<?xml version="1.0" encoding="UTF-8"?> <rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
><channel><title>CIPP Guide</title> <atom:link href="http://www.cippguide.org/feed/" rel="self" type="application/rss+xml" /><link>https://www.cippguide.org</link> <description>Your Guide to the CIPP and Privacy</description> <lastBuildDate>Wed, 22 May 2013 12:00:42 +0000</lastBuildDate> <language>en-US</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=3.5.1</generator> <item><title>Social Media Analytics in Employee Recruitment</title><link>https://www.cippguide.org/2013/05/22/social-media-analytics-in-employee-recruitment/</link> <comments>https://www.cippguide.org/2013/05/22/social-media-analytics-in-employee-recruitment/#comments</comments> <pubDate>Wed, 22 May 2013 12:00:42 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[background screening]]></category> <category><![CDATA[Facebook]]></category> <category><![CDATA[recruitment]]></category> <category><![CDATA[social media]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=3240</guid> <description><![CDATA[This article explores how social media analytics has impacted the job recruitment and applicant assessment process. 40 percent of tech companies have reported that they use social media profiles in their hiring process, while 20 percent of these companies have admitted that a candidate’s social media profile has actually caused them not to hire a [...]]]></description> <content:encoded><![CDATA[<p>A <a
href="http://onlinelibrary.wiley.com/doi/10.1111/j.1559-1816.2011.00881.x/abstract">study</a> published in the <em>Journal of Applied Social Psychology</em> found that social network profiles of job applicants were surprisingly good predictors of how well they might fit into an organization. Researchers reported that they could accurately assess, based on an analysis of the Facebook posts of 500 people, how a job candidate would rank in the “Big 5” personality traits: 1) Openness to experience; 2) Conscientiousness; 3) Extroversion; 4) Agreeableness; and 5) Neuroticism. It was suggested that if social networks can provide an evaluation of how well an individual will do in a particular job, then employers should use such platforms as the first stage of screening in the interview process.</p><p><strong>Social Media Trend</strong></p><p>A major part of the job recruitment process has already moved online. These days, employers are looking for potential candidates via sites like LinkedIn, or tracking applicants through tools like Monster or Career Builder. Social networks can also help employers get in touch with a different pool of candidates, not just the ones that apply for the job.</p><p>Studies on social media analytics have shown that almost 40 percent of technology industry companies check their potential employees’ profiles on social media sites. Mads Christensen, Network Director at Eurocom Worldwide, <a
href="http://www.eurocompr.com/prfitem.asp?id=14921">says</a> “The 21<sup>st</sup> century human is learning that every action leaves an indelible digital trail. In the years ahead many of us will be challenged by what we are making public in various social forums today.”</p><p><strong>What about privacy?</strong></p><p>Using social media analytics as a recruitment tool also brings up concerns about user privacy. Candidates may feel that companies are unjustifiably basing their decisions on a person’s social media activities. Job seekers and privacy advocates often argue that personal life should not be confused with work life and as such, social media profiles should not be used as part of the decision-making process in recruitment.</p><p><a
href="http://www.forbes.com/sites/lisaquast/2012/05/21/recruiting-reinvented-how-companies-are-using-social-media-in-the-hiring-process/">According to</a> Chirag Nangia, CEO of <a
href="http://www.reppify.com/">Reppify</a>, a San Francisco-based business that uses integrated social media data to help companies find the right people:</p><p>“Employers have to be constantly aware of the types of information they are restricted from using in the selection process. However, because doing a web search on a candidate reveals many types of information, including information deemed ‘Protected Class’ (race, gender, etc.), it can be potentially dangerous to manually assess candidates’ social media properties. Aside from being restricted, the process is time consuming and cumbersome to use when comparing across candidates. For job seekers, it opens up questions around what they should or should not post to their own closed network of friends and family, which we believe is setting the wrong precedent.”</p><p>Another concern is that employers might be too dependent on social media information when making hiring decisions. According to the 2012 annual technology market <a
href="http://www.eurocompr.com/prfitem.asp?id=14921">survey</a> conducted by Eurocom Worldwide, almost one in five technology industry executives say that a candidate’s social media profile has caused them not to hire a person. This survey is the first evidence that prospective job candidates are actually being rejected because of their profiles.</p><p>Proponents of the practice argue that social media analytics data should not be used on their own, rather as part of the overall recruitment process, together with face-to-face interviews, tests, background checks and other proven methods of determining a candidate’s likely performance in a job and his/her organizational fit.</p><p><strong>Summary</strong></p><p>This article explores how social media analytics has impacted the job recruitment and applicant assessment process. 40 percent of tech companies have reported that they use social media profiles in their hiring process, while 20 percent of these companies have admitted that a candidate’s social media profile has actually caused them not to hire a person.</p><p><strong>CIPP Exam Preparation</strong></p><p>In preparation for the Certified Information Privacy Professional/United States (CIPP/US) exam,  a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Employee background screening – social media (IV.B.a.ii.4.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2013/05/22/social-media-analytics-in-employee-recruitment/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Intermediaries as Gatekeepers</title><link>https://www.cippguide.org/2013/05/20/intermediaries-as-gatekeepers/</link> <comments>https://www.cippguide.org/2013/05/20/intermediaries-as-gatekeepers/#comments</comments> <pubDate>Mon, 20 May 2013 12:00:11 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[gatekeeping]]></category> 
<category><![CDATA[intermediaries]]></category> <category><![CDATA[liability]]></category> <category><![CDATA[online privacy]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=3296</guid> <description><![CDATA[It is becoming more common for internet intermediaries to take on the role of gatekeepers, policing and censoring the materials shared online. Gatekeeping obligations have been imposed by governments upon intermediaries [...]]]></description> <content:encoded><![CDATA[<p>As mentioned in a previous article, internet <a
href="https://www.cippguide.org/tag/intermediaries/">intermediaries</a> are under increasing pressure to take on the role of content gatekeepers. Certain governments have attempted to do this directly, by forcing intermediaries to restrict or police user activity in specific ways.</p><p><strong>Different Perspectives</strong></p><p>Supporters of gatekeeping requirements argue that preventing users from posting or accessing unlawful material in the first place is better than just assessing liability after the damage caused by the material has already been done. They believe intermediaries are in a position to prevent people within their jurisdictions from accessing illegal content, even content hosted in foreign jurisdictions.</p><p>Others also view the issue as a matter of fairness; the businesses that benefit from the opportunities created by the internet should play a role in implementing technological solutions to the challenges the internet poses, for instance, to copyright holders and law enforcement.</p><p>Still others believe that imposing gatekeeping duties on intermediaries can have a profoundly negative impact on lawful expression, user privacy and innovation. <a
href="http://www.law.ed.ac.uk/ahrc/script-ed/vol8-2/schellekens.asp">According to</a> scholar Maurice Schellekens, it can be dangerous to impose such duties on intermediaries: “Once an Internet intermediary is subjected to a first monitoring duty its monitoring duties would, according to the [slippery slope] argument, quickly snowball. If we… assume that those seeking to prevent distribution of pictures of child abuse might be the first to establish a monitoring duty, then others, like victims of libel and slander, of fraud, etc., would soon press for monitoring duties too.”</p><p><strong>Obligations Imposed</strong></p><p>There are numerous “gatekeeping” obligations that have been imposed upon internet intermediaries worldwide. Such obligations include:</p><ul><li><em>Website blocking </em></li></ul><p>Governments worldwide have been putting pressure on ISPs to block access to websites that may host objectionable content. Many countries also have semi-voluntary or law enforcement-led programs under which ISPs block access to child abuse images. There are a number of ways that an ISP can attempt to prevent users from visiting certain websites. It can block access to the site’s IP address, its domain name, or its individual URLs.</p><p>In certain cases, due to the ways in which data is routed on the internet, IP-blocking in one country may lead to a website becoming inaccessible for the entire world. Furthermore, the widespread blocking of domain names in particular would cause technical challenges that could possibly undermine the internet’s reliability and security. URL filtering can be extremely costly to implement.</p><ul><li><em>Domain name seizures</em></li></ul><p>This is becoming a common practice by US law enforcement authorities against websites charged with unlawful conduct. The government does this by ordering the intermediaries responsible for maintaining the relevant domain name system (DNS) databases to revoke or reassign a website’s domain name. 
