Privacy Hat Trick: Three New State Laws to Juggle

Nevada, Oregon and New Jersey recently passed laws focusing on the collection of consumer information, serving as a reminder for advertisers, retailers, publishers and data collectors to keep up-to-date, accurate and compliant privacy and information collection policies.

Nevada: A Website Privacy Notice is Required

Nevada joined California and Delaware in explicitly requiring websites and online services to post an accessible privacy notice. The Nevada law, effective October 1, 2017, requires disclosure of the following:

  • The categories of “covered information” collected about consumers who visit the website or online service;

  • The categories of third parties with whom the operator may share such information;

  • A description of the process, if any, through which consumers may review and request changes to their information;

  • A description of the process by which operators will notify consumers of material changes to the notice;

  • Whether a third party may collect covered information about the consumer’s online activities over time and across different Internet websites or online services; and

  • The effective date of the notice.

“Covered Information” is defined to include a consumer’s name, address, email address, telephone number, social security number, an identifier that allows a specific person to be contacted physically or online, and any other information concerning a person maintained by the operator in combination with an identifier.

Takeaway: Website and online service operators (including Ad Techs and other data collectors) should review their privacy policies to ensure they are disclosing all collection of information that identifies, can be used to contact, or that is combined with information that identifies consumers. Website operators should also be sure that they are aware of, and are properly disclosing, any information that is shared with or collected by their third-party service providers and how that information is used.

Oregon: Misrepresentation of Privacy Practices = Unlawful Trade Practice.

Oregon expanded its definition of an “unlawful trade practice”, effective January 1, 2018, to expressly include using, disclosing, collecting, maintaining, deleting or disposing of information in a manner materially inconsistent with any statement or representation published on a business’s website or in a consumer agreement related to a consumer transaction.The new Oregon law is broader than other similar state laws, which limit their application to “personal information”. Oregon’s law, which does not define “information”, could apply to misrepresentations about any information collection practices, even if not related to consumer personal information.

Takeaway: Businesses should be mindful when drafting privacy policies, terms of use, sweepstakes and contest rules and other consumer-facing policies and statements not to misrepresent their practices with respect to any information collected, not just personal information.

New Jersey: ID Cards Can Only be Scanned for Limited Purposes (not Advertising)

New Jersey’s new Personal Information and Privacy Protection Act, effective October 1, 2017, limits the purposes for which a retail establishment may scan a person’s identification card to the following:

  • To verify the authenticity of the card or the identity of the person paying for goods or services with a method other than cash, returning an item or requesting a refund or exchange;

  • To verify the person’s age when providing age-restricted goods or services to the person;

  • To prevent fraud or other criminal activity using a fraud prevention service company or system if the person returns an item or requests a refund or exchange;

  • To prevent fraud or other criminal activity related to a credit transaction to open or manage a credit account;

  • To establish or maintain a contractual relationship;

  • To record, retain, or transmit information required by State or federal law;

  • To transmit information to a consumer reporting agency, financial institution, or debt collector to be used as permitted by the Fair Credit Reporting Act and the Fair Debt Collection Practices Act; or

  • To record, retain, or transmit information governed by the medical privacy and security rules of the Health Insurance Portability and Accountability Act.

The law also prohibits the retention of information scanned from an identification card for verification purposes and specifically prohibits the sharing of information scanned from an identification card with a third party for marketing, advertising or promotional activities, or any other purpose not specified above. The law does make an exception to permit a retailer’s automated return fraud system to share ID information with a third party for purposes of issuing a reward coupon to a loyal customer.

Takeaway: Retail establishments with locations in New Jersey should review their point-of-sale practices to ensure they are not scanning ID cards for marketing, advertising, promotional or any other purposes not permitted by the New Jersey law.

Read more legal analysis at the National Law Review.

This post was written byJulie Erin Rubash of  Sheppard Mullin Richter & Hampton LLP.

Oregon Expands Effort to Achieve Equal Pay

This month, Oregon joined a number of other states, including California, Massachusetts, Maryland, and New York by strengthening existing equal pay laws. The new law, the Oregon Equal Pay Act of 2017 (“OEPA”), has three (3) central components:

  • Applying equal pay protections to disparities based on race, color, religion, sex, sexual orientation, national origin, marital status, veteran status, disability or age;
  • Curbing an employer’s ability to obtain or rely upon an applicant’s prior compensation to determine his or her current compensation; and
  • Changing and substantially limiting the defenses available to employers sued for alleged equal pay violations.

The bulk of the OEPA’s substantive provisions is effective January 1, 2019.

