Cisive Quarterly Compliance Update Summer 2026
Compliance

Quarterly Compliance Update: Summer 2026

This quarter’s compliance article roundup highlights the latest updates from the federal government, the growing impact of AI, and the continued proliferation of Fair Chance legislation.

From the EEOC rescinding two guidance documents on voluntary affirmative action programs, to increased scrutiny of AI tools in hiring processes, employers face ongoing challenges with evolving technology and interpretations of employment law.

Additionally, state and international regulators continue to introduce new privacy, background screening, and employment requirements, highlighting the value of a proactive and evolving compliance program.

 

 

Key Points

FEDERAL UPDATES

  • EEOC Rescinds Forty-Year-Old Affirmative Action Guidance
  • Seventh Circuit Addresses BIPA Damage Accrual
  • Use of AI in Employment and the Legal Implications
  • Five Eyes Issue Call to Action to Protect Against AI Cyber Threats

FEDERAL UPDATES

 

EEOC Rescinds Forty-Year-Old Affirmative Action Guidance: Why Employers Should Review Their DEI and Employment Practices Now

 

June 30, 2026, the U.S. Equal Employment Opportunity Commission (“EEOC”) voted to rescind two longstanding guidance documents that, for more than four decades, provided employers with a roadmap for implementing voluntary affirmative action programs under Title VII of the Civil Rights Act of 1964. The Commission withdrew its 1979 interpretive guidance entitled Affirmative Action Appropriate Under Title VII of the Civil Rights Act of 1964 and the related Section 607 of the EEOC Compliance Manual. According to EEOC Chair Andrea Lucas, the agency concluded that the guidance no longer reflects the text of Title VII or current Supreme Court precedent. Although the EEOC’s action does not amend Title VII or eliminate all affirmative action programs, it represents another significant step in the federal government’s continuing shift toward a color-blind interpretation of federal employment discrimination laws. For employers, this is an appropriate time to conduct a privileged review of hiring, promotion, compensation, and diversity initiatives.

 

The EEOC’s Position

 

When the original guidance was adopted in 1979, the EEOC encouraged employers to voluntarily implement narrowly tailored affirmative action plans designed to remedy identifiable barriers affecting women and minorities. The Commission has now determined that portions of that guidance are inconsistent with the Supreme Court’s modern interpretation of Title VII, which protects every individual from discrimination because of race, sex, religion, national origin, or other protected characteristics. The rescission itself does not prohibit employers from pursuing workplace diversity or expanding recruiting efforts. Rather, it reflects the EEOC’s position that employment decisions should not be based upon an applicant’s or employee’s protected characteristics unless specifically authorized by law.

 

Part of a Larger Trend

 

The EEOC’s action did not occur in a vacuum. Over the past several years, the Supreme Court has steadily emphasized that anti-discrimination laws protect individuals, not groups. In 2023, the Supreme Court’s decision in Students for Fair Admissions v. President and Fellows of Harvard College significantly limited the use of race-conscious admissions policies in higher education. Although that case addressed educational institutions rather than employers, many employers reevaluated their DEI initiatives in light of the Court’s reasoning regarding equal treatment. More recently, in Ames v. Ohio Department of Youth Services, the Supreme Court unanimously held that so-called “reverse discrimination” plaintiffs are not subject to a heightened evidentiary standard under Title VII. The Court reaffirmed that Title VII protects every employee equally, regardless of whether the employee belongs to a majority or minority group. Taken together, these developments strongly suggest that federal courts, and now the EEOC, will closely scrutinize employment practices that expressly consider race or sex when making employment decisions.

 

Click Here for the Original Article

Seventh Circuit Addresses Biometric Information Privacy Act (BIPA) Damage Accrual (US)

Many employers collect biometric data like retina or iris scans, voiceprints, hand scans, fingerprints, facial scans and DNA from their employees to track working hours, allow employee admittance to secure areas or provide access to pay stubs, among other reasons. The Illinois Biometric Information Privacy Act (BIPA) was enacted in 2008 to regulate and safeguard how private entities in Illinois handle biometric information and imposes notice and consent requirements for the collection and storage of such data.

