
Labor Law Compliance Reminder

As of April 2023, the U.S. Department of Labor (DOL) released revised versions of two posters, one of which is required to be posted right away:

  1. "Employee Rights Under the Fair Labor Standards Act" –
    All businesses are required to update and display the new 'Know Your Rights' Poster in a conspicuous location, effective immediately.

  2. "Your Employee Rights Under the Family & Medical Leave Act" –
    Covered employers may want to go ahead and update the FMLA poster with the new version to ensure employees have the most up-to-date information available.


Need-to-Know

Pregnant Workers Fairness Act 

By: Debra Fowler, SHRM-CP
Director, Compliance & Policy

Just a reminder for covered employers: the Pregnant Workers Fairness Act (PWFA) takes effect June 27, 2023. The PWFA requires employers to provide reasonable accommodations for employees and applicants experiencing pregnancy, childbirth, and related conditions, and additionally prohibits discrimination based on an individual’s need for pregnancy-related accommodation.

Which employers have to comply?

Those with...
15 or more employees and all government employers.


What does this mean for employers?

Reasonable Accommodations

Employers cannot fail to make reasonable accommodations for pregnant, postpartum, or nursing mothers unless providing the accommodation would pose an undue hardship on the business.

Interactive Process

Employers cannot deny employees their rights to the interactive process under the PWFA or the Americans with Disabilities Act (ADA).

Hiring

Employers cannot deny employment to applicants based on their need for accommodation due to pregnancy, childbirth, or related medical conditions.

Forced Leaves of Absence

Employers cannot force an employee to take a leave of absence in lieu of reasonable accommodation.

Retaliation

Employers cannot retaliate against employees or applicants who have opposed any act or practice made unlawful under the PWFA, nor can they coerce, intimidate, threaten, or interfere with an individual in the exercise of rights granted under the PWFA.

The PWFA does not require employees to accept unreasonable accommodations proposed by the employer; nor does it require employers to provide accommodations which place an undue hardship on the employer. This is where the interactive process comes into play and allows a dialogue between the employer and the employee to determine the most appropriate and effective accommodation options.

Under the PWFA employers are required to consider “waiving” essential job function(s) for a qualified employee if the inability to perform the essential function(s) is temporary and waiving the essential function does not cause an undue hardship on the employer.

This law goes into effect on June 27, 2023, and the Equal Employment Opportunity Commission (EEOC) will start accepting complaints about violations of the law which occur on or after the effective date of the law. We do expect additional guidance from the EEOC later this year.

If you have any questions about your requirements as an employer under the PWFA, we encourage you to contact your HR Business Partner at Vida HR.


Colorado Privacy Act

Control over the Controllers

By: Sean Hansen
HR Compliance Coordinator

The Fundamental Right to Privacy


The Colorado Privacy Act attempts to address three key components related to privacy, as laid out in the act:
 

  1. It provides consumers the right to access, correct, and delete personal data, as well as the right to opt out of both the sale and collection of personal data.

  2. It sets out to impose an obligation on companies to safeguard personal data, to provide clear information about how that data is used, and to require data protection assessments.

  3. The act empowers the attorney general and district attorneys to access and evaluate said protection assessments, as well as bring penalties to companies that violate the act.

The Applicability Test

But who does this apply to? As laid out in the CPA, a ‘controller’ is defined as a person or business, whether alone or jointly with others, that determines the purposes for and means of processing personal data. Retailers such as Walmart or Target are an example of businesses that would be considered controllers of data, because they collect consumer data when consumers make purchases and determine how it is used.

A controller is held responsible under the CPA if they meet two requirements.

Conduct Business In Colorado

or at least produce or deliver commercial products and/or services that are intentionally targeted to residents of Colorado.

AND

Control or process the personal data of 100,000 consumers

or more during the calendar year

and/or

Derive revenue from the sale of personal data

(or receive a discount on the price of goods and services) and they also process/control the personal data of 25,000 consumers or more.

However, as always, there are multiple exceptions to these requirements, including protected health information that is collected, stored, and processed by a covered entity or its business associates. An important exception is that any employee records that are related to the hiring, firing, or promotion of employees are not controlled by the CPA. Similarly, information and documents created by a covered entity for the purposes of complying with HIPAA are also not under the control of the CPA. There is also an exception for activity involving personal data in regard to a consumer’s credit standing.

Permission Granted

Quick Terms

To be valid, consent must be given under the following conditions. For more detailed descriptions, read the longer definitions below.

No Dark Patterns*

A dark pattern refers to a user interface tactic that intentionally confuses or tricks consumers into giving consent by manipulating design elements and language, compromising their ability to make informed decisions or opt in or out freely, such as automatically checking consent boxes by default.

