California Extends CCPA Exemptions on Employee and B2B Data Until 2022

Read Time: 3 minutes

On September 29, 2020, California Governor Gavin Newsom signed legislative bill AB 1281 to extend exemptions related to employment information and business-to-business communications contained in the California Consumer Privacy Act of 2018 (the “CCPA”) until January 1, 2022.

The CCPA, arguably the nation’s strictest and most expansive privacy law, not only affects businesses at home in California, but also businesses that hold or process some amount of personal data on California residents. The CCPA, which went into effect on January 1, 2020, includes temporary exemptions for employment-related information and business-to-business communications which were previously set to expire at the end of 2020.

Instead, the exemption will be extended for an additional year, allowing businesses more time to expand privacy compliance programming for employment-related information and business-to-business communications.

Under the current employment-related information exemption to the CCPA, personal information collected within the course of an employment relationship (as a job applicant, employee, owner, officer, director, medical staff member, or contractor) is exempt from the reach of the CCPA to the extent that the personal information is collected and used within the context of such relationship, to maintain an emergency contact on file, or to administer benefits. This means that employees cannot submit “data subject access requests” under CCPA asking to know or delete the personal information that their current and previous employers have collected on them. Even though this information is currently exempt from the CCPA, employers subject to CCPA are still required to safeguard this information and notify employees that they are collecting personal information and the purpose for which that information is to be used. Additionally, employers under the purview of CCPA can still be liable to employees if employees’ sensitive nonencrypted personal information (e.g., a social security number, driver’s license number, medical information) is breached due to the employer’s failure to reasonably safeguard personal information by implementing security procedures.

The business-to-business communications exemption excludes personal information collected in a business context. Specifically, the exemption carves out personal information collected by a business involved in business-to-business communications or transactions where an individual business contact is acting on behalf of another organization and the communications solely relate to the context of the business transaction. California residents do not have a right to notice of collection of this information nor the right to access or delete personal information. However, if a company sells this data, it must still provide business-to-business contacts the right to opt out of the sale of their information and cannot discriminate against those who do so. Additionally, businesses are still liable to those contacts for damages if sensitive nonencrypted personal information is breached due to the company’s failure to reasonably safeguard personal information by implementing security procedures.

Businesses should continue to evaluate data collection practices and consider internal and external policies and procedures that will need to be addressed after the exemptions expire. For advice on how to comply with the CCPA, or for other privacy and cybersecurity advice, please contact a member of the Koley Jessen Data Privacy and Security practice area.

This content is made available for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By using this content, you understand there is no attorney-client relationship between you and the publisher. The content should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.

Professionals

Related Services

Explore Our

Newsroom


Learn about the latest legal news, firm announcements, and upcoming events on the topics important to you and your business.

Jump to Page

Necessary Cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytical Cookies

Analytical cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.