In 2018, the California Legislature adopted the California Consumer Privacy Act (CCPA) and became the first state to enact a comprehensive law designed to protect the privacy of consumers’ personal information. Businesses that are subject to the CCPA are required, among other things, to respond to consumers who wish to view the personal information collected by the business, delete personal information, and opt-out of the sale of personal information. The CCPA was amended in 2020 when California voters approved the California Privacy Rights Act of 2020 (CPRA), which added additional requirements and restrictions regarding the collection, use, sale and sharing of personal information.
Employee and Business Personal Information
While the CCPA is aimed at protecting consumers’ personal information, the terms of the law extend to the personal information of employees and business contacts. The California legislature reacted by exempting employment information and “business to business” (B2B) personal information from many of the provisions of the CCPA until January 1, 2021, which was extended in the CPRA to January 1, 2023.
The Exemption and its Demise
The broad consensus after the adoption of the CPRA was that the California legislature would extend the exemptions of employee and B2B personal information. While there were a number of attempts to come to an agreement, ultimately, the California Legislature adjourned on August 31, 2022 without adopting an extension. As a result, it is a certainty that full consumer rights will apply to personal information obtained from employees or as a result of a B2B relationship.