1. Clear and Deliberate Action

Consent should be given in a way that is obvious and intentional, either through clear actions or a statement that clearly shows agreement. It should not be assumed or automatically given through pre-selected options or terms and conditions that require the consumer to opt out.

2. Freely Given

Consumers can say no to giving consent without any negative effects, and they can change their mind and withdraw consent at any time. However, consent cannot be forced as a requirement for accessing basic goods or services, and it should not be hidden within general terms and conditions that don't give the option to refuse consent.

3. Consent Must Be Specific

If personal data is used for multiple purposes or shared with different parties, consumers have the right to give separate consent for each individual purpose or recipient, and consent to one purpose or party does not automatically imply consent to others.

4. Consent Must Be Informed

The controller must give clear and straightforward information to the consumer, including who they are, why consent is needed, what the data will be used for, who else might receive the data, how the consumer can withdraw consent, and any other required disclosures under the Colorado Privacy Act.

5. Unambiguous Agreement

Children: In the case of children, who are defined as those under thirteen, the controller must make reasonable efforts to get approval from a parent or legal guardian, and any personal information collected for verifying the parent's identity cannot be used for any other purpose.

Non-Children: Controllers can ask for consent directly from fourteen-year-olds without parental permission.

What does this mean for consumers in the state of Colorado? The years of companies taking your personal data without your knowledge are over! Controllers under the CPA will now be required to obtain consumer consent in order to process your sensitive data, or any data if the consumer is under thirteen, in which case a parent must consent. They also cannot sell your data, or process it for targeted advertising or profiling, without your permission. Note, however, that if they obtained valid consent before July 1st, 2023 (the date this law goes into effect), they can continue to use it so long as it complies with the CPA rules.
 

Before we get to the definition of valid consent, we need to define another term: ‘Dark Pattern’. 
 

*A dark pattern is a user interface designed or manipulated with the effect of subverting or impairing user autonomy or decision-making. In other words, the consent is designed to confuse the consumer into giving consent or to trick them into giving consent by using language that doesn’t clearly allow the consumer to opt in or out. An example of a dark pattern is when the consent is automatically checked as the default, which requires consumer action to opt out.
 

Even if the consent meets every other requirement in the book, if it was obtained through a dark pattern, it is not valid. So what exactly do these lawmakers mean when they say ‘valid consent’? We’ll have to break it down, since multiple points make up valid consent.

As a general overview, consent requires five things to be considered valid:
 

  1. obtained through clear, deliberate action (yes, I am choosing my own destiny);

  2. freely given by the consumer (yes, I give consent – no arm twisting);

  3. the consent is specific (what you’re giving consent for);

  4. the consent is informed (why is consent needed); and,

  5. it must reflect the consumer’s unambiguous agreement (no hidden text or dark patterns).

1. That’s a lot to unpack, so let’s dive deeper, starting with ‘clear, deliberate action.’ This means the consent is communicated through deliberate and clear conduct, or a statement that clearly indicates the consumer’s acceptance. A blanket acceptance, such as a terms and conditions agreement, pre-ticked boxes, or other constructions that require the consumer to prevent the agreement, are NOT clear, deliberate actions.

2. Next, ‘freely given’ means a consumer has the option to refuse consent without detriment, as well as being able to withdraw consent at any time. This means it is not valid consent if whatever good or service they are purchasing is hampered by not consenting, or if some goods or services are denied to those who choose to not consent. The only exception to this rule is if for some reason those goods and services require said data in order to be provided to the consumer. Doubling down on the affirmative action section, consent is not considered freely given if the agreement is rolled into a general acceptance of terms and conditions or other constructions that do not allow the user to also withhold consent.

3. Moving on to ‘consent must be specific’. If the data being processed is used for more than one processing purpose, and those processes are not reasonably necessary or compatible with one another, consumers have the ability to consent to each process separately. Similarly, consent to selling data to one party does not constitute consent to selling to any other party. If there are different processes, or different parties the data is being sold to, the consumer needs to be able to consent to each separately.

4. Next on the list is ‘consent must be informed’, which might sound familiar to those in the science world, or at least anyone who took one semester of a psychology course. The controller has to provide their identity, the reason the consent is required (plain language- no jargon!), the processing purposes for which the consent is sought, the categories of personal data the controller will process, the third parties that will receive data through sale (if applicable), a description of the consumer’s right to withdraw consent, and any other disclosures required through the CPA.

5. Finally, ‘unambiguous agreement’, we already covered. Consent cannot be obtained through malicious means (aka Dark Patterns).

