For the past few years, California’s comprehensive privacy law known as the California Consumer Privacy Act (“CCPA”) included an important partial exemption for employees, applicants, and independent contractors (collectively, “workforce members”). The California Privacy Rights Act, which amended the CCPA, extended the exemption through December 31, 2022. While many expected the exemption would be extended, the current California legislative session ended on August 31, 2022, without a bill to do so.
Another exemption, known by some as the “B2B” exemption, generally excluded the personal information of individuals in their capacities as representatives of entities doing business with CCPA-covered businesses. It appears that exemption also will cease to apply in California on January 1, 2023.
For employers wondering if this applies to them and what needs to be done next, our CCPA/CPRA FAQs provide some helpful information, addressing questions such as:
- Which businesses does the CCPA/CPRA apply to?
- What is personal information under the CCPA?
- Does the CCPA apply to employee/applicant data?
Of course, the answer to the last question changes with this development, and we will be updating the FAQs accordingly, as well as to reflect the CPRA regulations, which currently are in proposed form.
Key steps for compliance will include, among other things:
- Getting a better handle on the personal information collected, used, retained, and disclosed about workforce members,
- Updating agreements with service providers, and
- Training staff on responding to requests from workforce members concerning their privacy rights under the CCPA.
It is worth noting that the other four states with comprehensive privacy laws – Colorado, Connecticut, Utah, and Virginia – all have excluded the personal information of individuals when acting in an employment or commercial context.
If you have questions about compliance requirements under the CCPA/CPRA, please reach out to a member of our Privacy, Data, and Cybersecurity practice group.