535 Grand Avenue, Grand Junction, CO 81501

Utah Compliance Connection September

September 1, 2023

Federal Compliance Update

EEOC Proposes New Enforcement Guidance on Workplace Harassment

On Sept. 29, 2023, the U.S. Equal Employment Opportunity Commission (EEOC) issued proposed new guidance for determining whether workplace harassment violates Title VII of the Civil Rights Act (Title VII) or other equal employment opportunity (EEO) laws enforced by the agency. For employers subject to these laws, the new proposed guidance provides insight into how the EEOC will enforce compliance with anti-harassment provisions.


Title VII is a federal law that prohibits employers with 15 or more employees from discriminating against or harassing individuals based on certain characteristics. These characteristics, also known as protected traits, include race, color, religion, national origin and sex (including sexual orientation, transgender status and pregnancy). Other EEO laws protect individuals from discrimination or harassment based on disability, age (40 and older) and genetic information.

Between 1986 and 1999, the EEOC issued several documents designed to guide agency staff members who investigate claims of harassment under EEO laws. The agency also issued proposed enforcement guidance on these topics in 2017. If finalized following a 30-day comment period, the agency’s newly issued proposal would consolidate and replace those earlier documents.

Proposed Updates

In the newly proposed guidance, the EEOC provides several updated examples to reflect a wide range of modern scenarios and address emerging issues, such as how social media postings and other online content may contribute to a hostile work environment. It also incorporates current case law, including the U.S. Supreme Court’s 2020 decision on sexual orientation and gender identity in Bostock v. Clayton County, into the new proposed guidance.

Overview of New Guidance

The new proposed guidance focuses on the three main questions that must be answered in any workplace harassment claim, which are:

  • Whether the conduct is based on the individual’s legally protected trait;
  • Whether the conduct resulted in a hostile work environment or explicit change to the terms or conditions of employment; and
  • Whether there is any legal basis for holding the employer liable.

As further explained in the document, an employer may be liable for workplace harassment under several legal standards that often depend on the harasser’s relationship with the employer. The document also describes preventive and corrective actions an employer may take to help establish defenses against liability for workplace harassment.

Federal District Court Rules Against 2022 DACA Final Rule

On Sept. 13, 2023, the U.S. District Court for the Southern District of Texas ruled against the 2022 Deferred Action for Childhood Arrivals (DACA) final rule. The final rule was published on Aug. 30, 2022, by the U.S. Department of Homeland Security (DHS) to preserve the department’s 2012 DACA policy. Specifically, the final rule defers the removal of qualifying noncitizens who came to the United States as children and grants them the right to work.

Under the final rule, “deferred action” is defined as a temporary forbearance from removal procedures. Deferred action does not grant eligible individuals any rights or entitlement to stay within the United States. Under deferred action, DHS may initiate criminal or other enforcement action at any time.

In its ruling, the court held that there were no material differences between the final rule and the 2012 policy, and the final rule does “nothing to change or resolve the substantive problems” found by district and appellate courts regarding the legality of DACA.

The History of DACA:

DACA Policy

In 2012, DHS adopted a policy that authorized immigration and customs enforcement personnel to stay, at their discretion, the removal of young people who came to the United States as children.

Under this policy, individuals who met the qualifying criteria and passed a background check were granted deferred action. DHS favored deferred action and considered it “a longstanding practice by which DHS has exercised its discretion to forbear from or assign lower priority to removal action in certain cases for humanitarian reasons, for reasons of administrative convenience or on the basis of other reasonable considerations involving the exercise of prosecutorial discretion.” Since 2012, more than 825,000 people have received deferred action under DACA.

Legal Challenges

On July 16, 2021, the U.S. District Court for the Southern District of Texas vacated the 2012 DACA policy. The court found, among other things, that the DACA policy violated the Immigration and Nationality Act of 1952. In response, on Sept. 28, 2021, DHS published a proposed rule to recommend regulations to preserve and fortify the DACA policy. This final rule implements the 2021 proposal with some amendments that take into consideration the public comments received regarding the proposal. On Aug. 30, 2022, DHS published a new DACA final rule. The final rule was scheduled to become effective on Oct. 31, 2022, but was enjoined by the District Court during the course of active litigation.

On Oct. 5, 2022, the U.S. Court of Appeals for the 5th Circuit upheld the 2021 Southern District of Texas court decision, declaring the 2012 DACA policy unlawful. However, the Court of Appeals preserved the partial stay issued by the District Court in July 2021 and remanded the case back to the District Court for further proceedings regarding the 2022 DACA final rule.

