Now that the United Kingdom is (finally) exiting the European Union (EU) one question U.S. based companies have is what happens to transfers of personal data from the United Kingdom (UK) to the United States under the EU’s General Data Protection Regulation (GDPR). The International Trade Administration’s (ITA) Privacy Shield Team recently put out guidance to address this question.

Good news is that Privacy Shield participants may rely on the EU-U.S. Privacy Shield Framework to receive personal data from the UK even though they are withdrawing from the EU. That is because EU law will continue to apply during the transition period from January 31, 2020 to December 31, 2020.

After the transition period–starting in 2021–a Privacy Shield organization must update its public commitment to comply with Privacy Shield to include the UK.  Meaning, organizations must update their public facing privacy policy on their website to include certain language covering the UK.  Model language is provided by the ITA (click here). And of course, in order to receive personal data from either the EU or the UK, an organization must be Privacy Shield certified.

A new version of the employment eligibility verification form, known as the Form I-9, is about to be published.  Once it is, employers must use the new version (with a version date of 10/21/2019) and phase out use of the prior version within 90 days.  Use of the revised form by all employers completing the Form I-9 is mandatory after the 90 day window.

All employers must complete a Form I-9 for new hires within three days of hire. After completion, employers must maintain the Form I-9 for the duration of the employee’s employment with the company.  Upon termination, the forms must be retained for three years after hire or one year after termination, whichever is later.  Click here to read more on retention of the Form I-9 post termination.  Employers must use the current version of the Form I-9 as instructed by U.S. Citizenship and Immigration Services.

The new Form I-9 will have a revision date of 10/21/2019 in the bottom left hand corner of the form.  Employers will be allowed to use the prior version for 90 days after publication in the Federal Register.  There are no substantive changes to the paper Form I-9, however there are two country additions to the “fillable” Form I-9 that USCIS offers employers on its website. There are changes to the Form I-9 instructions, including clarifications to who an authorized representative is and updates to the process to request the paper Form I-9.

To view the Federal Register notice click here or click here.


On January 1, 2020, the California Consumer Privacy Act (CCPA or the “Act”) became effective. At a high level, the CCPA gives California residents, with certain exceptions, new rights to know what types of personal information a business collects about them, information about the business’s data collection practices, the ability to request access to and deletion of personal information the business maintains about them, and, if applicable, the ability to request that a business not sell personal information about the individual. The law also affects service providers to businesses and certain third parties that receive personal information from a business. While implementing regulations proposed by the California Attorney General have not yet been finalized, enforcement nevertheless is scheduled to begin July 1, 2020 and organizations subject to the law should be working on their compliance program (if that work has not already been completed).

To read the full alert my colleague Kevin Coy and I wrote, click here.

Happy Hanukkah, Merry Christmas, Happy Kwanza!  Whatever you celebrate I hope you are enjoying the holiday season.

This week’s edition of the Compliance News Flash features information about:

  • The California Consumer Privacy Act.
  • Increase in H1B denials and requests for more information by USCIS.
  • Standard contractual clauses and data transfers.
  • Discrimination claims related to the Form I-9.

Click here to read it.

U.S. Citizenship and Immigration Services (USCIS) announced it will increase the premium processing fee for certain employment-based petitions, beginning on December 2, 2019.

Premium processing is an optional service provided to petitioners filing Form I-129, Petition for a Nonimmigrant Worker and Form I-140, Immigrant Petition for Alien Worker that allows petitioners to request 15-day processing for an extra fee. The current fee is $1,410 and the increase will put the new fee at $1,440. USCIS last increased the premium processing fee in 2018 and says the increase is intended to reflect inflation. Click here to read the USCIS announcement and click here to read the Final Rule in the Federal Register.

Please join us on October 30, 2019 at 2:00 pm EST for a free webinar hosted by TazWorks and presented by Montserrat Miller and Erin Doyle from Arnall Golden Gregory LLP.  Ms. Miller and Ms. Doyle will cover the following subjects:

  • Differences between employment screening and tenant screening under the Fair Credit Reporting Act (FCRA).
  • The treatment of independent contractors and volunteers under the FCRA.
  • Are government agencies consumer reporting agencies under the FCRA (focusing on the recent decision holding that the FMCSA is not a consumer reporting agency).
  • Restrictions around putting names, aliases and addresses procured through SSN Trace searches on consumer reports.
  • An overview of the CCPA and the interplay between the FCRA and the CCPA – relevant amendments include those related to employee information, the FCRA exemption, data breaches, and the data broker registry requirement.

Background screening companies and employers both have obligations under the FCRA when providing and requesting background check reports for employment screening purposes.  The same is true of background screening companies and property management companies and landlords when requesting background screening reports for tenancy.  The FCRA isn’t a strict liability statute but it does require attention to details given that individuals can bring both class action as well as individual claims under the FCRA for technical violations of the law.  And as if the FCRA isn’t enough, now organizations have to layer in the CCPA and prepare for January 1, 2020, the effective date of the CCPA.  While in theory the CCPA applies to California residents, in practice most background screeners, employers, and property management companies have national operations that touch California.  Some have compared the CCPA to the European Union’s General Data Protection Regulation (GDPR) and other states are considering their own data privacy legislation similar to CCPA.  Therefore, focusing on the CCPA and understanding one’s compliance obligations is important.