The government directs seizure orders to domain-name registries and registrars. Often, these entities are instructed to point the names to new sites.</p><p>Domain name seizures are susceptible to overblocking for the same reasons as domain name blocking. Seizures also present jurisdictional and procedural challenges. When a domain name is seized, the effect is felt worldwide, not just within the jurisdiction where the seizure occurs. Internet users worldwide can no longer reach the original website via that domain name, leading to possible disputes when content is lawful in the jurisdiction where it is hosted, but unlawful elsewhere.</p><ul><li><em>Licensing requirements, content regulation and mandatory filters</em></li></ul><p>Certain countries have burdened intermediaries with broadcast-style regulations (e.g. licensing requirements, rules demanding “balanced coverage” or other editorial controls). Automatic content filters, designed to identify and block specific content rather than whole websites, are also becoming a concern of certain courts. Some hosting providers will voluntarily use such filtering technology to reduce copyright infringement.</p><p>Licensing requirements, content regulation and filtering mandates necessarily limit expressive opportunities online and ultimately undermine the internet’s role as an open medium for speakers of all kinds.</p><ul><li><em>Warning or punishing individual users</em></li></ul><p>Escalating concerns regarding online copyright infringement are creating pressures to demand that ISPs threaten or punish users who appear to be engaged in infringement. In France, the <a
href="http://en.wikipedia.org/wiki/HADOPI_law">HADOPI law</a> targets unlawful file sharing by requiring ISPs to forward warning notices to subscribers identified by rightsholders as likely infringers. Where subscribers ignore the warnings and engage in repeat infringement, ISPs may be ordered to disconnect them. Other countries have adopted similar laws.</p><p>Such warning systems can be useful for educational purposes, for instance to inform subscribers about the law and potential consequences of their actions. However, they can also raise new issues regarding the necessity and proportionality of the penalties imposed and the fairness of the process by which penalties are applied.</p><p><strong>Summary </strong></p><p>It is becoming more common for internet intermediaries to take on the role of gatekeepers, policing and censoring the materials shared online. Gatekeeping obligations have been imposed by governments upon intermediaries worldwide.</p><p><strong>CIPP Exam Preparation</strong></p><p>In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT), a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Privacy intersections in the development process (I.B.a.)</li><li>Global resourcing and outsourcing (I.F.b.i.)</li><li>Privacy-enhancing techniques (III.D.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2013/05/20/intermediaries-as-gatekeepers/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Video Privacy Protection Act of 1988</title><link>https://www.cippguide.org/2013/05/17/video-privacy-protection-act-of-1988/</link> <comments>https://www.cippguide.org/2013/05/17/video-privacy-protection-act-of-1988/#comments</comments> <pubDate>Fri, 17 May 2013 12:00:55 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[disclosure]]></category> 
<category><![CDATA[VPPA]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=3189</guid> <description><![CDATA[This article takes a look at the Video Privacy Protection Act of 1988 (VPPA), which limits the disclosure of personally identifiable information regarding video rentals. It represents one of the strongest consumer privacy protections in federal law and was passed as a response to the disclosure of Supreme Court nominee Robert Bork’s video rental records during his confirmation [...]]]></description> <content:encoded><![CDATA[<p>The US has unusually strict privacy protections for video rental records. This can be traced back to the <a
href="http://en.wikipedia.org/wiki/Robert_Bork_Supreme_Court_nomination">confirmation hearings</a> of Supreme Court nominee Robert Bork, during which a reporter obtained copies of Bork’s video rental records. Though the rentals were innocuous, the incident frightened Congress enough to pass the <a
href="http://www.gpo.gov/fdsys/browse/collection.action?collectionCode=PLAW">1988 Video Privacy Protection Act</a> (VPPA), which requires written consent from consumers before video rental records could be shared.</p><p><strong>What is the VPPA?</strong></p><p>The Video Privacy Protection Act of 1988 (Public Law 100-618) limits the disclosure of personally identifiable information regarding video rentals. It represents one of the strongest consumer privacy protections in federal law – even stronger than those for health records under <a
href="https://www.cippguide.org/2010/01/25/health-information-portability-and-accountability-act-hipaa/">HIPAA</a>.</p><p>The VPPA defines “personally identifiable information” as that which “identifies a person as having requested or obtained specific video materials or services from a video tape service provider.” A “video tape service provider” is “any person, engaged in the business, in or affecting interstate or foreign commerce, of rental, sale or delivery of prerecorded video cassette tapes or similar audiovisual materials.”</p><p>Video tape service providers may disclose personally identifiable information only:</p><ul><li>To the consumer himself/herself</li><li>To any other person, with the written consent of the consumer</li><li>To any other person, if this disclosure is simply of names and addresses and:<ul><li>The consumer has been provided with an opportunity to opt-out and</li><li>The disclosure does not identify title, description or subject matter (though subject matter may be disclosed “for the exclusive use of marketing goods and services to the consumer”)</li></ul></li><li>To any other person, if in the ordinary course of business</li><li>To a law enforcement agency, pursuant to a federal or state warrant, a grand jury subpoena, or a court order, provided that:<ul><li>The consumer is provided with prior notice and</li><li>There is a showing of probable cause to believe that the records are relevant to a legitimate law enforcement enquiry</li></ul></li><li>Pursuant to a court order in a civil proceeding, upon showing of a compelling need, provided<ul><li>The consumer is given reasonable notice and</li><li>Afforded the opportunity to contest the request</li></ul></li></ul><p><strong>Responses to the Act</strong></p><p>It’s important to note that the VPPA is very rarely applied; however, it represents one of the strongest protections of consumer privacy against a specific form of data collection. 