Since 2019, if a covered employer mishandles an individual’s data, BIPA grants the individual a private right of action to sue the company. Importantly, the individual does not need to prove actual financial or physical harm to sue under BIPA. This serves as an important reminder to Illinois employers of their obligations when collecting biometric data from any individual, including potential or current employees. These include:

  • Written Informed Consent: Companies must inform individuals in writing about the collection, purpose and duration of the biometric data storage, and must obtain a signed written release.
  • Prohibition on Selling or Profiting: Companies may not sell, lease or profit in any way from an individual’s biometric data.
  • Data Policies: Companies must develop and publish a written policy regarding retention and data destruction. This policy must be publicly available.

BIPA violations carry steep penalties. Individuals may recover up to $1,000 per negligent violation and up to $5,000 per intentional or reckless violation. For many years, courts counted each individual biometric scan as a separate BIPA violation, leading to very substantial aggregate penalties. For example, in Cothron v. White Castle System, Inc., a class of employees alleged that they scanned their fingerprints to access pay stubs and computers. White Castle used a third-party vendor to verify each scan and authorize the employee’s access. White Castle did not seek the plaintiff’s consent to acquire her fingerprint until 2018, 14 years after her employment with the company commenced. In 2023, despite recognizing the risk of “annihilative liability” resulting from its analysis, the Illinois Supreme Court ruled that, based on the plain language of the statute, a separate claim accrues under BIPA each time a private entity scans or transmits an individual’s biometric data, which contributed to the parties settling the class action for more than $9 million. Nonetheless, the court encouraged the state legislature to revisit the statute in light of the result.

Click Here for the Original Article

 

Use of Artificial Intelligence in Employment and the legal implications

Over the past fifteen years, artificial intelligence (AI) has become embedded in the legal field in ways that were not widely anticipated. While it was initially expected that legal professionals would need to familiarize themselves with AI tools to enhance efficiency in practice, few foresaw the necessity for attorneys to possess an understanding of AI’s technical functions to competently advise clients on the legal ramifications of its use. AI has evolved beyond its routine application which was used to sort large datasets or resolve analytical problems and is now used to autonomously make decisions based on the information presented. Generative AI is capable of generating new content, such as images or text, by learning from data supplied to it. The most popular examples of generative AI, include Chat GPT, Meta AI, Claude and many more that are constantly under development.

In particular, there has been an increase of the use of AI in the employment sector, which has resulted in enhanced and efficient decision-making for many employers, particularly in the areas of recruitment and staff management. Employers are using AI to analyze candidate qualifications and employee performance. These practices are frequently justified on the basis that algorithmic decision-making can reduce human bias and produce objective outcomes. However, the Illinois Legislature has recognized the possibility of the misuse of generative AI and the potential consequences and has responded in kind by regulating its use.

Click Here for the Original Article

Five Eyes Issue “Call to Action” to Protect Against AI Cyber Threats

 

The leaders of the Five Eyes cyber security agencies, representing Australia, New Zealand, Canada, the United Kingdom, and the United States, issued an alert on June 22, 2026, entitled “The AI Shift in Cyber Risk: Why Leaders Must Act Now” urging organizations to a “call to action” to protect against cyber threats both for organizations and society as a whole. The Five Eyes are expressing urgency because artificial intelligence (AI) is quickly changing cyber risk, and organizations need to act fast to keep up. The call to action is informed by the fact that AI can improve cyber defense, but it also makes cyber-attacks faster, larger, and more advanced, including how attacks happen and how organizations can defend against them.

 

Because of this, the Five Eyes urge that cyber resilience is critical for business continuity, market confidence, and long-term success.

 

The Five Eyes encourage leaders to:

 

  • Understand and assess risks, readiness, and accountability
  • Focus on basic cybersecurity practices and controls
  • Give cyber leaders the authority and resources they need
  • Stay involved as threats and guidance change

 

The alert emphasizes how “success for organizations depends on getting the basics right, acting quickly, and making cybersecurity part of the core business strategy.” It stresses that cyber risk is not just a technical issue—it is a business risk and a leadership responsibility.

 

Boards and executives must ensure systems are resilient and work under pressure. It is not enough to have controls; leaders must know those controls will work during a real incident. This may require rethinking past decisions and using AI carefully to strengthen defenses, not just improve efficiency.

