CCPA Employee and B2B Exemption Extended Until 2022
On September 29, California Governor Gavin Newsom signed into law an amendment (AB 1281) that extends the California Consumer Privacy Act (CCPA) partial employee and business-to-business exemptions until January 1, 2022. As businesses continue to work through COVID-19 obstacles, these extended exemptions may provide some relief to businesses struggling to comply with changing local, state and federal COVID-19 requirements.
Partial employee and B2B exemptions
The amendment extends the exemption of businesses from certain CCPA requirements with respect to the personal information of California employees, applicants and business contacts.
The partial employee exemption specifically exempts personal information that is collected by a business about a person in the course of the person acting as a “job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of” the business to the extent that the personal information is collected and used solely within the employment context.1 The exemption also applies to personal information used for emergency contact purposes, as well as information that is necessary to administer employment benefits. Under the exemption, employers are still required to inform employees and applicants, at or before the time of collection, of the categories of personal information to be collected and the purposes for which the information will be used (i.e., a “notice at collection”).2 Further, employers are not exempt from the “duty to implement and maintain reasonable security procedures and practices,” and employees and applicants retain the private right of action in the event that certain of their personal information is subject to a data breach.3
Under the business-to-business exemption, businesses are not required to provide certain notices or extend certain consumer rights to their business contacts. Specifically, the exemption applies to information “reflecting a written or verbal communication or a transaction” between the business and an employee or contractor of another organization (i.e., a business, non-profit or government agency), where the communication or transaction occurs in the context of (1) the business conducting due diligence on that other organization, or (2) the business providing or receiving a product or service to or from such organization.
Both the partial employee exemption and the business contact exemption were set to expire in a few months on January 1, 2021. However, the passage of AB 1281 extends these exemptions for an additional year through the end of 2021.
Extension through 2023?
AB 1281 will only take effect if California voters do not approve the California Privacy Rights Act (CPRA) ballot initiative. The CPRA, among other things, would provide new and expanded rights to California consumers and impose additional obligations on businesses, contractors and service providers. If approved on the November 3 ballot, the CPRA would extend the business-to-business and employee exemptions for another year until the end of 2022.
What should I do now?
Regardless of whether the CPRA is approved, businesses subject to the CCPA have some breathing room to develop CCPA compliance plans with respect to their employee and business contact operations. As of now, businesses should ensure that they are satisfying the CCPA’s requirement to provide applicants and employees a notice at collection, taking into consideration any new or additional data collection practices in response to COVID-19.
Additionally, now that the CCPA regulations are in effect and enforceable, employers should ensure that employee notices meet the requirements under the regulations. Notably, employee notices should include (1) a list of the categories of personal information to be collected, written in a manner that provides a “meaningful understanding” of the information being collected, and (2) the purpose for which the personal information will be used. The regulations also require that notices be designed and presented in a way that is easy to read and understandable, and:
Use plain, straightforward language and avoid technical or legal jargon;
Use a format that draws the reader’s attention and makes the notice readable, including on smaller screens, if applicable;
Be available in the languages in which the business typically provides contracts and other information to individuals in California; and
Be reasonably accessible to consumers with disabilities.4
Lastly, businesses should assess whether they are using the personal information of applicants and employees outside the employment context or using the personal information of business contacts outside the business-to-business relationship. If so, the exemptions may not apply, and businesses should confirm that they are otherwise complying with the full requirements of the CCPA.