September 28, 2022

Volume XII, Number 271


California Consumer Privacy Act's Employee and B2B Exemptions to Expire on January 1, 2023

The California Consumer Privacy Act (CCPA) is California's groundbreaking legislation that seeks to give California consumers certain rights over how a business handles "personal information" collected about its consumers. On October 11, 2019, California Governor Gavin Newsom signed AB 25 into law, which provided businesses with temporary relief by exempting personal information that is collected in certain employment contexts and in a business-to-business (B2B) context from the scope of the CCPA until January 1, 2021. As previously reported, Governor Newsom signed AB 1281 into law on September 29, 2020, providing a one-year extension to the partial employee and B2B exemptions to January 1, 2022, applicable only in the event that the California Privacy Rights Act (CPRA) ballot initiative failed. When the CPRA was approved during the 2020 election by California voters, the exemptions were extended one final time to January 1, 2023. On August 31, 2022, the California legislature adjourned without extending the exemptions, which automatically expire on January 1, 2023 in conjunction with the CPRA effective date.

Types of Employee and B2B Data Now Subject to CPRA

The CCPA contains a partial employee exemption for personal information collected by a business about a person who was either a job applicant or past/current employee or in an otherwise related position, including owners, directors, officers, contractors and beneficiaries/dependents. The exemption is limited to when the business used the information provided "solely" for employment-related actions. The B2B exemption applies to personal information of employees or business contacts that a business collected to aid in providing or receiving a product or service to and from another business.

What Should I Do Now With Employee Data and Personal Information Collected in a Business Context?

This development marks California as the first and only state with a general privacy law that applies to this type of personal information. Personal information collected in certain employee contexts and in a B2B context will now be subject to the onerous compliance requirements under the CPRA. Businesses will have to immediately pivot their data privacy compliance efforts and:

  • Assess the personal information collected, used and disclosed from California employees and job applicants. This will require employers to map employee data and work with their human resource and information technology departments.

  • Update employee, job applicant and other privacy notices and disclosures to incorporate personal information collected in an employment and B2B context.

  • Businesses will be required to disclose a full text privacy notice to employees, as opposed to the previously abbreviated version permitted under the exemptions. These notices will have to include a variety of information, including: (i) the categories of sensitive personal information and personal information collected and processed; (ii) the purposes for the processing; (iii) the retention period by category of personal information; (iv) the description of the rights available; and (v) the manner in which individuals may exercise such rights.

  • Assess the personal information collected by service providers and third parties.

  • Review and update any contracts with service providers and contractors that process employee personal information or personal information collected in a B2B context.

  • Review and update policies and procedures to include the expanded rights under the CPRA.

In short, the CPRA ramps up notice requirements and imposes compliance obligations and other duties on more businesses than previously covered in the CCPA.

What Are Some Other New Issues That Need to Be Assessed?

There are multiple new requirements under the CPRA that will apply to personal information collected from consumers, as well as in the employment or recruitment context and when transacting with actual or prospective business contacts. Some of the key new requirements include:

  • The CPRA's expanded rights will now grant the right to know and access, the right to deletion and the right to correction of personal information.

  • The CPRA expands the scope of behavior covered by the CCPA by amending all mentions of "selling" to include "sharing." This term is defined as any disclosure of personal information to third parties for cross-context behavioral advertising, regardless of whether consideration is exchanged. Where a business engages in sharing, it must post a link titled "Do Not Share My Personal Information" and provide consumers an opportunity to opt out of sharing.

  • The CPRA introduces the new concept of "sensitive personal information," which will require businesses to develop additional disclosures about the use of sensitive personal information in their privacy notices and in their responses to individuals' requests exercising their expanded CPRA rights.

  • The CPRA introduces new data minimization and data retention requirements. Businesses must not collect more personal information than is necessary and must not retain personal information for longer than is reasonably necessary for disclosed purposes. Accordingly, businesses will have to develop, review and update internal data retention policies and procedures.

©2022 Katten Muchin Rosenman LLP

National Law Review, Volume XII, Number 263

About this Author

Trisha Sircar, Privacy, Data and Cybersecurity Attorney, Katten Muchin Rosenman, New York, NY

The value of data as an asset has increased substantially in today's global digital economy. In the high-stakes environment of global intellectual property and technology services, businesses, consumers and individuals need protection. With more than a decade of experience in helping to protect a wide range of businesses — including one of the world's largest insurance companies — Privacy, Data and Cybersecurity partner Trisha Sircar provides practical guidance and creative solutions regarding global privacy and data security risks and compliance issues.

Operating at the...

Jose L. Basabe, New York City Cybersecurity Attorney, Katten

Jose Basabe is an Associate at Katten's New York City office. He advises clients across all industries, including financial services, retail, manufacturing, new and emerging technology and cryptocurrencies. Jose counsels clients on the intersectionality of the law with privacy and cybersecurity practices. Jose also advises clients on operating in accordance with current and anticipated privacy and data security laws, including but not limited to, the California Consumer Privacy Act (CCPA), the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act, the...

Catherine E. O'Brien, Associate, Katten

Katie focuses her practice on intellectual property and related commercial litigation, which includes trademark infringement, false advertising, unfair competition and defamation. Katie also counsels clients on privacy and data security laws, including the California Consumer Privacy Act (CCPA), the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act, the Health Insurance Portability and Accountability Act (HIPAA), and state safeguard and data breach notification laws. Katie also assists clients with drafting privacy, data and information security...

Rachel J. Schaub, IP Attorney, Katten Law Firm

Rachel Schaub is an associate in the Intellectual Property practice.