 

Click Here for the Original Article

Key Points

STATE, CITY, COUNTY AND MUNICIPAL UPDATES

  • Sweeping Amendments Impose New Obligations on Employers Conducting Criminal Background Checks in Washington
  • Philadelphia Publishes Fair Chance Hiring Update
  • States Take Aim at AI in Employment Decisions
  • Vermont Makes 23
  • NYDFS Issues Dual Guidance on Heightened Cybersecurity Threats, Frontier AI Risks
  • Is a CCPA Risk Assessment Required?

STATE, CITY, COUNTY AND MUNICIPAL UPDATES

 

Sweeping Amendments Impose New Obligations on Employers Conducting Criminal Background Checks in Washington Starting 1 July 2026

 

Washington state has significantly expanded its Fair Chance Act through legislation enacted during the 2025 legislative session (EHB 1747), which is now codified at RCW 49.94 (Amended Fair Chance Act). Signed by Governor Bob Ferguson, the Amended Fair Chance Act imposes substantially more demanding requirements on Washington employers when inquiring about criminal history, conducting criminal background checks, and making employment decisions based on criminal history.

The new requirements take effect 1 July 2026 for employers with 15 or more employees and 1 January 2027 for employers with fewer than 15 employees.

 

Background: Washington’s Original Fair Chance Act (2018)

 

In 2018, Washington enacted the original Fair Chance Act, which is commonly known as the “ban the box” law. The Fair Chance Act prohibited employers from inquiring into or conducting criminal background checks on applicants until the employer had determined that the applicant was “otherwise qualified” for the position. The 2018 law also banned job postings that categorically excluded applicants with criminal histories. Those foundational provisions remain in effect and are now supplemented by the 2025 amendments discussed below.

 

Employers with employees in Seattle have been subject to Seattle’s Fair Chance Employment Ordinance (Seattle Ordinance) since 2013, which already imposed restrictive rules regarding the use of criminal records in employment decisions. The Amended Fair Chance Act aligns Washington’s statewide requirements more closely with the Seattle Ordinance and extends heightened protections to the entire state.

 

Click Here for the Original Article

 

Philadelphia Publishes Fair Chance Hiring Update: What Employers Need to Know

 

Philadelphia employers that screen applicants, employees, or independent contractors for criminal histories are subject to the Fair Criminal Record Screening Standards Ordinance (FCRSSO)—one of the more rigorous “fair chance” regimes in the country—which requires covered businesses to conduct individualized assessments of criminal records before taking adverse action, to provide prescribed notices, and to comply with affirmative posting obligations. It also affords individuals a private right of action for damages, creating litigation exposure from technical noncompliance.

 

In October 2025, Philadelphia Mayor Cherelle Parker signed amendments to the FCRSSO, effective January 6, 2026. As enacted, the amendments authorized, but did not require, the Philadelphia Commission on Human Relations to create a form of required pre-adverse action notice, an updated summary of rights, and a statement concerning evidence of error or rehabilitation. The Commission has now published a document, titled, “Notice: 2026 amendments to Fair Chance Hiring Law,” but has not clarified how this document relates to these requirements.

 

Click Here for the Original Article

 

States Take Aim at AI in Employment Decisions: Illinois’s Disclosure and Anti-Discrimination Requirements, Enforcement Gaps Under NYC’s Local Law 144, and Connecticut’s New AI Law

 

As employers increasingly integrate AI into hiring, promotion, discipline, and other employment decisions, state and local regulators are accelerating efforts to impose transparency and accountability. The following two developments highlight both the direction of legislative efforts and the compliance complexity: (1) amendments to the Illinois Human Rights Act (IHRA), effective January 1, 2026, that add AI-specific notice obligations and prohibit the discriminatory use of AI in employment decisions; (2) a December 2025 audit report by the New York State Comptroller finding significant enforcement gaps under New York City’s Local Law 144 (LL144), the city’s automated employment decision tools (AEDT) law in effect since July 2023; and (3) Connecticut's SB5, a broad AI law that regulates AEDTs.

 

These developments arrive amid continued federal uncertainty and growing state and local activity regulating workplace AI. Employers operating nationally should expect additional requirements in 2026 and should treat AI-enabled HR tools as a regulated workflow—not a standalone technology purchase—requiring governance, documentation, and communications tailored to each jurisdiction.