In general, it prevents disclosure of personally identifiable rental records of video cassette tapes or similar audiovisual material, but beyond that it has several important provisions, including:</p><ul><li>A general ban on the disclosure of personally identifiable rental information unless the consumer consents specifically and in writing.</li><li>Disclosure to police officers only with a valid warrant or court order.</li><li>Disclosure of “genre preferences” along with names and addresses for marketing, but allowing customers to opt out.</li><li>Exclusion of evidence acquired in violation of the VPPA.</li><li>Civil remedies, including possible punitive damages and attorneys’ fees, not less than $2500.</li><li>A requirement that video stores destroy rental records no later than one year after an account is terminated.</li><li>The VPPA does not preempt state law. This means that states are free to enact broader protections for individuals’ records.</li></ul><p><strong>Updates to allow online sharing</strong></p><p>In December 2011, the House of Representatives passed legislation updating the VPPA in order to allow online rental services – such as Netflix – to share information about customers’ viewing habits with user consent. Previously, the law required written consent to share video records; however, the new law allows companies to obtain consent over the web.</p><p>Specifically, it would amend the VPPA’s consent provision to allow the disclosure of video rental records:</p><p>to any person with the informed, written consent (including through an electronic means using the Internet) in a form distinct and separate from any form setting forth other legal or financial obligations of the consumer given at one or both of the following times –</p><p>i. the time the disclosure is sought; and</p><p>ii. in advance for a set period of time or until consent is withdrawn by such consumer.</p><p>The legislation was sponsored by Rep. 
Bob Goodlatte (R-VA) and updates the VPPA to allow users to consent to video sharing over the web. It also allows users to consent once to all future sharing. These adjustments were criticized by Marc Rotenberg, president of the <a
href="http://epic.org/">Electronic Privacy Information Center</a> (EPIC).</p><p><strong>Summary</strong></p><p>This article takes a look at the Video Privacy Protection Act of 1988 (VPPA), which limits the disclosure of personally identifiable information regarding video rentals. It represents one of the strongest consumer privacy protections in federal law and was passed as a response to the disclosure of Supreme Court nominee Robert Bork’s video rental records during his confirmation hearings.</p><p><strong>CIPP Exam Preparation</strong></p><p>In preparation for the Certified Information Privacy Professional/United States (CIPP/US) exam,  a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Video Privacy Protection Act of 1988 (II.E.f.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2013/05/17/video-privacy-protection-act-of-1988/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Problems with Background Screening in the Workplace</title><link>https://www.cippguide.org/2013/05/15/problems-with-background-screening-in-the-workplace/</link> <comments>https://www.cippguide.org/2013/05/15/problems-with-background-screening-in-the-workplace/#comments</comments> <pubDate>Wed, 15 May 2013 12:00:31 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[background screening]]></category> <category><![CDATA[CFPB]]></category> <category><![CDATA[FCRA]]></category> <category><![CDATA[FTC]]></category> <category><![CDATA[workplace privacy]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=3238</guid> <description><![CDATA[Companies providing a background check service are part of a quickly growing industry, however, errors in reporting can have serious and long-lasting consequences on job seekers. Attorneys and community organizations that work with consumers with problematic background reports say that agencies often produce reports that contain inaccurate information. This article takes a look at some of the most common problems within the background screening [...]]]></description> <content:encoded><![CDATA[<p>As we’ve discussed in <a
href="https://www.cippguide.org/tag/backgroundscreening/">previous articles</a>, employee background checks are required in a number of industries to ensure public safety and security. Background checks are being conducted more frequently than ever before. Indeed, according to a 2012 study conducted by the <a
href="http://www.nclc.org/">National Consumer Law Center</a>, about 73 percent of employers conduct criminal background checks for all potential applicants. However, evidence indicates that professional background screening companies routinely make mistakes, often with serious consequences for job seekers.</p><p><strong>The Industry</strong></p><p>Companies providing a background check service are part of a growing industry. The industry is made up of large national corporations, as well as numerous smaller local and regional companies providing criminal record information to employers. According to <a
href="http://www.businessweek.com/stories/2008-05-28/the-trouble-with-background-checks">a BusinessWeek article</a>:</p><p>“Background screening has become a highly profitable corner of the HR world. At the screening division of First Advantage (FADV), based in Poway, Calif., profits soared 47% last year, to $29 million; revenue grew 20%, to $233 million. HireRight (HIRE), based in Irvine, Calif., reported that earnings jumped 44%, to $9 million, last year on revenues of $69 million. To grab a piece of this growing market, Reed Elsevier Group (RUK), the Anglo-Dutch information provider, agreed to acquire ChoicePoint for $4.1 billion in February – at a 50% premium to its stock price.”</p><p>There are currently no licensing requirements to become a background checking agency and no system for registration exists. Essentially, anyone with a computer, internet connection and access to records can start a background screening business.</p><p><strong>Accuracy is an Issue</strong></p><p>Attorneys and community organizations that work with consumers with problematic background reports say that they often see background reports that:</p><ul><li>Mismatch the subject of the report with another person</li><li>Reveal sealed or expunged information</li><li>Omit information about how the case was disposed or resolved</li><li>Contain misleading information</li><li>Mischaracterize the seriousness of the offense report</li></ul><p>Mismatched reports are an extremely common problem with criminal background reports. These contain the criminal history of a person other than the subject of the report, and are mainly the result of unsophisticated matching criteria. <a
href="http://www.cippguide.org/tag/biometric/">Biometric</a> identification systems help to reduce the chances of incorrectly connecting someone to the criminal record of another. Private background check companies typically match information in their databases using non-biometric information (e.g. name and birth date).</p><p>Another problem within the screening industry involves the common practice of subcontracting out the search for criminal records. However, the subcontracting does not stop with one vendor, but continues as the vendors themselves subcontract the work to other vendors. This practice of sub-sub-sub-contracting drastically reduces accountability and increases the likelihood of erroneous information. The majority of background check agencies do not demand stringent quality controls over the information provided by vendors.</p><p>One of the most damaging mistakes an agency can make is to reveal sealed or expunged data. The information revealed in such records is nearly impossible to dispute with the employer. If the agency has mixed the job applicant’s file with another person’s, the applicant can argue it was not him/her. In the case of a sealed conviction, the applicant cannot claim that the accusation is false, but merely that the employer should not know about it.</p><p>Background check companies might also omit final disposition data. This means that the companies would report the fact that charges were filed, but not whether the person was convicted. Because of this omission, people who have been exonerated of the charges against them, or had the charges dropped or reduced, appear to have pending criminal complaints against them.</p><p>Certain screening agencies will dedicate considerable space on their reports to tout the jurisdictions they search, but will leave significantly less space for the results of those searches. Even more worrisome is that background screening agencies have been known to report single arrests or incidents multiple times. 
