Workforce Bulletin

Is the developer of an AI resume-screening tool an “employment agency” or “agent” subject to liability under Title VII of the Civil Rights Act for its customers’ allegedly discriminatory employment decisions? According to the United States Equal Employment Opportunity Commission (“EEOC”), the answer is yes. On April 9, 2024, the EEOC filed a motion for leave to file a brief as amicus curiae, together with a brief, in Mobley v. Workday, Inc., Case No. 3:23-cv-00770-RFL, to support plaintiff Derek Mobley’s (“Mobley”) motion to dismiss.

The EEOC’s action is ...

Recently, the Sixth Circuit found that the Fair Credit Reporting Act (“FCRA”) preempted a former employee’s state law defamation claim against his former employer.  While the FCRA can impose burdensome requirements on the entities that fall within its scope, including consumer reporting agencies (“CRAs”), furnishers, or users of consumer reports, the FCRA can also serve as a shield against certain state law tort claims.

In McKenna v. Dillion Transportation, LLC,  plaintiff, a truck driver named Frank McKenna, sued his former employer, Dillon Transportation, LLC, for ...

A recent decision from the Northern District of Illinois highlights new legal hurdles for employers using AI-powered video interview technologies under Illinois’ Biometric Information Privacy Act (BIPA), 740 ILCS 14/15.  In Deyerler v. HireVue, initially filed over two years ago in January 2022, a class of plaintiffs alleged that HireVue’s AI-powered facial expression and screening technology violated BIPA.  According to the complaint, HireVue collected, used, disclosed, and profited from “biometric identifiers” without complying with the requirements of BIPA.  ...

On December 11, 2023, the City of San Francisco released the San Francisco Generative AI Guidelines (“Guidelines”).  The Guidelines set forth parameters for City employees, contractors, consultants, volunteers, and vendors who use generative artificial intelligence (AI) tools to perform work on behalf of the City.

Specifically, the Guidelines encourage City employees, contractors, consultants, volunteers, and vendors to use generative AI tools for purposes such as preparing initial drafts of documents, “translating” text into levels of formality or for a ...

On December 8, 2023, the California Privacy Protection Agency (“CPPA”) Board (the “Board”) held a public meeting to discuss, among other things, regulations addressing: (1) cybersecurity audits; (2) risk assessments; and (3) automated decisionmaking technology (“ADMT”).  After years in the making, the December 8 Board meeting was another step towards the final rulemaking process for these regulations.  The Board’s discussion of the draft regulations revealed their broad implications for businesses covered by the California Consumer Privacy Act ...

While recent public attention has largely focused on generative artificial intelligence (AI), the use of AI for recruitment and promotion screening in the employment context is already widespread.  It can help HR-professionals make sense of data as the job posting and application process is increasingly conducted online. According to a survey conducted by the Society for Human Resource Management (SHRM),[1] nearly one in four organizations use automation and/or AI to support HR-related activities, such as recruitment, hiring, and promotion decisions, and that number is posed ...

After releasing an initial two-page “fact sheet,” Congress publicly posted the bill text of the No Robot Bosses Act (the “Proposed Act”), detailing proposed federal guardrails for use of automated decision-making systems in the employment context. Robert Casey (D-PA), Brian Schatz (D-HI), John Fetterman (D-PA), and Bernie Sanders (I-VT) currently cosponsor the Proposed Act.

California businesses, including employers, that have not already complied with their statutory data privacy obligations under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA), including as to employee and job applicant personal information, should be taking all necessary steps to do so. See No More Exceptions: What to Do When the California Privacy Exemptions for Employee, Applicant and B2B Data Expire on January 1, 2023. As background, a covered business is one that “does business” in California, and either has annual gross revenues of $25 million, annually buys sells or shares personal information of 100,00 consumers or households, or derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information. It also applies, in certain circumstances, to entities that control or are controlled by a covered business or joint ventures. Covered businesses may be exempt from obligations under certain enumerated entity-level or information-level carve-outs.