 

Click Here for the Original Article

 

Vermont Makes 23: States with Comprehensive Data Privacy Laws

 

This is a quick update to let you know that Vermont became the 23rd state to enact a comprehensive state privacy law. Gov. Phil Scott, R-Vt., signed Senate Bill 71, the Vermont Data Privacy and Online Surveillance Act, into law on June 16, 2026. The law will be enforceable on January 1, 2028.

 

Under Vermont’s new privacy law, enforcement power is granted exclusively to the state attorney general with no private right of action. Sorry, Plaintiff’s Bar, you don’t get to use the new law to abuse businesses. The state attorney general must submit an annual report to the Vermont General Assembly containing information on its enforcement activities. The law features a 60-day cure period for violations that expires 30 June 2029.

 

The law applies to data controllers or processors that handle the personal data of more than 35,000 state residents, those processing the sensitive personal data of at least 3,000 state residents, or those selling the personal data of at least 3,000 residents.

 

Click Here for the Original Article

 

Cisive. Screen Smarter, Hire Safer. Get the Right Talent to Drive Your Success. Speak to an expert.

NYDFS Issues Dual Guidance on Heightened Cybersecurity Threats, Frontier AI Risks

 

On May 21, 2026, NYDFS published two related industry letters addressing cybersecurity preparedness for DFS-regulated financial institutions, insurers, and money transmitters. The first, titled Guidance on Measures Regulated Entities Should Consider in a Heightened Cybersecurity Threat Environment (the Guidance), provides a structured menu of defensive measures entities should consider when cybersecurity risks become significantly elevated. The second, titled Heightened Cybersecurity Risks Associated with Frontier AI Models (the Advisory), warns that certain AI models capable of identifying vulnerabilities and exploits at unprecedented speed and scale will soon become more widely available, and directs entities to prepare now. The two documents are designed to work together: the Advisory identifies the threat, and the Guidance provides recommendations on how to respond.

Neither publication creates binding requirements. Both documents state explicitly that they do not alter the obligations under Part 500. The Guidance frames its recommendations as measures entities “should consider” adopting based on their “unique circumstances and operations.” The Advisory states it is “intended to inform Regulated Entities’ risk management and compliance efforts.”

That said, NYDFS has a well-established pattern of publishing non-binding guidance that later becomes the benchmark in examinations and enforcement. NYDFS may evaluate whether an entity considered these measures, documented its reasoning, and updated its risk assessment accordingly.

Click Here for the Original Article

 

Is a CCPA Risk Assessment Required When Using Productivity Management and Monitoring Platforms?

 

Artificial intelligence has made significant inroads into the hiring process. Employers increasingly rely on AI-driven tools to screen resumes, analyze video interviews, administer automated assessments, and score candidates against job-fit models. These tools promise greater efficiency and, in theory, more consistent evaluation. They also collect and generate a substantial amount of personal information about job applicants—information that, under the CCPA’s updated regulations, may require a formal risk assessment before or during use.

If your organization is a “business” under the CCPA and is using AI-powered hiring or applicant screening technology, the following analysis will help you evaluate whether a risk assessment is required. If you have not yet confirmed that the CCPA applies to your organization, check out our CCPA FAQs which address this and other provisions of the CCPA.

What AI Hiring Tools Typically Do

AI-powered hiring tools span a wide range of functions. Resume parsing and ranking tools use machine learning to score applications against predefined criteria. Video interview platforms analyze candidates’ facial expressions, word choice, and vocal patterns to generate personality or culture-fit assessments. Automated chatbots conduct initial screening interviews and assess responses. Skills assessment platforms measure cognitive ability, personality traits, and job-relevant competencies through adaptive tests scored by AI. Across all of these tools, the common thread is that personal information about applicants is being processed automatically to evaluate them and, directly or indirectly, to inform hiring decisions.

Click Here for the Original Article

Key Points

INTERNATIONAL UPDATES

  • Employer Policies in Mexico
  • The Data (Use and Access) Act 2025

INTERNATIONAL UPDATES

Employer Policies in Mexico: Tips for Enforceability

Multinational employers operating in Mexico often rely on global policies to set workplace expectations across their operations. While this approach promotes consistency, it can also create enforceability risks.