Screening agencies will also attempt to subvert the time limits for information in the FCRA by telling potential employers that the company has information that it could not share.</p><p>Advocates across the US report that they often see mistakes on commercial background reports, due to a fundamental misunderstanding of how states report and classify information. In particular, commercial background screening agencies repeatedly misreport the level or classification of the offense. Additionally they rarely know what to do with offenses that are classified as less than a misdemeanor or are non-criminal offenses (e.g. traffic tickets).</p><p><strong>Recommendations</strong></p><p>The National Consumer Law Center recommends the <a
href="http://www.consumerfinance.gov/">Consumer Financial Protection Bureau</a> (CFPB) use its rulemaking authority under the <a
href="https://www.cippguide.org/tag/fcra/">Fair Credit Reporting Act</a> (FCRA) to:</p><ul><li>Require mandatory measures to ensure greater accuracy.</li><li>Define how long an employer has to wait in between sending an initial notice and taking an adverse action (i.e. rejecting an applicant or terminating an employee).</li><li>Require registration of consumer reporting agencies.</li></ul><p>The <a
href="https://www.cippguide.org/tag/ftc/">Federal Trade Commission</a> (FTC) could also enforce the FCRA in the following ways:</p><ul><li>Investigate major commercial background screening companies for common FCRA violations.</li><li>Investigate major, nationwide employers for compliance with FCRA requirements imposed on users of consumer reports for employment purposes.</li></ul><p><strong>Summary</strong></p><p>Companies providing a background check service are part of a quickly growing industry, however, errors in reporting can have serious and long-lasting consequences on job seekers. Attorneys and community organizations that work with consumers with problematic background reports say that agencies often produce reports that contain inaccurate information. This article takes a look at some of the most common problems within the background screening industry.</p><p><strong>CIPP Exam Preparation</strong></p><p>In preparation for the Certified Information Privacy Professional/United States (CIPP/US) exam,  a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Employee background screening (IV.B.a.)</li><li>Screening requirements under FCRA (IV.B.a.i.)</li><li>Screening methods (IV.B.a.ii.1. 
– IV.B.a.ii.4.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2013/05/15/problems-with-background-screening-in-the-workplace/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>DAA’s Mobile Privacy Rules</title><link>https://www.cippguide.org/2013/05/13/daas-mobile-privacy-rules/</link> <comments>https://www.cippguide.org/2013/05/13/daas-mobile-privacy-rules/#comments</comments> <pubDate>Mon, 13 May 2013 12:00:41 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[Behavioral Advertising]]></category> <category><![CDATA[DAA]]></category> <category><![CDATA[mobile devices]]></category> <category><![CDATA[OBA]]></category> <category><![CDATA[standards]]></category> <category><![CDATA[UDID]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=3294</guid> <description><![CDATA[This article discusses the Digital Advertising Alliance’s (DAA) mobile privacy guidelines. These new standards will address targeting ads based on information collected across apps, and will allow consumers to opt [...]]]></description> <content:encoded><![CDATA[<p>The <a
href="http://www.aboutads.info/">Digital Advertising Alliance</a> (DAA), the industry coalition behind the behavioral ad and data collection privacy initiative, is gearing up to launch its new mobile privacy standards. This long-awaited guidance has been slow to arrive. Even now, it is unclear when the mobile privacy guidelines will actually appear, as Stu Ingis, DAA counsel, estimated they would be complete “This spring – a few weeks to a couple of months,” although the group was “still working on the substance.”</p><p><strong>Delays</strong></p><p>According to insiders who have worked with the final drafts, the new standards will address targeting ads based on information collected across apps, and will allow consumers to opt out. The mobile rules are also likely to require companies to obtain users’ opt-in consent before collecting some information, such as address-book data.</p><p>However, the fact that the DAA has still not finalized the guidelines makes the self-regulatory process difficult. Without official guidance from the DAA, participants lack the industry-imposed rules on whether opting out would simply prevent participating mobile ad networks from serving behaviorally-targeted ads in apps, or go further by preventing collection of some forms of data.</p><p>Another issue is the fact that most consumers don’t distinguish between location data and other information collected through mobile apps, which indicates that government regulators and legislators may not do so either. While device location data can be collected by apps and used to target ads, there is no DAA guideline which determines whether an advertiser could aim a geo-targeted ad in a mobile app to someone who has opted out through the <a
href="http://www.truste.com/">TRUSTe</a> or <a
href="http://www.evidon.com/">Evidon</a> systems.</p><p>The DAA’s silence on self-regulatory services poses another question. Mike Zaneis, SVP and general counsel of the Interactive Advertising Bureau, asks, “We don’t have mobile principles yet so we are not in a position to endorse; what would we be endorsing against?”</p><p>It is not exactly clear what’s behind the delay of the guidelines. Some suspect that technical hurdles may contribute. Cookies are typically not the identifier of choice in the mobile app environment, where multiple types of device identifiers are employed. This means that opting out from mobile ads in apps has a much more permanent effect than on the desktop. If cookies are cleared online, an opt-out cookie gets trashed, which re-enables tracking and targeting.</p><p><strong>Privacy Challenges in Mobile Platforms</strong></p><p>A major privacy challenge posed by mobile platforms is that devices are usually tied to specific individuals, meaning that data linked to those devices isn’t necessarily “anonymous.” For this reason, the new DAA rules will likely encourage companies to take steps to de-identify information.</p><p>Another significant privacy challenge is that opting out of mobile targeting can be an inconvenient process. Previously, some individual mobile networks have permitted consumers to opt out by providing their phones’ device identifiers, or unique character strings. Advertising networks then retain records of the devices that have opted out of <a
href="https://www.cippguide.org/2012/05/01/perceptions-of-online-behavioral-advertising-oba/">online behavioral advertising</a>.</p><p>Users of Apple devices have the option of activating a “limit ad tracking” setting, which communicates to networks that users don’t want to be tracked. The tech giant also recently began limiting developers’ ability to access unique device identifiers (UDIDs). As an alternative, Apple offers “<a
href="http://www.zdnet.com/about-the-new-reset-advertising-identifier-button-in-ios-6-1-7000010463/">advertising identifiers</a>,” which consumers can control by either resetting or deleting.</p><p>However, certain developers still retain access to the old UDIDs, which can be used for tracking. Even without access to the UDIDs, companies can identify devices through other characteristics.</p><p><strong>In Context</strong></p><p>The DAA’s new privacy standards appear within a climate of increased regulatory scrutiny on how companies collect and use data, especially data gathered through mobile devices. The <a
href="http://www.cippguide.org/tag/ftc/">Federal Trade Commission</a> (FTC) and California Attorney General have weighed in with recommendations regarding mobile privacy.</p><p>In the previous year, for instance, the Commerce Department has held several meetings between a wide array of online companies and advocates, in an attempt to forge a consensus on mobile privacy guidelines.</p><p>A number of mobile app developers – including the well-known Path and Hipster – were <a
href="http://www.bbc.co.uk/news/technology-16962129">recently accused</a> of uploading users’ address books without their permission. The mobile social network Path recently agreed to create a comprehensive privacy policy to settle FTC charges which stemmed from the alleged uploads. Path also agreed to pay $800,000 in order to settle separate allegations that it violated the <a
href="http://www.cippguide.org/tag/coppa/">Children’s Online Privacy Protection Act</a> (COPPA), by inappropriately collecting personal data from children under age 13.</p><p><strong>Summary </strong></p><p>This article discusses the Digital Advertising Alliance’s (DAA) mobile privacy guidelines. These new standards will address targeting ads based on information collected across apps, and will allow consumers to opt out.</p><p><strong>CIPP Exam Preparation</strong></p><p>In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT), a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Business use of mobile services (I.C.f.ii.)</li><li>Privacy by policy (III.B.)</li><li>Limiting or preventing automated data capture (III.E.a.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2013/05/13/daas-mobile-privacy-rules/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Telecommunications Act of 1996 and Consumer Proprietary Network Information</title><link>https://www.cippguide.org/2013/05/10/telecommunications-act-of-1996-and-consumer-proprietary-network-information/</link> <comments>https://www.cippguide.org/2013/05/10/telecommunications-act-of-1996-and-consumer-proprietary-network-information/#comments</comments> <pubDate>Fri, 10 May 2013 12:00:32 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[CPNI]]></category> <category><![CDATA[FCC]]></category> <category><![CDATA[Telecommunications Act of 1996]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=3187</guid> <description><![CDATA[The Telecommunications Act of 1996 was signed by Congress with the intention of providing customers with more competition and diversity from their telecommunication services. Customer Proprietary Network Information (CPNI) is information that can be gathered and used by telecommunication companies for marketing [...]]]></description> <content:encoded><![CDATA[<p><strong>The Telecommunications Act of 1996</strong></p><p>The <a
