On September 29, California Governor Gavin Newsom signed an amendment (AB 1281) that extends the California Consumer Privacy Act (CCPA) partial employee and business-to-business exemptions through December 31, 2021. The extended exemptions may provide some relief to businesses struggling to comply with changing local, state and federal COVID-19 requirements.
Partial Employee and B2B Exemptions
The amendment extended the exemption that relieves businesses from complying with certain CCPA requirements with respect to the personal information of California employees, applicants and business contacts.
The partial employee exemption specifically exempts personal information that is collected by a business about a person in the course of the person acting as a “job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of” the business to the extent that the personal information is collected and used solely within the employment context. The exemption also applies to personal information used for emergency contact purposes, as well as information that is necessary to administer employment benefits.
Under the exemption, employers are still required to inform employees and applicants, at or before the time of collection, of the categories of personal information to be collected and the purposes for which the information will be used (i.e., a “notice at collection”). Further, employers are not exempt from the “duty to implement and maintain reasonable security procedures and practices.” And employees and applicants retain the private right of action in the event that certain of their personal information is subject to a data breach.
Under the B2B exemption, businesses are not required to provide certain notices or extend certain consumer rights to their business contacts. Specifically, the exemption applies to information “reflecting a written or verbal communication or a transaction” between the business and an employee or contractor of another organization (i.e., a business, non-profit or government agency), where the communication or transaction occurs in the context of the business conducting due diligence on that other organization, or the business providing or receiving a product or service to or from such organization.
Both the employee exemption and the business exemption were set to expire on January 1, 2021. The passage of AB 1281 extends these exemptions through December 31, 2021.
Will the Exemptions Extend Through 2022?
AB 1281 will only take effect if California voters do not approve the California Privacy Rights Act (CPRA) ballot initiative. The CPRA would provide new and expanded rights to California consumers and impose additional duties on businesses, contractors and service providers. If approved on the November 3 ballot, the CPRA would extend the B2B and employee exemptions for another year, until December 31, 2022.
Businesses subject to the CCPA should make sure they are satisfying the CCPA’s requirement to provide applicants and employees a notice at collection, taking into consideration any new or additional data collection practices in response to COVID-19.
Employers should ensure that employee notices meet the requirements under the CCPA regulations. Employee notices should include (1) a list of the categories of personal information to be collected, written in a manner that provides a “meaningful understanding” of the information being collected, and (2) the purpose for which the personal information will be used. The regulations also require that notices be designed and presented in a way that is easy to read and understandable.
Last and crucially, businesses should determine if they are using the personal information of applicants and employees outside the employment context or using the personal information of business contacts outside the business-to-business relationship. If yes, the exemptions may not apply, and businesses should confirm that they are otherwise complying with the full requirements of the CCPA.
As always, we are available to address any questions or concerns you may have about CCPA compliance.
Michael A. Gold is the co-chair of the Cybersecurity and Privacy Law Group at Jeffer Mangels Butler & Mitchell LLP. Known for both legal expertise and an understanding of technology, he works with Boards of Directors, C-Suite executives, and IT directors to address cyber risks. He advises clients on domestic and international requirements for information privacy and security. He represents companies in complex litigation and arbitrations, including class action defense actions connected with data breach and privacy claims. Contact Mike at MGold@jmbm.com or +1 310.201.3529.
JMBM’s Cybersecurity and Privacy Group counsels clients in a wide variety of industries, including accounting firms, law firms, business management firms and family offices, in matters ranging from development of cybersecurity strategies, creation of data security and privacy policies, responding to data breaches and regulatory inquiries and investigations, and crisis management. The Cybersecurity and Privacy Group uses a focused intake methodology that permits clients to get a reliable sense of their cybersecurity readiness and to determine optimal, client-specific approaches to cybersecurity.