Broadening Scope of Equal Pay Protections

The OEPA prohibits disparities in “wages or other compensation” between employees performing work of a “comparable character” based on race, color, religion, sex, sexual orientation, national origin, marital status, veteran status, disability or age. Work is of a “comparable character” if it requires “substantially similar knowledge, skill, effort, responsibility and working conditions [.]” This is a substantial expansion of prior law, which only applied to sex-based pay disparities.

The OEPA also limits an employer’s ability to rely upon prior compensation by:

  • Making it unlawful to seek information about an applicant’s or employee’s compensation history; and
  • Prohibiting employers from screening job applicants or determining compensation based on a prospective employee’s current or past compensation.

However, these pay history restrictions do not apply “during a transfer, move or hire of [an] employee to a new position with the same employer.”

Limited Defenses to Equal Pay Claims

Under prior Oregon law, an employer could defend a sex-based pay disparity by demonstrating that it was based on (a) a seniority or merit system, or (b) good faith factors other than sex.

However, under the OEPA an employer can only pay differential wages for work of a comparable character if the disparity is attributable to “a bona fide factor that is related to the position in question and is based on” one or more of the following:

  • A seniority system;
  • A merit system;
  • A system that measures earnings by quantity or quality of production;
  • Workplace locations;
  • Travel, if travel is necessary and regular for the employee;
  • Education;
  • Training; or
  • Experience.

The employer must also demonstrate that the factor(s) creating the pay disparity account for the entirety of the differential.

Potential Limits on Remedies

In addition to back wages, employees bringing claims under the OEPA may also seek compensatory and punitive damages. However, the law limits remedies against employers that take specified steps to achieve pay equality.

Under the OEPA, a court “shall” disallow an award of compensatory or punitive damages if the employer shows that within three (3) years of the employee bringing the OEPA claim, the employer conducted a good faith equal pay analysis that: (a) was “[r]easonable in detail and scope in light of the size of the employer”; (b) related to the protected class at issue in the action (e.g., sex, age, race, etc.); and (c) “[e]liminated the wage differentials for the plaintiff and [] made reasonable and substantial progress toward eliminating wage differentials for the protected class asserted by the plaintiff.”

What This Means for Employers

Because the bulk of the OEPA changes are not yet effective, now is the time for employers to commence their compliance efforts including:

  • Reviewing job applications to ensure they do not seek prior compensation information;
  • Auditing compensation data to identify protected class-based disparities, if any. If this analysis reveals disparities, employers can avoid or limit future claims and damages by eliminating any identified differentials;
  • Training managers and human resources professionals regarding the permissible considerations when making compensation decisions, and how to document such decisions;
  • Revising employee job descriptions to ensure they reflect the substantive distinctions between positions – i.e., the fact that jobs are not of a “comparable character” is reflected in job descriptions; and
  • Revising employee reviews on which compensation decisions are based to ensure they reflect the considerations that are permissible grounds for a pay disparity under OEPA.
This post was written by Brian K. Morris of Polsinelli PC.


New Ridesharing Legislation in California and Oregon Highlights Insurance Uncertainty in Emerging Industries

Proskauer Law firm

Managing a company’s exposure to new types of risks is often a complicated endeavor.  We’ve previously reported on the uncertainty that can arise when existing coverage models are applied to a new risk—such as losses arising from data breaches and other cyber-attacks.  Applying existing coverage models to emerging industries presents similar challenges.  These challenges were highlighted recently in the years-long dispute over insurance of ridesharing companies, like Lyft and Uber, which recently reached some degree of closure in California with the enactment of new insurance legislation for these companies.

Ridesharing companies have arisen in the past few years as an alternative to traditional forms of transportation, such as taxis.  These companies neither employ the drivers nor own the cars used for transportation; they essentially serve as an online “middleman” connecting passengers with freelance drivers for hire and expressly disavow that they provide any sort of “transportation services.”  This new business model—blurring the lines between traditional services and social media—presented many questions as to liability and, consequently, risk management.  These questions were brought to the fore earlier this year, when the family of a six year old girl killed by a ridesharing driver sued the ridesharing company.  The company disclaimed liability on the basis that it is not responsible for the acts of its drivers, especially when the drivers do not have ridesharing passengers or are not en route to pick up one.

Many ridesharing drivers have relied primarily on their personal automobile policies, eschewing business coverage altogether, reportedlyat the recommendation of the ridesharing companies themselves.  While ridesharing companies have carried excess insurance policies to cover ridesharing accidents, the insurance industry took the position that these policies did not cover such accidents because there was no primary coverage.  In other words, because the only “primary” insurance policies were personal use automobile policies that did not cover commercial livery use, the excess insurance could not be triggered.

