California Extends CCPA Exemptions on Employee and B2B Data Until 2022
On September 29, 2020, California Governor Gavin Newsom signed legislative bill AB 1281 to extend exemptions related to employment information and business-to-business communications contained in the California Consumer Privacy Act of 2018 (the “CCPA”) until January 1, 2022.
The CCPA, arguably the nation’s strictest and most expansive privacy law, affects not only businesses at home in California but also businesses that hold or process some amount of personal data on California residents. The CCPA, which went into effect on January 1, 2020, includes temporary exemptions for employment-related information and business-to-business communications that were previously set to expire at the end of 2020.
Instead, the exemptions will be extended for an additional year, allowing businesses more time to expand privacy compliance programming for employment-related information and business-to-business communications.
Under the current employment-related information exemption to the CCPA, personal information collected within the course of an employment relationship (as a job applicant, employee, owner, officer, director, medical staff member, or contractor) is exempt from the reach of the CCPA to the extent that the personal information is collected and used within the context of such relationship, to maintain an emergency contact on file, or to administer benefits. This means that employees cannot submit “data subject access requests” under CCPA asking to know or delete the personal information that their current and previous employers have collected on them. Even though this information is currently exempt from the CCPA, employers subject to CCPA are still required to safeguard this information and notify employees that they are collecting personal information and the purpose for which that information is to be used. Additionally, employers under the purview of CCPA can still be liable to employees if employees’ sensitive nonencrypted personal information (e.g., a social security number, driver’s license number, medical information) is breached due to the employer’s failure to reasonably safeguard personal information by implementing security procedures.
The business-to-business communications exemption excludes personal information collected in a business context. Specifically, the exemption carves out personal information collected by a business involved in business-to-business communications or transactions where an individual business contact is acting on behalf of another organization and the communications solely relate to the context of the business transaction. California residents do not have a right to notice of collection of this information nor the right to access or delete personal information. However, if a company sells this data, it must still provide business-to-business contacts the right to opt out of the sale of their information and cannot discriminate against those who do so. Additionally, businesses are still liable to those contacts for damages if sensitive nonencrypted personal information is breached due to the company’s failure to reasonably safeguard personal information by implementing security procedures.
Businesses should continue to evaluate data collection practices and consider internal and external policies and procedures that will need to be addressed after the exemptions expire. For advice on how to comply with the CCPA, or for other privacy and cybersecurity advice, please contact a member of the Koley Jessen Data Privacy and Security practice area.