California Legislature Extends CCPA Exemptions for Employees’ Personal Information & “Business-to-Business” Exchanges to 2022
But for limited exemptions added to the California Consumer Privacy Act (CCPA) last year, personal information exchanged in the employment context, and personal information collected through “business-to-business” exchanges, would be subject to all requirements of the CCPA. Those exemptions were set to expire next year. However, the California legislature has recently voted, through Assembly Bill 1281, to extend the exemptions until January 1, 2022.
To what information do the exemptions apply?
The employee information exemption includes personal information collected in the course of a natural person’s employment or as a job applicant, owner, director, officer, medical staff member, or contractor of a business. It is inclusive of personal information of the employee’s emergency contacts and benefit recipients. Under the exemption, businesses subject to the CCPA are not required to comply with many of the notice, disclosure, access, “Do Not Sell,” opt-out, and deletion provisions of the CCPA with regard to employee information. However, the exemption does not apply to a business’ obligation to: (1) notify employees, at or before the point of collecting personal information, of the categories of personal information to be collected, and the purposes for which the information is to be used, and (2) maintain reasonable security procedures and practices to protect personal information, or be subject to a private right of action in the event of unauthorized access and exfiltration, theft, or disclosure, of that information.
The “business-to-business” information exemption applies to information reflecting a written or verbal communication or a transaction between the business and the consumer if (1) the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency, and (2) the communication or transaction with the business occurs solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from, that company, partnership, sole proprietorship, nonprofit, or government agency. The exemption does not apply to “Do Not Sell” opt-out obligations or to the obligation to maintain reasonable security practices to protect the information from unauthorized access and exfiltration, theft, or disclosure.
I thought the exemptions lapsed on January 1, 2021. What’s changed?
The exemptions were set to lapse on January 1, 2021. However, the California legislature opted to extend the deadline due to the limited legislative session caused by the COVID-19 pandemic combined with a pending November 2020 ballot initiative that could significantly change how the CCPA is applied (California Privacy Rights and Enforcement Act (CPRA)).
What does it mean for my business?
At least until January 1, 2022, businesses subject to the CCPA can continue to rely on these exemptions. If the CPRA is approved by voters this November, these exemptions will be extended through January 1, 2023.
For more information on these CCPA exemptions, contact the authors of this post. Subscribe to Lewis Brisbois’ Digital Insights blog for additional analysis in the coming months regarding the CCPA and how its provisions may affect businesses in The Golden State.