment benefits through December 31, 2020, to individuals who had exhausted their state unemployment benefits (most states cap assistance after 26 weeks of benefits). The CAA provides PEUC benefits to eligible workers for another 11 weeks, i.e., for up to 50 weeks in total. To receive the benefit, new applicants must become eligible before March 14, 2021 (the expiration date of the PEUC extension), while those already receiving assistance may continue to collect through April 4, 2021. The U.S. Department of Labor provides further guidance about eligibility:

Any individual who established eligibility for PEUC before the date of enactment of the [CAA] (December 27, 2020), including PEUC exhaustees and current PEUC recipients, will have his or her PEUC accounts augmented by an amount equal to an additional 11 times the individual’s average [weekly benefit amount]…However, such additional amounts are ONLY payable with respect to a week of unemployment beginning on or after the date of enactment of the [CAA].”

Pandemic Unemployment Assistance

The CARES Act created the Pandemic Unemployment Assistance (PUA) program to provide unemployment benefits to affected workers, who did not meet the traditional unemployment eligibility requirements, such as certain gig-economy workers and independent contractors (which we previously blogged about eligibility here).  As with PEUC, new PUA qualified applicants must become eligible before March 14, 2021 (the expiration date of the PUA extension), while those already receiving assistance may continue to collect through April 4, 2021. To combat unemployment insurance fraud, the CAA imposes new verification requirements.  Whereas the CARES Act only required self-certification, PUA applicants seeking benefits after January 31, 2021, must provide documentation to substantiate their income eligibility within 21 days of their application submission.  Individuals already receiving benefits must provide the confirming documentation within 90 days of their application or risk disqualification and repayment obligations.

In addition, the law requires states to verify the identity of all PUA applicants and to design a process for identifying and dealing with recipients who refuse offers of suitable work without good cause.

Mixed Earner Unemployment Compensation

The CAA includes an optional new Mixed Earner Unemployment Compensation (MEUC) program to address a gap in the CARES Act, which had excluded mixed earners.

Mixed earners are workers who receive some income on a W-2 basis and other income on a 1099 basis, typically those such as freelancers, artists, independent contractors, Uber drivers and, the like, who earn most of their living through gigs and who supplement their income by working part-time in  traditional employment.  Under the CARES Act, a mixed-earner had to choose between applying for traditional unemployment benefits based on their W-2 wages, or for PUA benefits based on their self-employed 1099 income. The applicant could not claim both.  Under the MEUC, mixed earners who (i) reported at least $5,000 of self-employment income in the last taxable year and (ii) receive at least $1 of unemployment insurance in any program other than the PUA (i.e., state unemployment insurance or PEUC extended benefits) may be eligible to receive an additional $100 per week, in addition to their FPUC benefit —for a total of $400 per week.

States may choose whether to participate in the MEUC program.  For those that do, MEUC benefits will be available to eligible beneficiaries between December 27, 2020, and March 14, 2021.  Several jurisdictions have already expressed interest in opting in, including New York, California, Connecticut, Illinois, and Washington, D.C.

Other Provisions: Of additional note, the CAA also provides additional funding and deadline extensions for several other programs, including Paycheck Protection Program (PPP) loans (which we previously reported on here), tax credits for COVID-19 paid sick and family leave (which we blogged about here), and the option for employers to postpone withholding of social security taxes (which we previously covered here).


*          *          *

Please contact Susan Gross Sholinsky and Jillian M. de Chavez-Lau for assistance with questions regarding compliance with the new CAA provisions discussed.

*Law Clerk – Admission Pending

Many employers have established wellness programs to promote employee health and, in doing so, help counter the ever increasing costs associated with employer-sponsored health benefit plans. Often employers want to establish programs that provide employees with incentives to achieve certain health outcomes, such as smoking cessation or weight loss. Employers must exercise caution in creating such health-contingent wellness programs, which necessarily require employees to disclose health information, because the Americans with Disabilities Act (“ADA”) and the Genetic Information Nondiscrimination Act (“GINA”) prohibit medical inquiries unless there is a demonstrated business necessity or responding to the health inquiry is voluntary.