  • Employers may want to ensure they obtain formal employee acknowledgment of every internal policy; without proof that employees knew about a policy, enforcing it becomes extremely difficult.
  • Policies must align with Mexican law—including the Federal Labor Law (Ley Federal del Trabajo), the Mexican Constitution, and applicable Official Mexican Standards (Normas Oficiales Mexicanas or NOMs)—rather than relying solely on global standards.
  • To lawfully impose disciplinary sanctions, employers must have internal work regulations (reglamento interior de trabajo) in place that comply with the Federal Labor Law.

Mexico is a heavily regulated country, from the Political Constitution of the United Mexican States to the Federal Labor Law to Normas Oficiales Mexicanas (NOMs) governing health and safety, as well as other secondary provisions. These local requirements could limit or impact global policies, as mandatory local compliance is required.

Click Here for the Original Article

 

The Data (Use and Access) Act 2025 and the new right for individuals to complain to controllers

The UK’s data protection framework continues to evolve following the enactment of the Data (Use and Access) Act 2025 (DUAA). One of the more operationally significant developments for organizations is the introduction of a new statutory right for individuals to complain to controllers regarding infringements of the UK General Data Protection Regulation (GDPR), as well as a framework governing how controllers must handle those complaints.

The relevant provisions will apply from 19 June 2026, pursuant to the Data (Use and Access) Act 2025 (Commencement No. 6) Regulations 2026. On or before that date, organizations subject to the UK GDPR will need to update their privacy notices and introduce formal data protection complaint handling processes that meet specific legal requirements.

Although individuals will retain their right to complain directly to the Information Commissioner’s Office (which will become the “Information Commission” under other changes introduced by the DUAA) (ICO), the reforms are designed to ease the ICO’s related regulatory burden and therefore to encourage individuals to raise concerns with controllers in the first instance, with controllers now expected to provide accessible complaint channels, acknowledge complaints within prescribed timeframes, investigate concerns appropriately and communicate outcomes without undue delay.

These new obligations represent a significant formalization and strengthening of regulatory expectations. In practice, complaints handling will become a more visible and auditable aspect of organizational accountability under UK data protection law.

 

What is changing?

The new right to complain and related complaints handling requirements are introduced through the new section 164A of the Data Protection Act 2018 (DPA 2018), as amended by the DUAA.

The new right allows individuals to make a complaint to a controller if they consider that the controller has infringed the UK GDPR when processing their personal data. Broadly, the reforms require controllers to:

  • Provide at least one accessible way through which individuals can submit data protection complaints (for example, by providing an online complaint form which can be completed and submitted electronically)
  • Acknowledge complaints within 30 days of receipt
  • Take “appropriate steps” to investigate complaints (including making enquiries into their subject matter) without undue delay
  • Keep complainants informed about the progress and outcome of complaints without undue delay
  • Inform individuals of their right to complain in their privacy notices
  • Maintain appropriate records relating to complaints and their resolution

The ICO has also published guidance explaining that organizations should treat complaints handling as part of their broader accountability obligations and ensure complaints can be identified, assessed, investigated and resolved consistently and transparently.

Importantly, the concept of a “data protection complaint” is broad. According to the ICO, complaints may arise in relation to any alleged infringement of the UK GDPR, including concerns relating to subject access requests, direct marketing, retention practices, transparency obligations, cookies and other tracking technologies (insofar as they involve the processing of personal data), as well as security incidents and the lawful basis relied upon for processing.

The reforms also introduce related changes to transparency and individual rights request response requirements under the UK GDPR.

Click Here for the Original Article

 

Managing Compliance With Confidence

As compliance programs are forced to evolve with the ongoing shifts in legislation and technology-driven change, organizations must continue to employ a strategic and proactive approach to employment screening and data security.

Cisive helps you stay ahead of regulatory change, reinforce your compliance programs, and mitigate risk across the talent lifecycle. With proven expertise in background screening and global compliance, we help employers eliminate blind spots and hire with confidence.

Lets Build a Smarter Screening Strategy Together

 

Ready to get started?

Book time with one of our screening experts to find out how we can streamline your talent process with a free assessment

Get your free assessment
Digital interface illustrations showing screening and hiring processes Professional woman illustration