October 30, 2020

Volume X, Number 304

Advertisement

October 29, 2020

Subscribe to Latest Legal News and Analysis

October 28, 2020

Subscribe to Latest Legal News and Analysis

October 27, 2020

Subscribe to Latest Legal News and Analysis

CCPA Business-to-Business and Personnel Carve-Out Extension Clears California Legislature

Following a winding path in the California Legislature, AB-1281 passed the CA Senate on Friday, August 28th, and the Assembly on Sunday, August 30th, and will now go to Governor Newsom for his signature. Governor Newson is not expected to veto the bill. AB-1281 amends the California Consumer Privacy Act (CCPA), extending the business-to-business and personnel/applicant carve-outs through January 1, 2022.

Under the existing carve-outs, businesses subject to the CCPA do not have to comply with the full remit of the law (1) for personal information in business-to-business communications, and (2) for data collected by businesses regarding personnel and applicants in the course of them acting as personnel and applicants. While mostly exempt, there are a couple of CCPA requirements that still apply to this personal information:

  • Businesses must provide a notice at collection for personnel and applicants, and
  • All personal information is still subject to the CCPA’s personal information breach provisions.

However, outside of these two requirements, businesses have thus far been free from the remainder of the CCPA requirements for business-to-business communications and personnel/applicants, including the requirements around individual rights requests.

What is the Impact of AB-1281? 

The business-to-business and personnel/applicant carve-outs were set to expire at the end of 2020, creating an assortment of new consumers subject to the full scope of the CCPA. The extension will provide a welcome relief to businesses, many of which have been affected by the current COVID crisis.

The obligations imposed by CCPA will continue to not fully apply to data that relates to business-to-business communications or personnel/applicants for one additional year.

What if CPRA is enacted?

The California Privacy Rights Act (CPRA aka Prop 24) will appear on the ballot in California on November 3rdAB-1281 will only go into effect if the CPRA fails. The business-to-business and personnel/applicant carve-outs will immediately be extended until January 1, 2023 if CPRA passes in November.

In the event CPRA fails, the CA Legislature could potentially further amend CCPA during the 2021 legislative session to further extend or even make the business-to-business and personnel/applicant carve-outs permanent. However, if CPRA is enacted, the legislature will likely not be able to extend the carve-outs beyond January 1, 2023 or make them permanent given the limitations on amendments that the initiative would impose.

© Copyright 2020 Squire Patton Boggs (US) LLPNational Law Review, Volume X, Number 245
Advertisement

TRENDING LEGAL ANALYSIS

Advertisement
Advertisement

About this Author

Lauren Kitces Data Privacy & Cybersecurity Attorney Squire Patton Boggs Washington DC
Associate

Lauren Kitces is a member of our Data Privacy & Cybersecurity Practice, where she provides business-oriented privacy and cybersecurity advice to a wide range of clients, leveraging her in-house experience to provide mindful guidance. She has strong international experience, which she uses to help translate pre-existing international efforts into US regulatory compliance. Lauren enjoys the nuance and complexities that come with being in a field that is still evolving and forming both nationally and internationally.

Lauren utilizes her analytical thought-process and over 10 years...

202-457-6427
Lydia de la Torre Data Privacy & Cybersecurity Attorney Squire Patton Boggs Palo Alto, CA
Of Counsel

Lydia de la Torre provides strategic privacy compliance advice related to US and EU privacy, including data protection and cybersecurity law, General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), other state’s privacy and cyber laws, US financial privacy laws, and marketing and advertising compliance, as well as information security. She also represents clients in investigations with an eye toward helping them avoid litigation.

Lydia’s work in-house and with organizations has run the gamut, from pre-IPO start-ups to mature Fortune 500 companies, in a...

650-843-3227
Advertisement
Advertisement