A significant unsettled question with respect to “voluntariness” in the context of an employee’s participation in a health-contingent wellness plan has been: How much is too much for an employer to offer as an incentive? In other words, when does the proverbial carrot become so big that it becomes a stick, which impermissibly penalizes employees, who opt not to participate and not share their health information?

On January 7, 2021, the U.S. Equal Employment Opportunity Commission (“EEOC”) issued two proposed rules –one under the ADA (the “ADA Proposed Rule”) and one under GINA (the “GINA Proposed Rule”) (collectively, the “Proposed Rules”) to answer these questions. The Proposed Rules are the EEOC’s second attempt at doing so, as its first set of regulations were struck down in 2017 by a federal court, which found the rules permitted incentives that were too significant and thus were coercive. Unsurprisingly, given this background, the EEOC’s Proposed Rules, with limited exception discussed below, permit employers that wish to incentivize participation in health-contingent wellness programs to use only an exceedingly small carrot.

Background Leading to the Proposed Rules

Under the Affordable Care Act (“ACA”), wellness programs fall into two categories: participatory programs and health-contingent programs.

In a participatory program, the employer can choose to reimburse or to reward employees for participating in wellness programs (e.g., by reimbursing gym memberships or fitness classes), but the reimbursement or reward cannot be contingent on any particular health outcome. In participatory wellness programs, employees are not required to share medical information to receive the reward or avoid a penalty and, thus, no ADA or GINA issue is presented.

Health-contingent wellness programs, on the other hand, reward employees not merely for participating, but for achieving a specific health goal. These programs generally require an employee to disclose health information through a health risk assessment or biometric screening to determine and then demonstrate a health-related outcome, such as a target BMI or cholesterol level. Because employees must necessarily share medical information to participate, these health-contingent programs run the risk of violating the ADA’s and GINA’s requirements that medical inquiry responses be voluntary, absent business necessity.

In 2016, the EEOC issued wellness program regulations, which included provisions allowing employers to use financial or in-kind incentives to encourage employees to take part in eligible health-contingent program. The regulations permitted the incentive to be in the form of a reward (for employees who opted to participate) or a penalty (for employees who chose not to) of up to 30% of the total cost of self-only healthcare coverage.  In October of 2016, AARP filed a lawsuit in the United States District Court for the District of Columbia, challenging the regulations.  AARP argued that the regulations violated ADA and GINA because they allowed employers to impose draconian penalties on employees who refused to provide health information to their employer necessary to participate health-contingent programs, which amounted to coercion and made such programs impermissibly “involuntary.”

In AARP v. United States Equal Employment Opportunity Commission, Judge John D. Bates ruled in favor of AARP, finding that the 30% incentives were inconsistent with statutory requirements that wellness program participation be voluntary because employees who could not afford to pay a 30% increase in premiums would be forced to disclose their protected information when they otherwise would not choose to do so. The court reasoned that the rules would push people to disclose sensitive medical information for the reward alone. In particular, the court took issue with the fact that the EEOC allegedly failed to consider the level of coerciveness its rules allowed and whether the rules complied with the purposes of the ADA and GINA.

Since the decision, the EEOC has been wrestling with how to address health-contingent wellness programs, while employers have been without guidance on what constitutes a permissible incentive. With the Proposed Rules summarized below, the EEOC believes it has found the solution.

Proposed Rules:  De Minimis Incentives Only

Echoing the AARP decision, the EEOC has adopted the view that offering too high of an incentive (or too strong a penalty) would make employees feel coerced to participate in a health-contingent wellness program.  Thus, the Proposed Rules and interpretive guidance make clear that for employee participation in health-contingent wellness programs (e.g., completion of a health risk assessment or biometric screening) to comply with the ADA’s and GINA’s voluntariness requirements, an employer may offer only de minimis incentives (such as a water bottle or gift card of modest value) to encourage participation; incentives such as a $50 monthly premium penalty, paying for gym membership, or providing airline tickets would not be de minimis.

