Data privacy is our top priority at Scherzer International (“SI”).  SI has undertaken diligent efforts to ensure our compliance with the GDPR which became effective May 25, 2018.  Here are some of the things that we’ve done:

  • We added a clause about GDPR* compliance setting forth our respective obligations under this regulation to our Terms and Conditions Agreement (the “Agreement”), which now – unless superseded by another agreement – governs SI’s provision of background screening reports (“Reports”). The Agreement can be accessed here and is applicable to all Reports ordered from SI on or after May 25, 2018 (“Effective Date”).
  • We revised our Privacy Policy by adding information about our compliance with the GDPR requirements regarding the processing of personal data of individuals located in the European Economic Area (EEA) covered by the GDPR and made some wording changes for clarity.  Please note that as before, our website does not use cookies or otherwise track any personal data.
  • We posted a “GDPR Notice” on our website, which informs EEA individuals of their rights in connection with their personal data.

There is no need for you to take any action. By continuing to interact with SI and using our services after the Effective Date, you agree to these terms.

Of course, you can opt out at any time, by contacting Joann Gold, Executive Vice President/Chief Compliance Officer, at


*“GDPR” means Regulation 2016/679 of the European Parliament and of the Council of the European Union, and the European Commission of April 27, 2016, on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, known as the General Data Protection Regulation.

The EU-US Privacy Shield for transatlantic data transfers makes its debut

Announced on February 2, 2016 by the European Commission, the new political agreement called the Privacy Shield, reflects the requirements set out by the European Court of Justice in its ruling on October 6, 2015, which declared the old Safe Harbor privacy framework invalid.

The new arrangement calls for strong data privacy and security measures and robust enforcement of U.S. companies handling Europeans’ personal data, clear safeguards and transparency for U.S. government access, and effective protection of EU citizens’ rights with several redress possibilities.

The College of Commissioners is now preparing an adequacy decision regarding the Privacy Shield–the Article 29 Working Party (the “Working Party”), a data protection authority, is requesting that all documents be provided  by the end of February 2016 so that it can complete its assessment of the new framework at a special plenary meeting shortly thereafter. In a statement issued February 3, 2016, the Working Party provided some assurances that during this period of transition, transfer mechanisms, such as standard contractual clauses (which are data transfer agreements approved by the Commission) and binding corporate rules (generally described as internal data processing rules binding on all members of a global corporate group) to permit intragroup transfers of personal data) can still be used as transfer tools to the U.S.

Organizations that certified compliance under the Safe Harbor regime must continue to meet their obligations in connection with previously transferred personal data to avoid enforcement actions by the Commerce Department or the Federal Trade Commission, which consider the Safe Harbor as still binding. In the interim, implementing the above-mentioned clauses should also be considered to the extent they supplement the Safe Harbor platform. It appears that the Privacy Shield, at least initially, will rely significantly on the Safe Harbor framework, and it is likely that the Department of Commerce will offer a means for Safe Harbor certified organizations to transition to the Privacy Shield.

U.S. Supreme Court case offers window into CFPB’s position on the FCRA

The U.S. Supreme Court has agreed to hear a closely followed case involving the Fair Credit Reporting Act (the “FCRA”) that will have great significance on privacy law. In connection with this case, the Consumer Financial Protection Bureau (CFPB) offered a glimpse of its stance on the FCRA in an amicus brief recently filed with the U.S. Supreme Court.

In 2012, the Bureau took over the enforcement reins of the FCRA from the Federal Trade Commission (FTC). Since then, the industry has watched for signs on how the Bureau would tackle its new job, with few clues. But in an amicus brief filed jointly with the Solicitor General in Spokeo v. Robins, the CFPB weighed in, taking a consumer-friendly position on the statute.

The dispute began when Robins claimed that Spokeo ran afoul of the FCRA. The site allows users to obtain information about other individuals like address, phone number, employment information, and economic data such as mortgage value and investments. Robins sued after finding incorrect information about himself on the site, alleging that Spokeo was a consumer reporting agency (CRA) under the FCRA and sold “consumer reports” but failed to comply with the various statutory requirements by neglecting to assure the maximum possible accuracy of the information reported on its site and failing to provide notice of statutory responsibilities to purchasers of its reports.

Relying on Section 1681n of the FCRA, which grants consumers a cause of action against an entity that negligently or willfully violates “any requirement imposed

[under the FCRA] with respect to [that] consumer,” Robins filed a putative class action. A federal district court dismissed the suit for a lack of standing but the Ninth Circuit Court of Appeals reversed. The federal appellate panel held that Robins sufficiently alleged an injury in fact because Congress created a right of action to enforce a statutory provision, demonstrating intent to create a statutory right.