href="http://www.cippguide.org/tag/telecommunications-act-of-1996/">Telecommunications Act of 1996</a> was signed by Congress with the intention of providing customers with more competition and diversity from their telecommunication services.</p><p>Section 222(a) of the 1996 Act states: “Every telecommunication carrier has a duty to protect the confidentiality of proprietary information of and relating to customers.”</p><p>This restricts the use of <a
href="https://www.cippguide.org/tag/cpni/">Customer Proprietary Network Information</a> (CPNI) to the limited purpose of providing the telecommunications services from which the CPNI was derived in the first place. For any other purposes the carrier must obtain consent from the customer before using or disclosing CPNI. It also limits the rights of a carrier or provider to use CPNI to gain unfair competitive advantage in relation to other carriers.</p><p><strong>Customer Proprietary Network Information</strong></p><p>In 1998, the <a
href="https://www.cippguide.org/tag/FCC/">Federal Communications Commission’s</a> (FCC) interpretation of section 222 of the 1996 Act identified that customer information could potentially be used in a manner that was invasive of customer privacy, and the FCC published rules to govern the specific uses of customer information by telecommunication companies. Under the rules, all service providers and carriers have a duty to protect against the unauthorised disclosure of customers’ CPNI and must have internal safeguards in place.</p><p>Information referred to as CPNI is information that can be gathered and used by telecommunication companies for marketing purposes and includes:</p><p>-          Information about the quantity, technical configuration, type, destination, location and amount of use of your communications services.</p><p>-          Information contained on your bill concerning your communications services.</p><p>Examples of CPNI may include telephone numbers that the customer calls or communications services that they purchase. It does not include the customer’s name, address or telephone number or other specific identifiable information. CPNI does not include information related to the internet, which is defined as an ‘information service’.</p><p>In 2006, the FCC strengthened the rules to protect against a practice known as ‘pretexting’, i.e. posing as the actual customer or as a police official to obtain telephone calling records. Congress passed a law making this action a crime punishable by a fine or imprisonment of up to 10 years.</p><p><em>US West case</em></p><p>Section 222 did not define a ‘telecommunication service’. 
Therefore, the FCC interpreted it to be a customer’s total combination of services obtained from any one carrier (total service approach, or TSA), allowing the use of such information for cross-promotion of services.</p><p>Section 222(c)(1) of the 1996 Act called for express customer approval requirements (an opt-in scheme) that would require customers to give affirmative consent if a carrier or provider wished to promote additional services outside of the customer’s current total-service package, using CPNI. The FCC’s interpretation was considered to be an attempt to balance the privacy interests of consumers with the deregulatory purposes of the 1996 Act.</p><p>In their challenge to the legislation, US West argued that this interpretation went too far and restricted the right to free speech under the First Amendment as it would “seriously impair carriers’ ability to communicate valuable commercial information to their customers.” The court agreed, stating that the FCC’s argument that alternative means of communication to customers were available (such as broadcast speech) did not eliminate the fact that their interpretation restricted speech. On that basis it held that the restriction was unconstitutional and struck it down.</p><p>On that basis the updated FCC interpretation of the 1996 Act states that service providers may use customers’ CPNI without prior approval to provide customers with information about services that are within the same category as the services that they have already purchased. Service providers may also request a customer to allow the provider to share CPNI with affiliates, agents or other related entities. Rather than the ‘opt-in approach’ initially adopted by the FCC, an ‘opt-out approach’ can now be applied by the carrier. This method means that a customer is deemed to have consented to the use, disclosure or access to the customer’s CPNI if the customer has failed to object to the notification of the carrier’s request for consent. 
However, the carrier must inform the customer of their preferred method and, if the company is using the ‘opt-out approach’, the notice must provide a reasonable time for the customer to opt out.</p><p><strong>Summary</strong></p><p>The Telecommunications Act of 1996 was signed by Congress with the intention of providing customers with more competition and diversity from their telecommunication services. Customer Proprietary Network Information (CPNI) is information that can be gathered and used by telecommunication companies for marketing purposes.</p><p><strong>CIPP Exam Preparation</strong></p><p>In preparation for the Certified Information Privacy Professional/United States (CIPP/US) exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Telecommunications Act of 1996 &amp; Customer Proprietary Network Information (II.E.e.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2013/05/10/telecommunications-act-of-1996-and-consumer-proprietary-network-information/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Psychological and Personality Testing in Employment Screening</title><link>https://www.cippguide.org/2013/05/08/psychological-and-personality-testing-in-employment-screening/</link> <comments>https://www.cippguide.org/2013/05/08/psychological-and-personality-testing-in-employment-screening/#comments</comments> <pubDate>Wed, 08 May 2013 12:00:15 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[ADA]]></category> <category><![CDATA[background screening]]></category> <category><![CDATA[personality evaluations]]></category> <category><![CDATA[psychological evaluations]]></category> <category><![CDATA[workplace]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=3236</guid> <description><![CDATA[Psychological and personality testing can often bring objectivity and validity to the recruitment process; however employers who administer tests in the hiring or promotion processes must be aware of the legal obstacles and privacy risks involved. This article examines some of the risks involved in testing and introduces best practices for employers interested in conducting such tests for current or future [...]]]></description> <content:encoded><![CDATA[<p>Most companies realize the value in using psychological tests as part of the employee selection and promotion process. Testing can often bring objectivity and validity to the recruitment process; however employers who administer tests in the hiring or promotion processes must be aware of the legal obstacles and privacy risks involved.</p><p><strong>Why use psychological and personality tests?</strong></p><p>Pre-employment testing can be useful in reducing the time HR personnel spend interviewing applicants by automatically eliminating a percentage of the applicant pool. Psychological tests can also be helpful in determining an employee or applicant’s honesty and integrity. Integrity tests are written tests that predict whether an employee will engage in theft, as well as reflect their general trustworthiness and dependability.</p><p><strong>Risks Involved</strong></p><p>There are significant legal implications in administering psychological tests to employees and applicants. For instance, the 2005 case <a
href="https://litigation-essentials.lexisnexis.com/webcd/app?action=DocumentDisplay&amp;crawlid=1&amp;doctype=cite&amp;docid=37+Loy.+U.+Chi.+L.J.+865&amp;srctype=smi&amp;srcid=3B15&amp;key=4ca4413db4ac264241c099f2a5169b80"><em>Karraker v. Rent-A-Center Inc.</em></a> shows the risks associated with psychological testing. The case held that administering certain psychological tests to employees violates the <a
href="https://www.cippguide.org/?p=3226">Americans with Disabilities Act</a> (ADA). The court found that the employer’s use of the <a
href="http://en.wikipedia.org/wiki/Minnesota_Multiphasic_Personality_Inventory">Minnesota Multiphasic Personality Inventory</a> (MMPI) as part of its testing process for managers violated the ADA. The MMPI is a test for adult psychopathology and can be used by medical professionals to diagnose some psychiatric disorders.</p><p>Furthermore, employers could face lawsuits from employees who believe that confidentiality laws were violated in the handling of their test results. Employers have an obligation to maintain confidentiality of the test answers and to avoid providing information that could be deemed confidential without the employee’s consent.</p><p>For these reasons, certain states have enacted laws prohibiting the psychological testing of employees. Other states have stringent statutes banning the use of lie-detector testing. Massachusetts broadened the scope of its polygraph-protection law to prevent employers from using written examinations used to render a diagnostic opinion regarding an individual’s honesty. California and Rhode Island laws require that honesty and integrity exams cannot be the primary basis for making hiring, firing or promotion decisions.</p><p><strong>Best Practices</strong></p><p>It should be clear that use of psychological or personality testing of current or potential employees represents a risk for litigation. Employers still considering such tests should consider the following precautions and practices:</p><ul><li>Never use psychological or personality tests as the sole criterion for hiring or promotion decisions.</li><li>Avoid using tests that require analysis by a psychologist, psychiatrist or social worker.</li><li>Review existing tests to ensure they do not include a psychological diagnostic component. 