On Sept. 13, 2023, the U.S. District Court for the Southern District of Texas ruled against the 2022 final rule and held, among other things, that:

  • The DACA final rule and policy have many legal deficiencies;
  • The court has expressed its concerns about the legality of the program for some time; and
  • The solution to the program’s deficiencies “lies with the legislature, not the executive or judicial branches.”

The 2023 District Court decision is expected to be appealed by DHS.

Employment Authorization 

DACA recipients are considered to be lawfully present in the United States. This designation does not grant “lawful status” or authorization to remain in the United States but does allow DACA recipients to remain in the United States without accruing “unlawful presence.”

The DACA final rule creates a specific regulatory provision regarding eligibility for employment authorization for eligible individuals. Under this provision, DACA recipients must have been granted deferred action and must establish an economic need to be eligible for employment authorization. DACA employment authorization automatically terminates when DACA expires.

Employment Authorization Documents

DACA recipients who are authorized to work receive an employment authorization document (EAD) from DHS. An official, unexpired EAD is an acceptable List A document for Form I-9. Employers cannot ask DACA recipients for more (or different) work authorization documents based on an individual’s citizenship status or national origin. When using an EAD for Form I-9 purposes, employers should:

  • Accept the EAD if it appears to be genuine and relates to the employee presenting it;
  • Record the EAD’s document title, number and expiration date in Section 2;
  • Reverify the employee’s work eligibility in Section 3 once the EAD expires.

What does it mean for employers?

At this time, the District Court ruling does not affect current grants of DACA and related EADs. DHS will continue to “accept and process renewal DACA requests, accompanying requests for employment authorization and applications for advance parole for current DACA recipients.” This means that current DACA recipients will retain protection from deportation, work authorization, and the ability to renew these protections while litigation continues. However, the decision prevents DHS from processing new DACA applications.

Understanding the Significant Changes to the EEOC’s EEO-1 Report

Employers with 100 or more employees and certain federal contractors are required to file an EEO-1 Report annually with the U.S. Equal Employment Opportunity Commission (EEOC). Federally mandated under Title VII of the Civil Rights Act, this survey collects workforce data categorized by race, ethnicity, sex and job category. EEO-1 Reports are typically due by March 31 each year. However, for 2022 EEO-1 Reports (due in 2023), the EEOC has recently announced that the portal for employers to submit 2022 EEO-1 Reports will open Oct. 31, 2023, and the deadline for submission has been extended to Dec. 5, 2023. The EEOC had previously extended the portal’s opening date twice before making the most recent announcement.

In addition to altering the deadline for EEO-1 submissions, the EEOC has also made significant changes to the EEO-1 Report. According to the EEOC, these changes have been made as part of ongoing modernization efforts and in response to feedback from previous filers. This article highlights the most significant changes to EEO-1 reporting and provides guidance for how employers can prepare.

Changes to EEO-1 Reporting

The EEOC recently published a new instruction booklet for the 2022 data collection period. Employers can review this booklet for instructions on how to file EEO-1 Reports and for more information on the changes that have been made to 2022 EEO-1 reporting. The following are significant changes to EEO-1 reporting for the 2022 submission year:

Naming conventions—In the new EEO-1 Report, the EEOC has replaced the different types of non-headquarters establishment reports based on the number of employees at an establishment with a single Establishment-Level Report. The names referring to different types of employer reports have also been altered:

  • Type 1 is now called the Single-establishment Employer Report.
  • Type 2 is now called the Consolidated Report.
  • Type 3 is now called the Headquarters Report.
  • Types 4, 6 and 8 are now called the Establishment-level Report.
  • There is no Type 7 Report.

Remote employees—Consistent with the informal guidance previously published by the EEOC, remote employees should be included in the establishment they report to or the establishment their manager reports to, if they don’t report to an establishment. If employers operate entirely remotely, they should report the address where the organization is legally registered. Remote employees’ home addresses should never be used.

Nonbinary employees—Reporting nonbinary employees outside the male/female chart is not required. However, employers who wish to report nonbinary employees can do so in the comments section of the applicable establishment report.

IDs for federal contractors—Since the U.S. government no longer uses Data Universal Numbering System numbers to identify federal contractors, these numbers have been eliminated from the EEO-1 Report. For 2022 EEO-1 reporting, federal contractors must use the Unique Identity ID created at http://www.sam.gov/. Crucially, the EEOC booklet says any company is considered a federal contractor if any of the employers’ establishments is a contractor. This is a variation from the Office of Federal Contract Compliance Programs’ stated position about the use of the single entity test to determine when affiliated entities are covered contractors.

