December 1, 2022

Volume XII, Number 335


November 30, 2022

Subscribe to Latest Legal News and Analysis

November 29, 2022

Subscribe to Latest Legal News and Analysis

November 28, 2022

Subscribe to Latest Legal News and Analysis

CCPA Employee and B2B Exemption Extended Until 2022

On September 29, California Governor, Gavin Newsom, signed an amendment (AB 1281) into law that extends the California Consumer Privacy Act (CCPA) partial employee and business-to-business exemptions until January 1, 2022. As businesses continue to work through COVID-19 obstacles, these extended exemptions may provide some relief to businesses struggling to comply with changing local, state and federal COVID-19 requirements.

Partial employee and B2B exemptions

The amendment extended the exception for businesses from complying with certain CCPA requirements with respect to the personal information of California employees, applicants and business contacts.

The partial employee exemption specifically exempts personal information that is collected by a business about a person in the course of the person acting as a “job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of” the business to the extent that the personal information is collected and used solely within the employment context.The exemption also applies to personal information used for emergency contact purposes, as well information that is necessary to administer employment benefits. Under the exemption, employers are still required to inform employees and applicants, at or before the time of collection, of the categories of personal information to be collected and the purposes for which the information will be used (i.e., a “notice at collection”).Further, employers are not exempt from the “duty to implement and maintain reasonable security procedures and practices,” and employees and applicants retain the private right of action in the event that certain of their personal information is subject to a data breach.3

Under the business-to-business exemption, businesses are not required to provide certain notices or extend certain consumer rights to their business contacts. Specifically, the exemption applies to information “reflecting a written or verbal communication or a transaction” between the business and an employee or contractor of another organization (i.e., a business, non-profit or government agency), where the communication or transaction occurs in the context of (1) the business conducting due diligence on that other organization, or (2) the business providing or receiving a product or service to or from such organization.

Both the partial employee exemption and the business contact exemption were set to expire in a few months on January 1, 2021. However, the passage of AB 1281 extends these exemptions for an additional year through the end of 2021.

Extension through 2023?

AB 1281 will only take effect if California voters do not approve the California Privacy Rights Act (CPRA) ballot initiative. The CPRA, among other things, would provide new and expanded rights to California consumers and impose additional obligations on businesses, contractors and service providers. If approved on the November 3 ballot, the CPRA would extend the business-to-business and employee exemptions for another year until the end of 2022.

What should I do now?

Regardless of whether the CPRA is approved, businesses subject to the CCPA have some breathing room to develop CCPA compliance plans with respect to their employee and business contact operations. As of now, businesses should ensure that they are satisfying the CCPA’s requirement to provide applicants and employees a notice at collection, taking into consideration any new or additional data collection practices in response to COVID-19.

Additionally, now that the CCPA regulations are in effect and enforceable, employers should ensure that employee notices meet the requirements under the regulations. Notably, employee notices should include (1) a list of the categories of personal information to be collected, written in a manner that provides a “meaningful understanding” of the information being collected, and (2) the purpose for which the personal information will be used. The regulations also require that notices be designed and presented in a way that is easy to read and understandable, and:

  • Use plain, straightforward language and avoid technical or legal jargon;

  • Use a format that draws the reader’s attention and makes the notice readable, including on smaller screens, if applicable;

  • Be available in the languages in which the business typically provides contracts and other information to individuals in California; and

  • Be reasonably accessible to consumers with disabilities.4

Lastly, businesses should assess whether they are using the personal information of applicants and employees outside the employment context or using the personal information of business contacts outside the business-to-business relationship. If so, the exemptions may not apply, and businesses should confirm that they are otherwise complying with the full requirements of the CCPA.


2 1798.100(b).

3 1798.150.


©2022 Katten Muchin Rosenman LLPNational Law Review, Volume X, Number 275

About this Author

Dagatha L. Delgado Intellectual Property Attorney Katten Muchin Rosenman New York, NY
Staff Attorney

Dagatha Delgado helps clients get the most out of cutting-edge innovations and address the privacy, data protection and cybersecurity challenges that arise from an ever-changing digital world.

Dagatha helps provide advice on privacy and technology matters, including compliance with rapidly evolving privacy and cybersecurity laws, and engaging and managing IT and cloud service providers. As a member of Katten’s data breach response team, Dagatha also steps in to help clients respond to and recover from data breaches and security incidents.

Guidance on privacy compliance and...

Doron Goldstein, Katten Muchin Law Firm, Intellectual Property Attorney

Doron S. Goldstein's practice primarily deals with intellectual property, information technology and advertising, marketing and branded entertainment transactions and counseling, including privacy and information security, trademark, copyright, software and technology matters, and he is co-head of Katten's Advertising, Marketing and Promotions practice and of the firm's Privacy, Data and Cybersecurity group.

Doron regularly advises on various aspects of integrated marketing campaigns, including talent and production agreements, advertising agency...

Megan Hardiman, Katten Muchin Law Firm, Health Care Legl Specialist

Megan Hardiman draws on her broad regulatory background to advise clients on complex health information privacy issues, tax-exempt organization compliance issues, including maintaining tax-exempt status, IRS Form 990 reporting issues and best practices for executive compensation, state fee-splitting and corporate practice of medicine prohibitions and fraud and abuse compliance.

Megan devotes a significant portion of her practice to helping health care companies and business associates understand and meet the requirements of the Health Insurance Portability...

Jeremy Merkel Privacy, Data & Cybersecurity Attorney Katten Muchin Rosenman New York, NY

Jeremy Merkel counsels businesses and organizations across a range of industries on privacy and data security matters. Combining his knowledge of the cybersecurity landscape with his technical experience, Jeremy is a trusted advisor to companies during the critical moments of identifying and responding to data security incidents. From the moment a breach is identified, Jeremy leverages resources to understand the scope of an incident, assess the risk to data and sensitive information and mitigate legal exposure.

The legal framework of privacy and data security laws is constantly...

Trisha Sircar Privacy, Data and Cybersecurity Attorney Katten Muchin Rosenman New York, NY

The value of data as an asset has increased substantially in today's global digital economy. In the high-stakes environment of global intellectual property and technology services, businesses, consumers and individuals need protection. With more than a decade of experience in helping to protect a wide range of businesses — including one of the world's largest insurance companies — Privacy, Data and Cybersecurity partner Trisha Sircar provides practical guidance and creative solutions regarding global privacy and data security risks and compliance issues.

Operating at the...