Compliance Corner [May 2025]

Here is what is new in
May 2025

• Updated I-9 Form Available

• Virginia’s New Restriction on Collection of Reproductive and Sexual Health Data

• EO11246 – Gone but not Forgotten

• Another Data Breach

• Proof that the “Artificial” in AI Is at Least Sometimes an Accurate Description

• Deducting a Negative Leave/PTO Balance from Final Pay

• Maryland Paid Family Leave Program Delayed Again

• Virginia Expands Coverage of Non-Compete Law

Updated I-9 Form Available

As the result of the reversal of a Biden Administration wording change, the newest version of the I-9 form replaces “alien authorized to work” with “noncitizen authorized to work” in the list of options employees may select in order to attest to their citizenship or immigration status. The new form was effective in January, 2025, but the form dated August 1, 2023 is also in effect. As a result, there are currently two versions of the I-9 that are acceptable. Both have the same expiration date, however: May 31, 2027.

Virginia’s New Restriction on Collection of Reproductive and Sexual Health Data

Effective July 1, 2025, a new, broader prohibition on the obtaining and use of specific personal data will take effect. Specifically, this new addition to the Virginia Consumer Protection Act prohibits businesses from “[o]btaining, disclosing, selling, or disseminating any personally identifiable reproductive or sexual health information without the consent of the consumer.” Violations are subject to a private right of action, so potential plaintiffs do not have to wait for the state to take action.

Of note is the fact that “reproductive or sexual health information” is defined very broadly and can include any “information relating to the past, present, or future reproductive or sexual health of an individual.” According to Cooley, this definition expressly includes, but is not limited to, information relating to the following, among other listed examples:

• “Efforts to research or obtain reproductive or sexual health information services or supplies, including location information that may indicate an attempt to acquire such services or supplies”

• “Reproductive or sexual health conditions, status, diseases, or diagnoses, including pregnancy, menstruation, ovulation, ability to conceive a pregnancy, whether an individual is sexually active, and whether an individual is engaging in unprotected sex”

• “Use or purchase of contraceptives, birth control, or other medication related to reproductive health, including abortifacients”

An additional datapoint is that collection of transaction records for consumers’ purchase of products, such as condoms or tampons or geolocation of purchases from smartphones might be covered as well, even if they fall below quantitative thresholds for other reporting regulations. All organizations that are already covered by the Virginia Consumer Protection Act are automatically covered.

EO11246 – Gone but not Forgotten

A reminder is in order that some states have requirements for affirmative action plans or some variation thereof – or non-discrimination requirements at the very least. Those state laws generally apply only to contractors of those states. The following states have affirmative action requirements of some sort: California, Connecticut, Illinois, Kentucky, Maine, Minnesota, New Jersey, New York, Ohio, Rhode Island, and Wisconsin. Cities with similar requirements are Baltimore, MD; Eugene, OR; Madison, WI; Minneapolis, MN; Portland, OR; and St. Paul MN. The above list is general only; specific requirements vary by locale. In the absence of EO11246, states or cities may become more assertive about enforcement than they have been in the past. The most active in the past have been CA, MN and NJ. Many of the others listed require only commitments, as opposed to actual quotas.

Another Data Breach

National General and Allstate insurance companies are being sued by Letitia James, the Attorney General of New York, for their failure to protect the personal information of over 165,000 citizens of New York in two large data breaches. The breaches were actually against National General and succeeded because they had insufficient security measures in place. To make it worse, they failed (1) to notify customers of the first breach and (2) to implement any corrective measures. As a result, the second breach was larger than the first. Their online quoting system listed full drivers license numbers. Allstate acquired National General after the breaches but failed to correct the problems, so they are included in the lawsuit.

Proof that the “Artificial” in AI Is at Least Sometimes an Accurate Description

A Norwegian man, Arve Hjalmar Holmen, has sued OpenAI under the European Union “General Data Protection Regulation” law (GDPR) for developing “inaccurate outputs.” Using Open AI, he did a search on his own name. The results started out accurately, including his hometown and children’s ages, but then it “hallucinated,” stating that he had been convicted of murdering two of his children and attempting to murder a third, and that he was sentenced to 21 years in prison, none of which is true. He is seeking correction of the program plus a fine.

Deducting a Negative Leave/PTO Balance from Final Pay

This is a multiple-part question. Considerations include the following:

a) Do you even permit employees to have a negative PTO balance? [If so, why?] Abuse of a payroll advance or a payroll error could be possible causes, but under normal circumstances, employees wanting to take more PTO than they have accrued should have to take the balance beyond their current accrual balance as unpaid to avoid this problem.

b) FLSA status (exempt or non-exempt) makes a difference. According to the US-DOL Field Operations Handbook (FOH), advance leave can be deducted from a non-exempt employee’s final pay only under these circumstances: (1) The employer informs the employee about that policy before even advancing the leave; and (2) The amount deducted reflects the rate of pay the employee earned when they took the advanced leave. The FOH stipulates that proportional or hourly pay is permitted for exempt employees only during their final week of employment, so the circumstances surrounding this situation for an exempt employee must be closely managed.

c) It is strongly recommended that employers have a policy statement regarding negative leave balances (which can include banning them altogether) to avoid erroneous or mistakenly “flexible” interpretations (or creations). State law must be taken into account when formulating such policies, as well. It is incumbent upon employers to make themselves aware of any applicable requirements of the states in which they do business.

d) Recovery of negative leave/PTO balances does NOT depend on whether the termination is voluntary or involuntary, but the timing of the final handling of compensation is generally stipulated in state regulations.

Maryland Paid Family Leave Program Delayed Again

The effective date of the Maryland Paid Family Leave Program, known as FAMLI, has been pushed back again. The Maryland DOL blamed the delay on new employer-employee policies coming from the Trump Administration, not on their own failure to finalize the regulations needed for an effective rollout of the program. The original proposed effective dates for FAMLI were July 1, 2025 for employer contributions and July 1, 2026 for employee claims. The new effective date proposed for employer contributions is January 1, 2027; the new effective date for employee claims will be somewhere between January 1, 2027 and January 3, 2028, with the final date to be determined by the Secretary of the MD-DOL.

Virginia Expands Coverage of Non-Compete Law

Effective July 1, 2025, the Non-Compete Law of Virginia will be expanded to cover ALL employees who are classified as non-exempt under the FLSA. Previously, the law covered anyone whose pay was below the average weekly wage of the Commonwealth. That wage for 2025 is set at $1,463.10 per week, or $76,081 per year regardless of FLSA status; but now more people will potentially be covered.