Foreign-based employers—Companies based outside of the United States must file an EEO-1 Report if they meet the filing thresholds for U.S.-based establishments. According to the instruction booklet, foreign-based employers can use one of their U.S. establishments as headquarters for the purpose of filing. Otherwise, each U.S. establishment should file a separate EEO-1 Report.

North American Industry Classification System (NAICS) codes—Employers must use appropriate NAICS codes for each establishment. These codes are updated every five years. Employers should use the most recent 2022 codes for this year’s EEO-1 Report.

Mergers, acquisitions and spinoffs—Requirements for corporate changes have been updated for 2022 reporting. If a merger, acquisition or spinoff occurs after the reporting period, the new entity is typically responsible for reporting the data if the establishment meets filing eligibility requirements. The EEOC urges companies that experience corporate change during the reporting period to carefully review this section of the instruction booklet to ensure compliance.

The EEOC has announced additional changes that will impact the EEO-1 Report for 2023 data in 2024. Beginning next year, employers will no longer be able to choose a snapshot date that would eliminate the obligation to report. Also, employers will be required to report employees who are assigned to client sites at the client’s physical address. Currently, employers can report these employees at either the client’s address or the employer establishment where they’re assigned.

Preparing for EEO-1 Reporting

Careful planning for EEO-1 reporting can reduce the risk of mistakes and confusion when the EEOC portal opens on Oct. 31, 2023. Employers can prepare for EEO-1 submissions with the following steps:

  • Determine if EEO-1 reporting is required.
  • Understand which reports must be completed (e.g., single-establishment or multi-establishment reports).
  • Review the EEOC’s instruction booklet for compliance.
  • Consult the U.S. Department of Labor’s resource for frequently asked questions.
  • Choose a pay period from October through December to complete the report.
  • Ensure self-identification forms are available for all employees during the selected pay period.
  • Complete the EEO-1 Report by the updated deadline (Dec. 5, 2023).
  • Keep a record of data used for the EEO-1 Report for at least a year after submitting the report.


Employers should stay current on updates from the EEOC regarding filing requirements and deadlines for the EEO-1 Report. Submitting an incorrect or incomplete report could result in a court order compelling employers to complete the forms. Further failures to accurately complete the EEO-1 Report could cause employers to be held in contempt. It may also result in the termination of federal contracts for contractors. By reviewing the EEOC’s recently published instruction booklet, employers can help ensure compliance with significant new changes to EEO-1 reporting.

National Labor Relations Board

The National Labor Relations Board (NLRB) issued a new legal standard on August 2, 2023, in the Stericycle, Inc. and Teamsters Local 628 case. This will significantly affect employers’ current and future workforce rules. It sets a new legal standard for determining whether an employer’s policy, process, or rule violates an employee’s protected concerted activity under Section 7 of the National Labor Relations Act (NLRA).

Employer’s Action Steps

Employers must immediately review their policies, practices, and workforce rules, including those found in the employee handbook and/or onboarding packets, to ensure they comply with Section 7 in light of the new legal standard. Employee handbook sections to review include, but are not limited to, social media policies, confidentiality and trade secret clauses, and non-solicitation and non-distribution statements. Additionally, companies should review the language of these policies, practices, and rules for violations, such as prohibiting employees from discussing wages, benefits, work conditions, treatment from supervisors, etc. These employer work rules also should not prohibit employees from engaging in political or social activities that may affect the employer’s reputation or business interests without compliant language indicating what activities are relevant or how they may affect the employer.

NLRB Statement

The following is from the News & Publication page of the NLRB website: “Under the new standard adopted in Stericycle, the General Counsel must prove that a challenged rule has a reasonable tendency to chill employees from exercising their rights. If the General Counsel does so, then the rule is presumptively unlawful. However, the employer may rebut the presumption by proving that the rule advances a legitimate and substantial business interest and that the employer is unable to advance that interest with a more narrowly tailored rule. If the employer proves its defense, then the work rule will be found lawful to maintain.”

State Compliance Update

Utah Consumer Privacy Act

Utah adopted the Utah Consumer Privacy Act (UCPA) on March 24, 2022. Compliance with the UCPA will be monitored by the Utah Division of Consumer Protection (the Division) and enforced by the state’s attorney general office. The UCPA does not create a private right of action for individuals affected by violations of this law. The UCPA’s effective date is Dec. 31, 2023.