On September 17, 2014, California AB-2293 was enacted to address this uncertainty of coverage.  The statute was the result of discussions between legislators, ridesharing companies, insurers, and traditional taxi companies.  It requires ridesharing companies in the state to provide $100,000 in coverage for their drivers that takes effect the moment a driver connects to the ridesharing company’s dispatch software and increases to $1 million once the driver agrees to pick up a passenger.  It also states that a personal automobile insurer does not have the duty to defend or indemnify claims arising out of ridesharing, unless the policy expressly provides such coverage, and it requires ridesharing companies to disclose this fact to their drivers.

Whether other states will follow California’s lead remains to be seen.  Legislation addressing ridesharing has been introduced across the country, and as one Pennsylvania state legislator observed, “By far the biggest issue is insurance.”  In other states, regulators are addressing the possible insurance gap.  Just days after California’s new statute was enacted, Oregon’s State Insurance Division issued a consumer advisory, warning of the potential unavailability of insurance coverage under personal insurance policies for ridesharing and other services provided in the peer-to-peer marketplace.

As Oregon Insurance Commissioner Laura Cali observed in connection with ridesharing, “When a new industry emerges, it often creates unique insurance situations.”  New industries may exist under insurance uncertainty for years or decades before legislation, regulation, or litigation clarifies the issue.  It is therefore critical when expanding into a nascent industry to consider how the risks of that industry may be managed, under either new or existing types of insurance coverage.



Oregon’s Same-Sex Marriage Ban Unconstitutional, Judge Rules

Jackson Lewis Law firm


Oregon’s prohibition on same-sex marriage conflicts with the United States Constitution’s guarantee of equal protection, newly appointed U.S. District Court Judge Michael McShane has held in a case filed on behalf of four couples in Multnomah County. Geiger v. Kitzhaber, No. 6:13-cv-01834-MC (May 19, 2014).

Judge McShane explained the measure discriminates against same-sex couples. “The state’s marriage laws unjustifiably treat same-gender couples differently than opposite-gender couples. The laws assess a couple’s fitness for civil marriage based on their sexual orientation: opposite-gender couples pass; same-gender couples do not. No legitimate state purpose justifies the preclusion of gay and lesbian couples from civil marriage.”

A state Constitutional amendment, enacted pursuant to a 2004 ballot initiative organized and sponsored by the Defense of Marriage Coalition, had prohibited same-sex marriage, stating that only “marriage between one man and one woman shall be valid or legally recognized as a marriage.” This initiative and the subsequent Constitutional amendment were in response to the Multnomah County commissioner’s decision to issue marriage licenses to same-sex couples. During the Geiger litigation, Oregon’s Attorney General stated she found it impossible to legally defend the ban because “per- forming same-sex marriages in Oregon would have no adverse effect on existing marriages, and that sexual orientation does not determine an individual’s capacity to establish a loving and enduring relation- ship.” With Geiger, and the U.S. Supreme Court’s 2013 decision in United States v. Windsor invalidating the federal Defense of Marriage Act, same-sex marriage is valid under Oregon state and federal law.

Further, although Oregon enacted a domestic partnership law in 2008, the Family Fairness Act, granting domestic partners similar rights and privileges to those enjoyed by married spouses, the Legislature acknowledged domestic partnerships did not reach the magnitude of rights inherent in the definition of marriage. For example, same-sex couples in Oregon were not entitled to the rights or benefits under the federal Family and Medical Leave Act because Department of Labor guidance recognizes same-sex marriage only if valid under the employee’s state of residence. The DOL, however, has proposed a rule expanding the term “spouse” and, if implemented, will recognize same-sex marriages when recognized in the couple’s state of residence or if performed in a state recognizing same-sex marriage. According to the Secretary of Labor, “The basic promise of the FMLA is that no one should have to choose between succeeding at work and being a loving family caregiver. Under the proposed revisions, the FMLA will be applied to all families equally, enabling individuals in same-sex marriages to fully exercise their rights and fulfill their responsibilities to their families.” No changes have been proposed, however, for purposes of the Employment Retirement Income and Security Act (“ERISA”), the federal law governing employee benefit plans. The DOL counsels employers that, for purposes of ERISA, same-sex marriage should be recognized if valid in the state it is performed.

While Geiger will simplify the legal landscape, employers should review policies, procedures, and benefit plans closely to ensure that same-sex spouses are treated equally in all respects. In addition, Oregon law further prevents employment discrimination based on sexual orientation and family status. Requiring same-sex couples to “prove their status” or take other similar measures that are not required of opposite-sex couples may increase the risk of potential litigation under these laws.

Mei Fung So contributed to this article.