As featured in #WorkforceWednesday:  This week, we analyze how employers can benefit from artificial intelligence (AI) innovations while remaining in compliance with federal regulations:

AI is evolving faster than ever before. How can employers prepare for the future of AI in the workplace? Epstein Becker Green attorneys Alexander J. Franchilli and J.T. Wilson III tell us how looming federal regulations and diversity, equity, and inclusion concerns are creating a turbulence of compliance and innovation.

The California Privacy Protection Agency Board (the “Board”) held a public meeting on February 3, 2023, adopting and approving the current set of draft rules (the “Draft Rules”), which implement and clarify the California Consumer Privacy Act of 2018 (“CCPA”) as amended by the California Privacy Rights Act of 2020 (“CPRA”). The Draft Rules cover many CCPA requirements, including restrictions on the collection and use of personal information, transparency obligations, consumer rights and responding to consumer requests, and service provider contract requirements. At the meeting, the Board also addressed additional proposed rulemaking processes concerning cybersecurity audits, risk assessments, and automated decision-making. 

On February 1, 2023, the FTC announced a proposed $1.5 million settlement with GoodRx Holdings, based on alleged violations of the Federal Trade Commission Act (“FTC Act”) and Health Breach Notification Rule (“HBNR”) for using advertising technologies on its websites and mobile app that resulted in the unauthorized disclosure of consumers’ personal and health information to advertisers and other third parties. On the same day, the U.S. Department of Justice, acting on behalf of the FTC, filed a Complaint and Proposed Stipulated Order detailing the FTC’s allegations and the terms of the proposed settlement. 

As reported in a June 3, 2022 press release from the House Committee on Energy and Commerce, U.S. Representatives Frank Pallone, Cathy McMorris Rodgers, and Senator Roger Wicker released a “discussion draft” of a federal data privacy bill entitled the “American Data Privacy and Protection Act” (the “Draft Bill”), which would impact the data privacy and cybersecurity practices of virtually every business and not-for-profit organization in the United States.

As further described below, the Draft Bill’s highlights include: (i) a comprehensive nationwide data privacy framework; (ii) preemption of state data privacy laws, with some exceptions; (iii) a private right of action after four (4) years, subject to the individual’s prior notice to the Federal Trade Commission (“FTC”) and applicable state attorney general before commencement of lawsuit; (iv) exemptions for covered entities that are in compliance with other federal privacy regimes such as the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and Gramm-Leach Bliley Act (“GLBA”) solely with respect to data covered by those statutes; (v) exclusions from Act’s requirements for certain “employee data”; and (vi) a requirement for implementation of reasonable administrative, technical and physical safeguards to protect covered data. The Draft Bill would be enforced by the FTC, and violations treated as unfair or deceptive trade practices under the Federal Trade Commission Act, as well as by state attorneys general.

Prompted by the widespread adoption and use of video-conferencing software following the COVID-19 pandemic, many employers have shifted toward video interviews to evaluate potential hires. Even as employers have begun to require in-office attendance, the widespread use of video interviewing has continued, because it is a convenient and efficient way to evaluate applicants. Some of the video interviewing tools used by employers incorporate the use of artificial intelligence (AI) in an effort to maximize the effectiveness of the interview process. Often, employers contract with third-party vendors to provide these AI-powered interviewing tools, as well as other tech-enhanced selection procedures.

On March 15, 2022, President Biden signed into law the 2022 Consolidated Appropriations Act containing the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (the “Cyber Incident Reporting Act”). While President Biden’s remarks highlighted the $13.6 billion in funding “to address Russia’s invasion of Ukraine and the impact on surrounding countries,” the 2022 Consolidated Appropriations Act contained numerous other laws, including the Cyber Incident Reporting Act, which should not be overlooked. The Cyber Incident Reporting Act puts in motion important new cybersecurity reporting requirements that will likely apply to businesses in almost every major sector of the economy, including health care, financial services, energy, transportation and commercial facilities. Critical infrastructure entities should monitor the upcoming rule-making by the Cybersecurity and Infrastructure Security Agency (“CISA”), as the final regulations will clarify the scope and application of the new law.