Ensure the test does not contribute to a finding of a particular mental impairment or psychological disorder.</li><li>Ensure the test is statistically valid, reliable and devoid of cultural and ethnic bias.</li><li>Use tests that are job-related and of a business necessity.</li><li>Administer the test in a standardized fashion that ensures that all job applicants or employees are assessed in the same way.</li><li>Monitor the test results to ensure that there is not a disparate impact on certain groups.</li><li>Take active steps to ensure the confidentiality of test responses.</li><li>Monitor workplace statistics on attrition, theft, turnover and production to determine whether the use of these tests has resulted in a reduction of identified counterproductive or undesirable behaviors.</li><li>Consult a lawyer or advisor with expertise in the area of employment screening before implementing testing activities. At the very least, an employer must comply with federal requirements, as well as any additional requirements imposed by the state where the test is being administered.</li></ul><p><strong>Common Tests</strong></p><p>Psychological and personality tests assess an individual’s general aptitude, intelligence and personality. Some common test types are introduced below.</p><ul><li><a
href="http://en.wikipedia.org/wiki/Myers-Briggs_Type_Indicator">Myers-Briggs Type Indicator</a> – This testing system is generally used by private companies and federal government agencies. It organizes personality data along four scales of opposing characteristics. Companies use this test to match employees to the right jobs, improve organizational communications and design training programs.</li><li><a
href="http://www.personal.psu.edu/j5j/IPIP/">IPIP-NEO Personality Test</a> – This measures an employee’s personality across five broad personality categories and 30 sub-categories. Organizations often use this test to evaluate an employee’s ability to get along in a multicultural setting.</li><li><a
href="http://www.kolbe.com/">Kolbe Index</a> – This is based on the notion that an employee’s problem-solving abilities are stable and independent of intelligence, personality and education. Employees are asked to answer several multiple-choice questions based on problem-solving scenarios.</li></ul><p><strong>Summary</strong></p><p>Psychological and personality testing can often bring objectivity and validity to the recruitment process; however employers who administer tests in the hiring or promotion processes must be aware of the legal obstacles and privacy risks involved. This article examines some of the risks involved in testing and introduces best practices for employers interested in conducting such tests for current or future employees.</p><p><strong>CIPP Exam Preparation</strong></p><p>In preparation for the Certified Information Privacy Professional/United States (CIPP/US) exam,  a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Employee background screening (IV.B.a.)</li><li>Screening methods – personality and psychological evaluations (IV.B.a.ii.1.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2013/05/08/psychological-and-personality-testing-in-employment-screening/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Evidon Launches Mobile Privacy Solution Ad Control</title><link>https://www.cippguide.org/2013/05/06/evidon-launches-mobile-privacy-solution-ad-control/</link> <comments>https://www.cippguide.org/2013/05/06/evidon-launches-mobile-privacy-solution-ad-control/#comments</comments> <pubDate>Mon, 06 May 2013 12:00:02 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[Ad Choices]]></category> <category><![CDATA[Behavioral Advertising]]></category> <category><![CDATA[Choice]]></category> <category><![CDATA[Consent]]></category> <category><![CDATA[DAA]]></category> 
<category><![CDATA[Evidon]]></category> <category><![CDATA[FTC]]></category> <category><![CDATA[Notice]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=3292</guid> <description><![CDATA[This article introduces Evidon’s latest app, Ad Control, which is essentially the mobile counterpart to the ad industry’s Ad Choices self-regulatory program that permits consumers to opt-out of online-targeted [...]]]></description> <content:encoded><![CDATA[<p>The advertising industry’s <a
href="http://www.youradchoices.com/">Ad Choices</a> self-regulatory program met its mobile counterpart in early April 2013. The free app, known as Ad Control, was developed by <a
href="http://www.evidon.com/">Evidon</a> and initially released in the Apple App Store, with the Android version to be made available later in the month.</p><p>The <a
href="http://www.aboutads.info/">Digital Advertising Alliance</a> (DAA) is set to announce its mobile privacy standards and Evidon’s release is assumed to enable compliance. The DAA first introduced its Ad Choices program in 2011 in response to growing concerns at the <a
href="https://www.cippguide.org/tag/ftc/">Federal Trade Commission</a> (FTC) and the government that consumers required a way to opt out of behaviorally targeted ads.</p><p>Although regulators appear satisfied that the industry is indeed protecting consumer privacy online via self-regulatory efforts, they have also been pressing for a mobile solution, which the industry has been promising to deliver for over a year.</p><p>As Evidon provides the privacy controls for many of the companies participating in the DAA’s online Ad Choices program, Ad Control launched with broad participation from the mobile ad industry, including IPG Mediabrands, GroupM and VivaKi, which are responsible for about 60 percent of all mobile ads, and 20 of the world’s leading mobile ad networks, such as Google Ad Exchange, Tapad, ActionX, MediaMath and Jumptap.</p><p>According to Evidon’s <a
href="http://www.evidon.com/blog/first-mobile-privacy-control-app-here">blog</a>, Ad Control is important for consumers because, “It gives them simple, robust privacy controls where they arguably need it the most.” After all, according to FTC consumer protection lead David Vladeck, 67 percent of smartphone users sleep with their smartphones.</p><p>Scott Meyer at Evidon <a
href="http://www.evidon.com/blog/first-mobile-privacy-control-app-here">pointed out</a>,</p><p>“For businesses, [Ad Control] is about being able to more completely leverage the mobile channel, because now, doing it responsibly – across all environments – is easy. To integrate into Ad Control, publishers and networks don’t have to install or make any changes to SDK’s. Each individual partner’s opt-out is accommodated automatically – no single, unique identifiers required, no relying on a third-party database of consumer opt-out preferences, which could introduce performance and security issues.”</p><p><strong>Who is Evidon?</strong></p><p>Founded in 2009, Evidon is a NYC-based tech-company that purports to reveal the invisible web. It may be best-known for its technology, <a
