Following a winding path in the California Legislature, AB-1281 passed the CA Senate on Friday, August 28^th, and the Assembly on Sunday, August 30^th, and will now go to Governor Newsom for his signature. Governor Newson is not expected to veto the bill. AB-1281 amends the California Consumer Privacy Act (CCPA), extending the business-to-business and personnel/applicant carve-outs through January 1, 2022.

Under the existing carve-outs, businesses subject to the CCPA do not have to comply with the full remit of the law (1) for personal information in business-to-business communications, and (2) for data collected by businesses regarding personnel and applicants in the course of them acting as personnel and applicants. While mostly exempt, there are a couple of CCPA requirements that still apply to this personal information:

• Businesses must provide a notice at collection for personnel and applicants, and
• All personal information is still subject to the CCPA’s personal information breach provisions.

However, outside of these two requirements, businesses have thus far been free from the remainder of the CCPA requirements for business-to-business communications and personnel/applicants, including the requirements around individual rights requests.

What is the Impact of AB-1281? 

The business-to-business and personnel/applicant carve-outs were set to expire at the end of 2020, creating an assortment of new consumers subject to the full scope of the CCPA. The extension will provide a welcome relief to businesses, many of which have been affected by the current COVID crisis.

The obligations imposed by CCPA will continue to not fully apply to data that relates to business-to-business communications or personnel/applicants for one additional year.

What if CPRA is enacted?

The California Privacy Rights Act (CPRA aka Prop 24) will appear on the ballot in California on November 3^rd. AB-1281 will only go into effect if the CPRA fails. The business-to-business and personnel/applicant carve-outs will immediately be extended until January 1, 2023 if CPRA passes in November.

In the event CPRA fails, the CA Legislature could potentially further amend CCPA during the 2021 legislative session to further extend or even make the business-to-business and personnel/applicant carve-outs permanent. However, if CPRA is enacted, the legislature will likely not be able to extend the carve-outs beyond January 1, 2023 or make them permanent given the limitations on amendments that the initiative would impose.