Spokeo petitioned the U.S. Supreme Court to take the case. The CFPB filed the amicus brief, siding with the plaintiff and arguing that the justices should deny the writ of certiorari. The Bureau argued to the Court that the statutorily created cause of action found in the FCRA satisfied the injury required for Article III standing. While recognizing that Congress does not have unlimited power to define the class of plaintiffs who may sue in federal court, the CFPB said the legislature “may grant individuals statutory rights that, when violated, confer standing, and the clear language of the FCRA did just that.”

“FCRA thus grants an individual consumer a statutory entitlement to be free from a CRA’s actual dissemination of inaccurate information about him when the CRA fails to employ ‘reasonable procedures’ to assure the information’s accuracy,” according to the CFPB’s brief. A CRA’s willful failure to follow reasonable procedures to ensure that an accurate report about a consumer is disseminated violates a ‘requirement imposed under [FCRA] with respect to [that] consumer.’ It is also a concrete and particularized injury to the consumer because it involves the actual, specific, and non-abstract act of disseminating information about the particular consumer.” This reading – recognizing a legally protected interest in consumer privacy – “is particularly salient in modern-day society given the proliferation of large databases and the ease and rapidity with which information about individuals can be transmitted and retransmitted across the Internet,” the CFPB added, as “public dissemination of inaccurate personal information about the plaintiff is a form of ‘concrete harm’ that courts have traditionally acted to redress, whether or not the plaintiff can prove some further consequential injury.”

Read the CFPB’s amicus brief in Spokeo v. Robins here.

Read the opinion of the U.S. Court of Appeals for the Ninth Circuit here.


June 12th, 2015|FCRA, Judgment|

Privacy laws gain momentum in Congress

President Barack Obama has made data security a priority in recent weeks.

Speaking at the Federal Trade Commission (FTC) in January, the President announced three pieces of legislation: the Student Digital Privacy Act (which would prohibit the sale of sensitive student data for non-education purposes), the codification of the Consumer Privacy Bill of Rights issued by the White House in 2012, and the Personal Data Notification & Protection Act.

Implicating businesses across the country, the Data Notification Act would establish nationwide, uniform data breach notification rules that would preempt the existing collection of 47 different state laws. Criminal penalties for hackers would also be strengthened and companies would be required to notify consumers of a breach within 30 days.

Broader than prior proposals of federal data breach notification bills, the Act defines “sensitive personally identifiable information” to include a range of data, like an individual’s first and last name or initial and last name in combination with two other items like a home address or telephone number, birthdate, or mother’s maiden name, a Social Security number by itself, and a user name or e-mail address in combination with a password or security question answer that would permit access to an online account.

The notice provisions allow companies to inform consumers of a breach by mail, telephone, and e-mail, under certain conditions. When more than 5,000 individuals are affected in a single state, media notice is required; if more than 5,000 total individuals (regardless of residence) are impacted, the company must also notify credit reporting agencies and the federal government.

Although the bill designates the FTC as the primary enforcement agency, with the authority to promulgate rules pursuant to the law, the measure also requires the agency to coordinate with the Consumer Financial Protection Bureau (CFPB) where a data breach relates to “financial information or information associated with the provision of financial products or services.”

Some exemptions are included in the proposed bill. A business that does not access, store, or use covered data for more than 10,000 individuals during a 12-month period is exempt from the individual notice requirements. Safe harbor is also provided for companies that conduct a “risk assessment” that determines the data breach did not result in – and will not result in – harm to affected individuals. The business must notify the FTC of its “risk assessment” results and affirmatively indicate its intent to invoke the safe harbor.

A few days after he presented the proposal, President Obama reiterated his intent to pass data security measures in his State of the Union address, sending a message that he is focused on cybersecurity and privacy in the coming legislative session. Recent high-profile cyberattacks and data breaches (think Sony and Target) have also led to support from lawmakers and consumers, giving the bill momentum, but the question of its passage remains uncertain.

Learn more about Personal Data Notification & Protection Act

February 23rd, 2015|Legislation|

California expands privacy protections for state residents

A perennial trendsetter with regard to data security and privacy, California has updated its state law with tweaks that expand the scope of the privacy protections for state residents.

A.B. 1710 made three changes to existing law that go into effect January 1, 2015: first, businesses that maintain “personal information” about California residents must “implement and maintain appropriate and reasonable security procedures and practices” to protect the data from “unauthorized access, destruction, use, modification, or disclosure.” Personal information is defined to include an individual’s first name or first initial and last name, Social Security number, driver’s license number, as well as medical and financial account information.

Second, if a person or business was “the source” of a data breach and offers to provide identity theft prevention and mitigation services to affected individuals, the business must offer the services at no cost for at least 12 months. Some controversy has swirled around this provision, with debate on whether the language actually requires businesses to provide one year of free identity theft protection and mitigation services or if the law simply requires that if the services are offered, they last for 12 months and are provided gratis. Additional guidance may be forthcoming.