href="http://www.ghostery.com/">Ghostery</a>, the industry-leading browser tool that reports on data collection across 26 million websites and informs the company’s business control solutions. Evidon also provides market-leading privacy controls for over $2 billion of display media and e-commerce transactions each year.</p><p>Evidon is based on the following core principles:</p><ul><li>Foster a more transparent internet to help businesses grow and protect consumers.</li><li>Promote responsible data collection/usage by enabling people and businesses to see all of that tracking clearly, understand what it does, and control it in a way that empowers them.</li><li>Provide simple solutions for complex policy problems, and complex business problems.</li><li>Ensure that notice and choice are consistent with the FTC’s principles, industry’s Self-Regulatory Principles and European legal principles to protect consumers and ensure that businesses comply with those regulations effectively.</li><li>Use data on behalf of customers, but never collect, sell or trade advertising inventory or data that targets consumers.</li><li>Provide neutral data and tools for enforcement means, but never assume an enforcement role.</li></ul><p><strong>IBM’s DDX</strong></p><p>In March of 2013, Evidon announced that its <a
href="http://www.evidon.com/inform">InForm</a> solution would be joining <a
href="http://www-01.ibm.com/software/marketing-solutions/digital-data-exchange/">IBM’s Digital Data Exchange (DDX)</a>, enabling IBM Digital Analytics clients to comply with global privacy regulations easily, via a direct integration of Evidon privacy control tags into IBM’s DDX.</p><p>This partnership means that Evidon would become an IBM DDX Certified Partner. InForm tags – which enable businesses to provide privacy notices on websites to give consumers transparency and control over how their data is collected – will be easily accessible to all IBM DDX clients. The integration will enable those clients to test and deploy Evidon website notices across their sites, directly from the DDX interface, which eliminates the need to spend valuable resources on manual deployments.</p><p>Evidon’s InForm represents the industry-standard method for delivering essential privacy notices (e.g. those needed to comply with the EU’s <a
href="https://www.cippguide.org/tag/eu-e-privacy-directive/">ePrivacy Directive</a>) to hundreds of millions of consumers each day, providing them the control over tracking in over 40 languages worldwide.</p><p>IBM’s DDX is a tag management solution. It simplifies the management of IBM and third-party page tags, allowing clients to deploy and maintain website pages with minimal IT support.</p><p><strong>Summary </strong></p><p>This article introduces Evidon’s latest app, Ad Control, which is essentially the mobile counterpart to the ad industry’s Ad Choices self-regulatory program that permits consumers to opt-out of online-targeted ads.</p><p><strong>CIPP Exam Preparation</strong></p><p>In preparation for the Certified Information Privacy Professional/Information Technology (CIPP/IT), a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Types of notice and choice (IV.A.)</li><li>Software-based notice and consent (IV.B.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2013/05/06/evidon-launches-mobile-privacy-solution-ad-control/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>The Wireless Domain Registry</title><link>https://www.cippguide.org/2013/05/03/the-wireless-domain-registry/</link> <comments>https://www.cippguide.org/2013/05/03/the-wireless-domain-registry/#comments</comments> <pubDate>Fri, 03 May 2013 12:00:03 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[CAN-SPAM]]></category> <category><![CDATA[FCC]]></category> <category><![CDATA[wireless domain registry]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=3182</guid> <description><![CDATA[As part of the federal CAN-SPAM Act, the FCC must require cell providers (i.e. commercial mobile radio services) to turn over the names of the internet domains on which they provide service. This article explores the so-called “wireless domain [...]]]></description> <content:encoded><![CDATA[<p>The <a
href="http://www.cippguide.org/tag/can-spam/">Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003</a> (CAN-SPAM Act) aims to prohibit the transmission of commercial messages to any address referencing an Internet domain name associated with a wireless subscriber messaging service, unless the individual addressee has given the sender express prior authorisation. To assist senders of commercial messages in identifying the addresses that belong to wireless subscribers, the Act required that wireless service providers supply the <a
href="https://www.cippguide.org/tag/fcc/">Federal Communications Commission</a> (FCC) with the relevant domain names. The object of the Act is to cut down on unwanted spam to wireless phones and other devices without the express consent of the consumer.</p><p>The FCC’s <a
href="http://en.wikipedia.org/wiki/Telephone_Consumer_Protection_Act_of_1991">Telephone Consumer Protection Act</a> (TCPA) prohibits marketers from using automatic dialling systems to make calls to wireless parties, unless it is an emergency situation or the marketers have express prior consent. Wireless devices may include cell-phones, pagers, etc.</p><p>A ‘mobile service commercial message’ (MSCM) is an e-mail message that is sent to an e-mail address on an Internet domain of a wireless carrier. Most wireless carriers maintain an Internet domain name that can be used to send MSCMs to the wireless devices of users on their network.</p><p>In 2004 the FCC announced that carriers could begin to submit their wireless domain names to the FCC for inclusion in a wireless domain names database. This list is updated regularly as the Commission receives additional submissions. Under the regulations, carriers must:</p><p>-          File any future updates to listings with the Commission not less than 30 days before issuing subscribers any new or modified domain names.</p><p>-          Remove any domain name that has not been issued to subscribers or is no longer in use within 6 months of placing it on the list or last date of use.</p><p>The wireless domain list was made available in 2005 and marketers are required to adjust any e-mail campaign lists accordingly. 
