On September 29th, California Governor Gavin Newsom signed into law AB 1281, an amendment to the California Consumer Privacy Act (“CCPA”) that would extend the current exemption on employee personal information from most of the CCPA’s protections, until January 1 2022. The exemption on employee personal information was slated to sunset on December 31, 2020. It is important to highlight that under the current exemption, while employees are temporarily excluded from most of the CCPA’s protections, two areas of compliance remain: (i) providing a notice at collection, and (ii) maintaining reasonable safeguards for a subset of personal information driven by a private right of action now permissible for individuals affected by a data breach caused by a business’s failure to do so.
Notably, the operation of the extension is contingent upon voters not approving ballot proposition 24 in November, the California Privacy Rights Act (“CPRA”), which would amend the CCPA to include more expansive and stringent compliance obligations and inter alia, would extend the employment personal information exemption until January 1, 2023.
As a reminder, during this challenging time, it is important for employers, regardless of jurisdiction, to remain vigilant on the types of personal information collected from employees and how it is used. Pre COVID-19, employers, for example, were not thinking of performing temperature checks on employees or collecting other personal information in connection with COVID-19 screenings, and as a result may need to update their privacy notices to capture this category of information and the purpose it was used.
A full discussion on AB 1281 is available here.
During the same session, Governor Newsom vetoed an additional privacy bill, AB 1138, which would have required parental or guardian consent for creation of a social media or application account for children under 13. Under the federal Children’s Online Privacy Protection Act (COPPA) operators of Internet websites or online services to obtain parental or guardian consent before collecting personal information from a child known to be under 13. States have the authority to enforce COPPA. In Governor Newsom’s veto statement, he highlighted that “Given its overlap with federal law, this bill would not meaningfully expand protections for children, and it may result in unnecessary confusion.” However, Governor Newsom concluded that his Administration is “open to exploring ways to build upon current law to expand safeguards for children online”.
California continues to be a leader in privacy and cybersecurity legislation. We will continue to update on CCPA and other related developments as they unfold.