In addition, the Proposed Rules, like their predecessors, provide that employers may not require an employee to participate in a wellness program, deny coverage under its group health plans or particular group health plan benefits, or take any adverse action against an employee who refuses to participate in a wellness program or who fails to achieve certain outcomes. Deeming it unnecessary in light of the proposed de minimis standard, the Proposed Rules eliminate the prior rules’ requirement that employers provide a unique ADA notice to employees describing the type of medical information that will be obtained and the purpose for which it would be used. However, wellness programs that are exempt from the de minimis limits would still be subject to the separate notice requirements under the HIPAA rules.

Important Tax Note

Of note, the Proposed Rules do not change the rules applicable to the taxation of incentives. Employers will still need to consider whether the de minimis incentives they offer for wellness program participation fall within the tax exclusion for de minimis fringe benefits, or other tax exclusion. In other words, permissible de minimis incentives for wellness program participation should not be confused with the tax exclusion for de minimis fringe benefits, which is narrow. For example, even though a modest value gift card would be deemed a de minimis incentive under the Proposed Rule, gift cards, regardless of their amount, will always be taxable and would not be excludable as a de minimis fringe benefit.

The EEOC’s Proposed Rules and the HIPAA Wellness Program Rule

Another regulatory consideration for health-contingent wellness programs arises under HIPAA, the Health Insurance Portability and Accountability Act. In 2013, after the ACA’s enactment, the Departments of Health and Human Services, Treasury and Labor promulgated HIPAA regulations by (the “Tri-Department wellness regulations”) that allow employers to offer incentives up to thirty percent of the total cost of health insurance (or fifty percent to the extent the wellness program is designed to prevent tobacco use) to encourage participation in health-contingent wellness programs without regard to the voluntariness limitation of the ADA and GINA. The EEOC’s Proposed Rules would thus depart from the Tri-Department wellness regulations’ incentive allowances, and as a practical matter, arguably render the higher allowances nugatory based on its assessment of the voluntary disclosure standard proposed by the ADA and GINA.

EEOC’s Proposed “Safe Harbor” Exception

The ADA Proposed Rule provides an exception to the “de minimis” standard for:

[H]ealth-contingent wellness programs that are a part of, or qualify as, group health plans to which the Tri-Department wellness regulations apply are an exception to the de minimis standard. Accordingly, this proposed rule interprets the [insurance] safe harbor [provision of the ADA] as permitting health-contingent wellness programs that are a part of, or qualify as, group health plans to offer the maximum allowed incentive under the 2013 HIPAA regulations (currently 30 percent of the total cost of coverage or 50 percent to the extent the wellness program is designed to prevent tobacco use), so long as they comply with the given HIPAA requirements for such plans.

Thus, an employer’s health-contingent wellness program (e.g., targeting BMI or cholesterol levels, or completion of walking or other exercising goals) that is appropriately connected to a health insurance plan (e.g., related solely to cost sharing or premiums) may use health-related information obtained from an employee to provide an incentive of up to thirty percent of premiums for plan participants. Historically, the EEOC has limited its interpretation of this safe harbor to actual insurance practices (e.g., risk analysis and underwriting) and has not applied it to wellness programs. The EEOC’s 2016 rules took the position (with which some courts disagreed) that the ADA safe harbor did not apply to wellness programs, even if such plans were part of a group health plan. Thus, the proposed safe harbor provision contained in the ADA Proposed Rule departs from the EEOC’s prior position and may be a target of challenge by employee advocates.

The ADA Proposed Rule does not specifically address incentives in the form of employer contributions to health savings accounts or health reimbursement arrangements. While it is likely that the EEOC intended these types of incentives to be subject to the new de minimis standard, clarification in EEOC’s final rule would be helpful for these popular forms of incentives.