Unless a recipient has given express prior authorisation, a person must not initiate marketing via e-mail to any address with a domain name that has been on the list for at least 30 days before the message is sent or otherwise knowingly initiate a mobile service commercial message.</p><p>If prior authorisation is given, the rules provide that senders of commercial e-mails must comply with the following:</p><p>-          Stop sending MSCMs within 10 days of receiving an opt-out request from a commercial wireless service provider.</p><p>-          Place a ‘conspicuously marked opt-out mechanism’ in the MSCM so that consumers can request that they no longer be sent additional MSCMs.</p><p>-          Provide the customers with the opportunity to opt-out via the same electronic method by which they initially provided their consent.</p><p>-          Have at least one opt-out mechanism that is free of charge.</p><p>-          Clearly identify to consumers who the sender is. For example, if a third party sends commercial e-mails on a company’s behalf, the e-mails must have the latter’s name clearly marked as the sender of the e-mail.</p><p>-          Keep operational the opt-out mechanism identified in the MSCM for at least 30 days following the transmission of an MSCM.</p><p>The FCC list is provided by wireless carriers as opposed to individual customers. The <a
href="https://www.cippguide.org/tag/ftc/">Federal Trade Commission</a> (FTC) has previously rejected a national do-not-spam registry due to fears that spammers would obtain the list and, as a list of working e-mail addresses, spam them.</p><p>The FTC is the primary enforcer of the CAN-SPAM Act but federal, state and private parties can also bring claims for violation. Penalties for non-compliance vary depending on the party bringing the claim and on whether the violation was ‘wilful, knowing or aggravated.’ Penalties may be up to $11,000 per violation.</p><p><strong>Summary</strong></p><p>As part of the federal CAN-SPAM Act, the FCC must require cell providers (i.e. commercial mobile radio services) to turn over the names of the internet domains on which they provide service. This article explores the so-called “wireless domain registry.”</p><p><strong>CIPP Exam Preparation</strong></p><p>In preparation for the Certified Information Privacy Professional/United States (CIPP/US) exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Wireless Domain Registry (II.E.d.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2013/05/03/the-wireless-domain-registry/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Employee Background Screening: Part II, A closer look at requirements and methods</title><link>https://www.cippguide.org/2013/05/01/employee-background-screening-part-ii-a-closer-look-at-requirements-and-methods/</link> <comments>https://www.cippguide.org/2013/05/01/employee-background-screening-part-ii-a-closer-look-at-requirements-and-methods/#comments</comments> <pubDate>Wed, 01 May 2013 12:00:58 +0000</pubDate> <dc:creator>hannah</dc:creator> <category><![CDATA[Privacy]]></category> <category><![CDATA[ADA]]></category> <category><![CDATA[Adam Laurie]]></category> <category><![CDATA[background screening]]></category> <category><![CDATA[FBI]]></category> 
<category><![CDATA[FCRA]]></category> <category><![CDATA[workplace privacy]]></category><guid
isPermaLink="false">https://www.cippguide.org/?p=3234</guid> <description><![CDATA[Job applicants and existing employees and volunteers may be asked to submit background checks for a wide variety of reasons. This article introduces the various methods and sources of information for background checks and pre-employment screening. While the Fair Credit Reporting Act (FCRA) regulates the type of information that may be included on background reports, there are two major loopholes that are commonly used in the screening [...]]]></description> <content:encoded><![CDATA[<p>Background checks are widely used in hiring and promotion decisions. Job applicants and existing employees and volunteers may be asked to submit background checks. For certain positions, screening may actually be required by state or federal law. This article builds on the background screening practices and regulations introduced in a <a
href="https://www.cippguide.org/?p=3230">previous article</a>.</p><p><strong>Sources of Information</strong></p><p>Employers may consult a wide variety of information sources as part of a pre-employment check, including:</p><ul><li>Credit reports – Under the <a
href="https://www.cippguide.org/tag/fcra/">Fair Credit Reporting Act</a>, businesses are required to obtain an employee’s written consent before seeking an employee’s credit report.</li><li>Criminal records &#8211; State law determines the extent to which a private employer may consider an applicant’s criminal history in making employment decisions. Federal law also gives the <a
href="http://www.fbi.gov/about-us/cjis/background-checks/backgroundchk">Federal Bureau of Investigation</a> (FBI) the authority to conduct a criminal history record check for non-criminal justice purposes. The FBI can exchange criminal history record information with officials of state and local governments for employment, licensing, which includes volunteers, and other similar non-criminal justice purposes.</li><li>Lie detector tests – The <a
href="http://www.dol.gov/whd/polygraph/">Employee Polygraph Protection Act</a> (EPPA) prohibits most employers from using lie detector tests, for pre-employment screening or during the course of employment. However, the EPPA includes a list of exceptions that apply to businesses that provide armored car services, alarm or guard services, or those that manufacture, distribute, or dispense pharmaceuticals. Although there is no federal law prohibiting use of a written honesty test on job applicants, these tests frequently violate federal and state laws that protect against discrimination and privacy violations.</li><li>Medical records – Under the <a
href="https://www.cippguide.org/?p=3226">Americans with Disabilities Act</a> (ADA), employers cannot discriminate based on a physical or mental impairment or request an employee’s medical records. However, businesses are permitted to inquire about an applicant’s ability to perform specific job duties. Some states also have stricter laws protecting the confidentiality of medical records.</li><li>Bankruptcies – Bankruptcies are a matter of public record and may appear on an individual’s credit report. The federal <a
href="http://eh.net/encyclopedia/article/hansen.bankruptcy.law.us">Bankruptcy Act</a> prohibits employers from discriminating against applicants because they have filed for bankruptcy.</li><li>Military service – These records may be released only under limited circumstances, and consent is normally required. The military is permitted to disclose name, rank, salary, duty assignments, awards and duty status without the service member’s consent.</li><li>School records – Under the <a
href="https://www.cippguide.org/tag/ferpa/">Family Educational Rights and Privacy Act</a> (FERPA) and other similar state laws, educational records such as transcripts, recommendations and financial information are confidential and will not be released by the school without a student’s consent.</li><li>Worker’s compensation records – Worker’s compensation appeals are a matter of public record. Information from appeals may be used in a hiring decision, if the employer can show the applicant’s injury might interfere with his/her ability to perform required duties.</li><li>Psychological and personality testing – Such tests may assess individuals’ general aptitude, intelligence and personality.</li></ul><p><strong>Blind Spots</strong></p><p>Under the <a
href="https://www.cippguide.org/tag/fcra/">Fair Credit Reporting Act</a> (FCRA), background checking agencies are required to maintain procedures to ensure the accuracy of the information they report about the consumer. The FCRA regulates what can and cannot be included on reports; however, there are two major loopholes. First, if the employer does not use a third-party screening company, but opts to conduct the background check itself, it is not subject to the notice and consent provisions of the FCRA.</p><p>Secondly, the employer might tell the rejected applicant that the adverse decision was not based on the contents of the background investigation, but that the job pool was so exceptional that it made its hiring decision based on the fact that there were individuals more qualified than the applicant.</p><p>In both situations, the applicant would not have the ability to obtain a copy of the background check to find out what negative information it contained.</p><p><strong>Summary</strong></p><p>Job applicants and existing employees and volunteers may be asked to submit background checks for a wide variety of reasons. This article introduces the various methods and sources of information for background checks and pre-employment screening. While the Fair Credit Reporting Act (FCRA) regulates the type of information that may be included on background reports, there are two major loopholes that are commonly used in the screening process.</p><p><strong>CIPP Exam Preparation</strong></p><p>In preparation for the Certified Information Privacy Professional/United States (CIPP/US) exam, a privacy professional should be comfortable with topics related to this post, including:</p><ul><li>Employee background screening (IV.B.a.)</li><li>Screening requirements under FCRA (IV.B.a.i.)</li><li>Screening methods (IV.B.a.ii.1. 
– IV.B.a.ii.4.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2013/05/01/employee-background-screening-part-ii-a-closer-look-at-requirements-and-methods/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> </channel> </rss>