Affected Entities

The UCPA applies to any controller or processor that:

  • Conducts business in the state or produces a product or service that is targeted to consumers who are residents of the state;
  • Has annual revenue of $25,000,000 or more; and
  • Either controls or processes the personal data of at least 100,000 consumers or derives over 50% of its gross revenue from the sale of personal data and controls or processes the personal data of at least 25,000 consumers.

Controller means a person or entity “doing business in the state that determines the purposes for which and the means by which personal data are processed, regardless of whether the person or entity makes the determination alone or with others.” Processor means a person or entity that “processes personal data on behalf of a controller.”

Notable exclusions from the UCPA apply to:

  • Governmental entities or third parties under contract with a governmental entity when the third party is acting on behalf of the governmental entity;
  • Native American tribes;
  • Institutions of higher education;
  • Nonprofit corporations;
  • Covered entities and business associates, as defined by HIPAA;
  • Information that is protected by other personal information protection laws; and
  • Some deidentified information.

Consumer Rights

The UCPA creates the right for consumers to:

  • Confirm whether controllers are processing their personal data (and to access the data that is being processed);
  • Delete the personal data they have provided to controllers;
  • Obtain a copy of the personal data they have previously provided to controllers; and
  • Opt out of the processing of consumer personal data for targeted advertising and the sale of that data.

To exercise these rights, consumers must submit a request to the controller through the means the controller prescribes. These requests must specify the rights that consumers intend to exercise.

Parents or legal guardians may exercise these rights on behalf of their children.

Controller and Processor Responsibilities

Determining whether a person or entity is acting as a controller or processor with respect to a specific processing of data is a fact-based determination that depends upon the context in which personal data are to be processed. A processor that adheres to a controller’s instructions with respect to the specific processing of personal data remains a processor.

Required Notice

Controllers must provide consumers with a reasonably accessible and clear privacy notice that includes:

  • The categories of personal data being processed;
  • The purposes for which the categories of personal data are processed;
  • A description of how consumers may exercise their rights;
  • The categories of personal data that controllers share with third parties, if any; and
  • The categories of third parties, if any, with whom controllers share personal data.

Controllers that sell consumer personal data to one or more third parties and controllers that engage in targeted advertising must also clearly and conspicuously disclose to consumers how they may exercise their right to opt out.

Data Security

The UCPA requires controllers to establish, implement and maintain reasonable administrative, technical and physical data security practices designed to:

  • Protect the confidentiality and integrity of personal data; and
  • Reduce reasonably foreseeable risks of harm to consumers relating to the processing of personal data.

These measures must be appropriate for the volume and nature of the personal data and account for controller business size, scope and type.

Sensitive Data

The UCPA also prohibits controllers from processing sensitive data collected from consumers unless they first provide clear notice and an opportunity to opt out of the processing.

Notice is not required under the act if controllers process the data for known children in accordance with the federal Children’s Online Privacy Protection Act and the act’s implementing regulations and exemptions.

Prohibited Discrimination

Controllers cannot discriminate against consumers who exercise their rights under the UCPA. Prohibited discrimination includes denying a good or service, charging a different price or rate for a good or service and providing a different level of quality of a good or service.

However, controllers may encourage consumers to share their data by offering a different price, rate, level or quality (including offering a good or service for no fee or at a discount) if:

  • Consumers have opted out of targeted advertising; or
  • The offer is related to the consumer’s voluntary participation in a bona fide loyalty, rewards, premium features, discounts or club card program.

Controllers are not required to provide products or services to consumers if their personal data (or processing the data) is reasonably required to receive the products or services and consumers either fail to provide the data or prevent the controller from processing the data.

Responding to Requests

Controllers must respond to consumer requests to exercise their rights under the UCPA within 45 days of receiving the request. Specifically, controllers must act on these requests and inform consumers of any actions they have taken regarding their requests.

Controllers may extend the 45-day response window by an additional 45 days if:

  • The extension is reasonably necessary due to the complexity of the request or the volume of the requests received by the controller;
  • They inform consumers of the extension, including the length of the extension; and
  • They provide their rationale for why the extension is reasonably necessary.

The requirement to respond within 45 days is void when a controller reasonably suspects the consumer’s request is fraudulent and the controller is not able to authenticate the request before the 45-day period expires. Controllers must also comply with the 45-day notice requirement when they choose not to act on any request. With this notice, controllers must also include the reasons for not acting.

Controllers cannot charge a fee for information in response to a request unless the request is the consumer’s second or subsequent request during the same 12-month period. However, controllers may charge a reasonable fee to cover the administrative costs of complying with requests or refusing to act on a request if:

  • The request is excessive, repetitive, technically infeasible or manifestly unfounded;
  • The controller reasonably believes the primary purpose in submitting the request was something other than exercising a right; or
  • The request, individually or as part of an organized effort, harasses, disrupts or imposes an undue burden on the resources of the controller’s business.