Click here to register.


Tuesday, October 22, 2019 | 8:00 am – 3:00 pm | Atlanta, GA

Please join AGG for our annual Employment Law Seminar on Tuesday, October 22, 2019 at the Cobb Energy Performing Arts Centre. Our attorneys—who have been recognized by Chambers USA: America’s Leading Lawyers for Business and Super Lawyers—will help you navigate today’s harrowing employment adventures, from the application process to termination and beyond.

Topics Include:

  • An Interactive Discussion – Part One:
    • Employees or Independent Contractors?
    • Qualifying your Employees (or Contractors): Background Screening
    • Documenting the Employment Relationship
    • Benefits Pitfalls (with or without the ACA)
    • Classifying and Paying your Employees Correctly
  • An Interactive Discussion – Part Two:
    • Employment Policies and Handbooks
    • Performance Management both Good and Bad
    • Dealing with the Difficult Employee
    • Effectively Terminating the Difficult Employee
    • Managing Post-Employment Disputes
  • Paying More? At Long Last, the New White Collar Exemptions
  • Riding High? Marijuana and other Drugs in the Workplace
  • Raids Coming? Immigration Update
  • Firing the Squeaky Wheel? How to Deal with a Whistleblower

Registration and Location:

  • Sign up early, as space is limited. Please click here to register by Thursday, October 17. 
  • The event has been approved for 6 hours of CLE credit by the State Bar of Georgia CLE credit. Society for Human Resource Management HRCI recertification credit and CPE credit hours have been applied for.
  • Complimentary breakfast and lunch will be provided.

Cobb Energy Performing Arts Centre
2800 Cobb Galleria Parkway
Atlanta, GA 30339

As we march toward January 1, 2020 I want to briefly discuss data brokers, registration by data brokers and the California Consumer Privacy Act (CCPA).

In the flurry of activity by the California legislature one bill that came out of the hopper was AB 1202, which will require data brokers to register with the California Attorney General (AG).  AB 1202 is required reading as organizations work toward compliance with the CCPA to determine if it applies.

The basics:

  • A “data broker” is defined as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”
  • The stated purpose of the bill is to “create a registry of data brokers so that California consumers may better know what businesses to contact in order to opt-out of the sale of their personal information.”
  • The data broker will need to pay a registration fee (not yet known) and provide basic information about itself.
  • Failure to register with the AG can lead to fines of $100/day for each day the data broker fails to register and payment of the expense incurred by the AG’s office to investigate/enforce the violation.
  • The AG will create a webpage where data broker information will be accessible to the public.
  • AB 1202, like the amendments to the CCPA, is pending on the Governor’s desk for signature.

For those entities in the background screening industry note two things. One, there is a general exception under the CCPA for activities under the Fair Credit Reporting Act (FCRA).  Two, AB 1202 states that a data broker does NOT include a consumer reporting agency to the extent that it is covered by the FCRA.

Check out the current edition of the Compliance News Flash (click here).  Here are the stories we are flagging for you this week:

  • Data breach litigation — breach of contract, negligence, invasion of privacy.
  • STEM OPT worksite visits by Homeland Security related to F-1 students working for a company.
  • $1.2 million civil fine levied against a cleaning company for Form I-9 violations.
  • The “right to be forgotten,” the European Court of Justice and the GDPR.
  • The Fairness for High Skilled Immigrants Act may not address immigration concerns and employers should review the legislation carefully to determine if it helps or hurts.

The Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB) will host a workshop on December 10, 2019 to discuss issues related to the accuracy of credit and background screening reports.

Consumer advocates, industry representatives, and regulators will be in attendance. A list of discussion topics has been posted online and public comments will be accepted until January 10, 2020. The workshop is free and open to the public and will take place at the FTC’s Constitution Center conference facility in Washington, D.C. with a live webcast streaming on the Commission’s event page. Click here for more details.

The FTC and CFPB are inviting interested individuals to submit comments recommending topics that should be addressed or specific information on the following potential topics for discussion:

  • What are the lessons from the CFPB’s supervisory reviews of CRAs and furnishers on accuracy and dispute obligations?
  • What are the lessons from CFPB and FTC enforcement cases on furnisher and CRA accuracy obligations?
  • How do furnishing practices differ based on the types of furnishers and the information they furnish to CRAs, and how does that impact accuracy?
  • What has been the effect of the removal of most civil judgments and tax liens from credit reports and recent changes in the reporting of medical debt?
  • How do background screening CRAs address accuracy in light of the limited personal identifying information included in public records?
  • What opportunities or challenges does inclusion of non-traditional data in credit reports, credit scoring models, or background screening reports present for accuracy?
  • Can new technologies and data management practices be used to improve accuracy?
  • How do consumers learn about inaccuracies on their consumer reports and navigate the current dispute process? What are the experiences of victims of identity theft in the dispute process?
  • How have the changes to the dispute process contained in the National Consumer Assistance Plan, which evolved out of the 2015 multi-state settlement, impacted the consumer experience?
  • Once consumers get erroneous information removed from their credit files through the dispute process, do they still have difficulties getting loans or other credit?
  • What government measures (including changes in the law) and private sector measures could improve accuracy? What are the costs and benefits of these possible measures?

Click here to read more about the workshop.