Finally, the new legislation prohibits a business from “selling, offering for sale, or advertising for sale” Social Security numbers. Limited exceptions were noted in the bill, including “if the release

[not necessarily a sale] of the Social Security number is incidental to a larger transaction and is necessary to identify the individual in order to accomplish a legitimate business purpose” or “for a purpose specifically authorized or specifically allowed by federal or state law.”

The law’s scope reaches well beyond the borders of California, as it applies to businesses that maintain any personal information about a state resident. Companies would be well advised to familiarize themselves with the new requirements.

To read AB 1710, click here.

December 3rd, 2014|Legislation, Privacy|

California passes two new data privacy laws

Effective January 1, 2014, California will have two new data privacy laws: AB 370, which mandates disclosure of “do not track” and other tracking practices in online privacy policies, and SB 46, which amends the state’s data security breach notification law.

AB 370 adds to the California Online Privacy Protection Act (“CalOPPA”) a requirement for companies that collect personally identifiable information online to include disclosures regarding (1) how they respond to a web browser’s “do not track” (DNT) signal, and (2) if third-parties can collect personal information across a network of sites. The law does not require websites to honor browser DNT signals or block third-party tracking; it simply tries to increase transparency about the site’s practices.

SB 46 adds a new category of data triggering California’s breach notification requirements, to wit: “a user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.” The new law requires notification of unauthorized access to user credential information even if that information is encrypted.

October 25th, 2013|Educational Series, Legislation, Privacy|

California passes bill that would require policy disclosures for “do not track”

On August 28, 2013, the California State Senate and Assembly passed AB 370, to amend the California Online Privacy Protection Act (CalOPPA) that would require operators of commercial websites or “online services” accessible to California residents to disclose how the site responds to “do not track” (DNT) browser settings, which in turn will trigger enforceability by federal and state authorities. The amendment is expected to be signed by Governor Jerry Brown. 

September 12th, 2013|Legislation|

Virginia takes workers’ privacy to a new level

Starting July 1, 2013, new Virginia Code §40.1-28.7:4 provides that “employers shall not, unless a listed exemption applies, be required to release, communicate, or distribute to a third-party, any current or former employee’s personal identifying information.”

In this context, “personal identifying information” is defined as a “home telephone number, mobile telephone number, e-mail address, shift times, or work schedule.”  Exceptions permitting the disclosure of such information include requirements of federal laws that supersede state statutes, court orders, judicial warrants or a subpoena in a civil or criminal case. Although there is no penalty, the statute establishes a public policy that endorses protection of the personal identifying information and could be used in a lawsuit against employers.

The White House casts “Consumer Privacy Bill of Rights”

Over two years in the making, and backed by online ad powerhouses such as AOL, Microsoft, Yahoo, and even Google, the Bill of Rights announcement on February 22, 2012 pulls together consumer privacy initiatives of both the Federal Trade Commission (FTC) and the Commerce department. Intended to lead to new legislation that fills the gaps of current U.S. privacy laws, the bill promotes a set of standards for the fair handling of private information based on a set of principles that date back to the early 1970s known as the Fair Information Practices.
The Consumer Privacy Bill of Rights applies to personal information, which means any data, including aggregations of data that is identifiable to a specific individual, and to a specific computer or other device. According to the Administration, this bill will establish codes of conduct and call for strong enforcement, ultimately increasing interoperability between the U.S. consumer data privacy framework and that of its international partners. Below are the bill’s highlights.
  • Individual control. Consumers have a right to exercise control over what personal data companies collect from them and how they use it.
  • Transparency. Consumers have a right to easily understandable and accessible information about privacy and security practices.
  • Respect for context. Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data.
  • Security. Consumers have a right to a secure and responsible handling of personal data.
  • Access and accuracy. Consumers have a right to access and correct personal data in usable formats, in a manner that is appropriate to the sensitivity of the data and the risk of adverse consequences to consumers if the data is inaccurate.
  • Focused collection. Consumers have a right to reasonable limits on the personal data that companies collect and retain.
  • Accountability. Consumers have a right to have personal data handled by companies with appropriate measures in place to ensure that they adhere to the Consumer Privacy Bill of Rights.
March 2nd, 2012|Legislation|

Scraping to find your real name has applied for a patent for a way to, among other things, match people’s real names to pseudonyms they use on blogs, Twitter and online forums. A statement on its patent application describes the invention as “a method for aggregating over a network, personal information available from public sources.”

PeekYou’s people-watch Web site offers records of about 250 million people, primarily in the U.S. and Canada. PeekYou says it also is starting to work with listening services to help them learn more about the people whose conversations they are monitoring. It claims to provide only demographic information, not names or addresses.

December 22nd, 2010|Educational Series|
Go to Top