There’s another layer to all this: children. Parents and legal guardians, be warned: the CPA defines a child as anyone under thirteen. While those newly turned fourteen-year-olds may like the sound of being treated as an adult, parents should know that means controllers can get consent from them without your permission. When a controller is seeking consent from a child, they must make reasonable efforts to obtain verifiable parental consent. Any personal data they collect in order to verify a parent/legal guardian cannot be used by a controller for any reason other than verifying identity.
 

Consent doesn’t last forever. If the consumer has not interacted with a controller in the past two years, the controller must refresh consent. This is not applicable if the consumer has easy access and the ability to update their opt-out preferences at any time.

Big Brother is Watching You, With Your Permission

When consumers exercise these rights, the controller is legally obligated to respond to them within 45 days. For any data right request, controllers are required to use authentication methods to confirm the identity of the consumer. They need to avoid requesting more personal data from the consumer in order to authenticate their identity (unless they do not have sufficient personal data to do so already).

It’s important to note that whenever a controller sends out any sort of privacy notice or agreement, they have to inform you of these rights, as well as specific methods for you to exercise these rights if you so choose.

Although these rights are pretty simple, there is another layer intertwined with the right to opt out: profiling. Controllers are required to provide transparent information about how consumers’ data is used for profiling. Consumers are allowed to opt out of profiling when it is done to further a decision that affects the provision of financial/lending services, housing, insurance, education, criminal justice, employment, health-care services, or access to goods and services.

Controllers have to be clear about what decisions are subject to profiling, as well as what categories of personal data are used as part of profiling. This also must include plain language on the logic used in the process, and how profiling is used in the decision-making process. They also need to inform the consumer if the system has been evaluated for accuracy, fairness, or bias, and if so, the results of that evaluation. Finally, they also need to provide the benefits and potential consequences of decisions based on profiling, and provide the consumer information on how they may opt out.

The CPA empowers consumers with Data Rights that they can exercise at any time including...

THE RIGHT TO:

Opt-out of your data being processed.

Make any changes or corrections to the data being processed.

Have your data deleted.

Access their own personal data.

Receive access to their data in a portable and easily readable form.

Under Lock and Key

Conclusion

HR Insights: Dress Code Violations

QUESTION:

Help! One of my employees showed up to a client meeting wearing a Hawaiian shirt and flip flops, violating our company's business casual dress code policy. How can I address this without damaging our relationship with the client or creating conflict with the employee?

It sounds like the employee took the “casual” part of business casual a bit too seriously! While it can be awkward to address dress code violations with employees, it's important to do so in a way that is respectful and constructive.
 

You can start by having a private conversation with the employee and explaining the importance of dressing professionally for client meetings and the impact their clothing choice has on a client's perception of the company. You can provide suggestions to the employee on how to dress more appropriately for client interactions in the future and provide examples of acceptable business casual attire.
 

There is also a safety issue at play – wearing flip flops to work, even in an office environment, can cause a trip and/or fall injury. Remind the employee of the company’s commitment to workplace safety and that wearing flip flops in the workplace is not allowed.
 

This doesn’t need to be a disciplinary conversation – unless this isn’t the first time the issue has been addressed with the employee. If the employee was unaware of the dress code policy or there were extenuating circumstances, be sure to listen to their perspective and address any concerns they may have. It's also important to follow up with the client to acknowledge the dress code violation and reassure them of the company's commitment to professionalism.
 

It may also be beneficial to send a friendly email reminder to all staff about the dress code requirements, including an explanation of why these guidelines are in place, emphasizing safety considerations, and the positive impact they have on employees and the overall success of the business.


EMPLOYEE HIGHLIGHT


Hello, I'm Nikki!


I have been employed at Vida HR for 8 months as an Implementation Specialist - Timekeeping. Over the course of 7 years, I have provided support and implemented timekeeping systems. Furthermore, I hold a bachelor's degree in computer information systems and have served in the United States Navy as a Hospital Corpsman. According to my PI profile, I am an Operator, which signifies my enjoyment in assisting others, acquiring new knowledge of processes, and maintaining a keen focus on details. These strengths greatly aid me in my present position, where I am responsible for implementing and training clients on the software.

A little about me:

I am married to an amazing man and will be celebrating our 8-year anniversary this year. I have two grown children: my daughter, who is 25 years old, recently graduated with her master's degree, and my son, who is 23 years old, serves in the Navy and is stationed in Bremerton, Washington. Additionally, we have an Australian Cattle Dog named Indigo and a cat named Jackson. In our leisure time, we enjoy activities such as hunting, fishing, and simply taking walks on trails. We have a great love for the outdoors here in Georgia!