GINA’s Proposed Rule for Spouse (and Other Family Participation)

Under the GINA Proposed Rule, an employer may only offer a de minimis incentive to an employee for his or her family members’ voluntary disclosure of their medical conditions. There is no HIPAA exception to the de minimis rule for a family member’s participation in a health-contingent wellness program.

What Now?

The de minimis incentives rules appear aimed at permitting some amount of inducement for participation in health-contingent wellness programs, and at the same time prevent incentives that may be deemed coercive and a violation of the ADA’s and GINA’s prohibition against non-voluntary health disclosures, absent business necessity.

The public will have 60 days from publication of the Proposed Rules in the Federal Register to comment on them. If the Proposed Rules go into effect without material change (and they are not delayed or withdrawn by the new Administration), it will be interesting to see if they significantly undercut the effectiveness or use of health-contingent wellness programs. Epstein Becker & Green will continue to monitor this proposed regulation as it continues through the EEOC’s rulemaking process.

*Law Clerk – Admission Pending

On January 14, 2021, President-elect Joe Biden released his $1.9 trillion emergency stimulus plan, designed primarily to guide the country through the next medical and economic stages of the COVID-19 pandemic.  The American Rescue Plan (“ARP”) also includes non-COVID-19 related proposals, such as a mandatory $15 per hour minimum wage and funding to improve cybersecurity.

The following is a non-comprehensive overview of the ARP, which will require Congressional legislative passage.

Checks to Individuals

The ARP would increase to $2,000 the total direct financial assistance to individuals.  In December 2020, Congress authorized a one-time stimulus payment of $600 to eligible households. This proposal would add $1,400 more, and would prioritize the issuance of checks to households that have not yet received their first payment.

Expanded Paid FFCRA Leave

Biden’s plan asks Congress to greatly expand and extend COVID-19-related paid leave, which had been provided for under the Families First Coronavirus Response Act (“FFCRA”). The FFCRA leave benefits expired on December 31, 2021, although covered employers may voluntarily extend them through March 2021 for eligible employees. The ARP would further extend the paid leave benefit to September 31, 2021 and would require all employers to offer FFCRA leave. The proposal would mandate that employers provide up to 14 weeks of paid sick and family and medical leave, and would apply to an expanded list of parental caregiving situations. In addition, it would allow employee use of paid leave to get the COVID-19 vaccination.  Of note, the ARP would extend FFCRA’s refundable tax credit only to employers with fewer than 500 employees.

Supplemental Unemployment Compensation

The ARP would continue and expand the CARES Act unemployment compensation (“UC”) benefits through September 2021 and extend eligibility, including for gig economy workers and independent contractors.  The proposal would add an extra $400 weekly supplemental payment to cover expenses.  Opponents of additional UC benefits have argued that such supplemental payments are counter-productive as they provide a disincentive for recipients to return to work because they receive more compensation by not working.

New OSHA Standard

Biden has also announced that he will ask Congress to authorize the Occupational Safety and Health Administration (“OSHA”) to issue a COVID-19 Protection Standard that “covers a broad set of workers, so that workers not typically covered by OSHA, like many public workers on the frontlines, also receive protection from unsafe working conditions and retaliation.” To date, OSHA has resisted establishing a national COVID-19 safety standard, opting instead to let the states take the lead, as they deem warranted.  A number of states, including California and Virginia, have mandated such workplace COVID-19 safety rules.  A federal standard has been a goal of organized labor.

The ARP also calls for additional funding for enforcement, including for violations of OSHA’s anti-retaliation mandate.  While unclear in its scope at this writing, many businesses are concerned that such a standard, along with increased funding, would lead to significant workplace litigation as employees return to the workplace in 2021.


