Businesses will need to take additional steps to ensure compliance as exemptions under the California Consumer Privacy Act expire at the end of 2022.

By Robert Blamires, Michael H. Rubin, Robert W. Brown, and Jennifer Howes

The California legislature adjourned its 2022 session without extending the exemptions under the California Consumer Privacy Act (CCPA) for personal information collected about California residents in a personnel/HR or business-to-business (B2B) context. Therefore, starting next year all obligations (and rights) in the CCPA, including those introduced under the California Privacy Rights Act (CPRA), will extend to such information.

As a result, businesses covered by the CCPA may need to make material adjustments to their privacy programs, including updating and supplementing existing privacy notices and policies, assessing whether they are processing “sensitive” personal information or “selling” personal information about personnel or B2B contacts, and extending rights to individuals in relation to personal information collected about them in these capacities.

The Exemptions

When it came into effect in 2020, the CCPA included important exemptions for personal information about California-resident personnel and B2B contacts. Under these exemptions, none of the CCPA’s obligations applied to such information, other than: for personnel, the obligation to provide notice at the point of collection; for B2B contacts, key obligations regarding “selling” personal information; and, for both categories, the private right of action for certain data breaches.

These exemptions were originally due to sunset at the end of 2021, although the CPRA extended that deadline to the end of 2022. California lawmakers subsequently proposed several bills to extend the exemptions further or indefinitely. However, on August 31, 2022, the California legislature ultimately adjourned its session without passing any of these bills, meaning that the exemptions will expire at the end of this year.

Scope and Impact

Once the exemptions expire on January 1, 2023, the CCPA will fully regulate personal information about the following California residents:

  • Personnel: Job applicants, employees, owners, directors, officers, medical staff members, and contractors of a covered business (and their emergency contacts and relatives)
  • B2B contacts: Employees, owners, directors, officers, and contractors of an organization collected by a covered business

This development has broad implications. For example, all California residents, regardless of their status as an employee or a representative of a business, will now have the right to make requests in relation to personal information about them, and covered California businesses must extend all aspects of the CCPA and CPRA to them. Therefore, covered businesses may need to take significant additional steps and make material adjustments to their privacy program, including to:

  • update employee and job applicant privacy notices to include additional disclosures and account for newly available rights, such as the right to request access, correction, and deletion of their personal information;
  • begin providing to B2B contacts a privacy notice at or before the point of collecting their personal information;
  • update online and offline privacy policies to cover the collection, use, and disclosure of personal information about business contacts, if not already covered;
  • assess their processing of “sensitive” personnel information and consider whether a right to limit such processing must be offered to personnel;
  • assess whether they are “selling” personal information about employees and, if so, consider relevant exceptions and take corresponding compliance measures; and
  • modify the scope and operation of consumer rights and related procedures, policies, and training.

These obligations will apply only with respect to California residents. No other state data privacy law in the US has extended similar obligations to personnel and B2B contacts to date; upcoming data privacy laws in Colorado, Connecticut, Utah, and Virginia incorporate exemptions for such individuals indefinitely. However, EU data privacy laws, in particular the GDPR, have long provided rights to individuals in all capacities, including in an employment or B2B context. Many organizations subject to these laws have experienced employees in the EU and UK exercising their corresponding rights (e.g., to access their personnel file or personal data contained in emails and documents), including as an unofficial discovery exercise. Businesses subject to the CCPA would be wise to consider any experiences they have had in other jurisdictions, including under the GDPR, in preparing for the new obligations in 2023.

Lastly, the CCPA is the last in a long line of data privacy laws in California. Existing data privacy laws in the state already impose a range of obligations on companies doing business in California. Therefore, these latest developments should be considered not as stand-alone data privacy requirements but rather as an additional layer supplementing the existing California data privacy legal framework, and as a set of obligations that covered businesses should integrate into their overall data privacy program and approach to compliance.