If they charge a fee, controllers bear the burden of demonstrating the request satisfies one or more of the criteria described above.

Finally, controllers are not required to comply with requests they cannot authenticate using commercially reasonable efforts. Within reason, controllers may request that consumers provide additional information to authenticate their requests.

Processor Responsibilities

Processors are entities that process data on behalf of controllers. Under the UCPA, processors must adhere to the instructions they receive from controllers and assist controllers in meeting their obligations.

In addition, before processing any data, processors and controllers must enter into a contract that:

  • Clearly sets instructions for processing personal data, the nature and purpose of the processing, the type of data subject to processing, the duration of the processing, and the parties’ rights and obligations;
  • Requires processors to ensure each person processing personal data is subject to a duty of confidentiality with respect to the personal data; and
  • Requires processors to engage any subcontractor with a written contract that requires the subcontractor to meet the same obligations as the processor with respect to personal data.

Processing Deidentified Data or Pseudonymous Data

Controllers that use pseudonymous data or deidentified data must take reasonable steps to ensure they comply with any contractual obligations governing the data and promptly address any breach of these contractual obligations.

However, controllers are not required to:

  • Reidentify deidentified data or pseudonymous data. Similarly, these entities are not required to maintain data in identifiable form or obtain, retain or access any data or technology for the purpose of allowing the controller or processor to associate a consumer request with personal data; or
  • Comply with an authenticated consumer request to exercise a UCPA right if:
      • It’s not reasonably possible to associate the request with the personal data or it would be unreasonably burdensome to associate the request with the personal data;
      • The personal data is not used to recognize or respond to the consumers who provided the data or the personal data is not associated with other personal data about consumers; and
      • The personal data are not sold nor otherwise disclosed to any third party other than a processor, except as allowed by the UCPA.

Finally, the rights to confirm the processing of data, delete personal data and obtain a copy of personal data do not apply to pseudonymous data if a controller demonstrates that any information necessary to identify a consumer is kept separately and subject to appropriate technical and organizational measures to ensure the personal data are not attributed to an identified individual or an identifiable individual.


UCPA requirements do not restrict a controller’s or processor’s ability to:

  • Comply with federal, state or local laws;
  • Take immediate steps to protect an interest that is essential for the life or physical safety of the consumer or another individual; or
  • Detect, prevent, protect against or respond to security incidents, identity theft, fraud, harassment or malicious, deceptive or illegal activities.

Finally, the UCPA does not require controllers, processors, third parties or consumers to disclose trade secrets.

Compliance Calendar


10/2 – QSEHRA Notice Deadline (Calendar Year Plans Only)

10/14 – Medicare Part D Creditable/Non-creditable Coverage Notice

10/30 – Form 941 Filing Deadline (third quarter)


Nothing for this Month


12/5 – 2022 EEO-1 Component 1 Filing Deadline

12/29 – Gag Clause Prohibition Compliance Attestation (Group Health Plans, insurers, and insurance brokers)


Lighthouse HR Support (LHRS) provides practical human resource information and guidance based upon our knowledge and experience in the industry and with our clients. LHRS services are not intended to be a substitute for legal advice. LHRS services are designed to provide general information to human resources and/or business professionals regarding human resource concerns commonly encountered. Given the changing nature of federal, state and local legislation and the changing nature of court decisions, LHRS cannot and will not guarantee that the information is completely current or accurate. LHRS services do not include or constitute legal, business, international, regulatory, insurance, tax or financial advice. Use of our services, whether by phone, email or in person shall indicate your acceptance of this knowledge.

Written By:

Kelly Murphy

Senior HR Business Partner

Kelly brings a wealth of knowledge with nearly 30 years of human resource experience. She provides expertise in various human resource categories, including employee relations, performance management, HR Form creation/review (employee handbooks, job descriptions, etc.), employee/management training, workplace investigations, etc. Her human resource certifications include PHR (Professional Human Resources) and SHRM-PC (Society for Human Resource Management Certified Professional). 

Kelly attended Colorado Mesa University and Waldorf University, where she earned a degree in Human Resource Management and Business Administration with Summa Cum Laude honors. She was named Western Colorado Human Resource Association Professional of the Year, 2013, and currently serves on the Board of Directors. She also is a member of the WCHRA Skills Development Committee, the WCCA Education Committee, and the Members/Events Committee. She serves as an Ambassador for both the Fruita and Palisade Chamber of Commerce.