The ARP proposes mounting a $20 billion “national vaccination program.” In addition to elements in the proposed legislation, President-elect Biden further explained his five-point plan to expedite and focus vaccinations:

  1. Open vaccine eligibility to more priority groups, such as adults 65 and older, and other essential workers, such as grocery workers and teachers;
  2. Establish more vaccination sites, using the Federal Emergency Management Agency (“FEMA”) to establish centers by the end of February;
  3. Increase the vaccine supply and continue the use of commercial pharmacies to administer vaccines;
  4. Hire a vaccination workforce; and
  5. Launch a large-scale public education campaign to encourage vaccination.


Biden’s plan proposes an investment of $50 billion in “a massive expansion of testing, providing funds for the purchase of rapid tests, investments to expand lab capacity, and support to help schools and local governments implement regular testing protocols.”

Research and Development

The ARP also seeks funds for identifying new strains of the virus and for developing more effective treatments.

Public Health Jobs Program

The ARP proposes the hiring of 100,000 public health workers to support such initiatives as community vaccination outreach and contract tracing, and then to transition to more permanent positions to improve the quality of health care services, particularly for low-income and underserved communities.

Greater Use of Defense Production Act

The President-elect promises that he will “fully use” the Defense Production Act to provide “emergency relief,” purchase needed supplies, and deploy National Guard to assist states and localities as warranted.

Eviction Moratorium, SNAP Expansion and WIC

The ARP would extend the federal eviction moratorium, which is set to expire on January 31, 2021, to September 30 2021, and would provide financial assistance to renters and to secure housing for the homeless. The proposal also seeks funds for attorney’s fees on behalf of individuals facing eviction for non-payment of rent.

The benefits for the Supplemental Nutrition Assistance Program (“SNAP”) would be increased by 15 percent through September 2021, with possible automatic increases and adjustments after that. The ARP also proposes more funding for the Special Supplemental Nutrition Program for Women, Infants, and Children (“WIC”).

Expanded Health Coverage

Biden is calling on Congress to subsidize continuation health coverage (COBRA) through September 30, 2021 and to “expand and increase the value of the Premium Tax Credit to lower or eliminate health insurance premiums and ensure enrollees – including those who never had coverage through their jobs – will not pay more than 8.5 percent of their income for coverage.” The ARP also seeks increased funding to ensure adequate access to behavioral health services.

Increased Minimum Wage

In addition to the provisions discussed above, like previous pandemic-related legislation, the ARP contains measures tangentially related to COVID-19, such as funding to modernize federal information technology “to protect against future cyber-attacks.”  Most significantly, the proposal mandates a national $15 per hour minimum wage (with elimination of the tipped minimum wage and the sub-minimum wage for persons with disabilities).

Opponents have criticized the minimum wage proposal as being an especially dull tool for bringing back workers in all settings, and in particular, industries such as restaurants, which are struggling to pay their wait staff as it is.

Other Provisions of the ARP

Among the numerous other measures in the ARP, President-elect Biden proposes to:

  • Grant approximately $440 billion in “critical support to struggling communities,” including small businesses, Tribal governments, public transit, and essential workers, which would:
    • give assistance to “more than 1 million of the hardest hit small businesses,” and
    • “[l]everage $35 billion in government funds into $175 billion in additional small business lending and investment;”
  • Provide $130 billion to help schools safely reopen;
  • Expand the Higher Education Emergency Relief Fund;
  • Expand financial assistance to both childcare providers and families, including by:
    • providing a fully refundable Child Tax Credit for one year, and
    • expanding the Earned Income Tax Credit for one year;
  • Provide another $1 billion for states for Temporary Assistance to Needy Families (“TANF”) recipients.

Prospects for Enactment

President-elect Biden’s COVID-19 American Rescue Plan is the opening salvo in a COVID-19 relief debate that may well consume Congress over the next several months, even though the Democrats control both houses.  The non-COVID-19 provisions are likely to face particular scrutiny.

Many elements of the ARP are evolving, and we will update this initial analysis as developments warrant.