The business-to-business (“B2B”) and human resources (“HR”) exemptions to the California Consumer Privacy Act (“CCPA”) have been extended for a full year, and will now expire no sooner than January 1, 2022 – and a further one-year extension seems likely.

The B2B and HR exemptions have thus far permitted businesses to omit these types of data from their CCPA compliance programs – a significant dose of business-friendliness in an otherwise burdensome regime. As we discussed in our end-of-summer recap “While You Were Out” blog post early last month, these exemptions are widely relied on, but have been subject to a January 1, 2021 sunset.

A few weeks ago, the California legislature passed AB 1281 – a one-year extension of the B2B and HR exemptions. Since then the business community has been watching to see if Governor Newsom would sign AB 1281 by the September 30 deadline. We can now report that the Governor did sign the bill on September 29, and the California Secretary of State “chaptered” AB 1281 into law the same day.

As with most things CCPA, the story does get a little more complicated. On November 3, Californians will vote on a referendum to approve, or not, the California Privacy Rights Act (“CPRA”). Among many other changes to California privacy law, CPRA would extend the HR and B2B exemptions for a further year, to January 1, 2023. Polling from earlier this summer – albeit, polling fielded by the CPRA’s leading sponsors – suggests widespread support among Californians for the CPRA. With the statutory extension now firmly in place, however, businesses can rely on the B2B and HR exemptions for at least one more year whether or not the CPRA passes in November.

To subscribe to the Data Blog, please click here.

The authors would like to thank Debevoise law clerk Stephanie Thomas for her contribution to this article.

Author

Jeremy Feigelson is a Debevoise litigation partner, Co-Chair of the firm’s Data Strategy & Security practice, and a member of the firm’s Intellectual Property and Media Group. He frequently represents clients in litigations and government investigations that involve the Internet and new technologies. His practice includes litigation and counseling on cybersecurity, data privacy, trademark, right of publicity, false advertising, copyright, and defamation matters. He can be reached at jfeigelson@debevoise.com.

Author

Avi Gesser is a Debevoise cybersecurity and litigation partner. He is a member of the Debevoise Data Strategy & Security Group, as well as the White Collar & Regulatory Defense Group. Avi has extensive experience advising on a wide range of cybersecurity matters, incident response issues, data strategy concerns and complex commercial litigation. He can be reached at agesser@debevoise.com.

Author

Jim Pastore is a Debevoise litigation partner and a member of the firm’s Data Strategy & Security practice and Intellectual Property Litigation Group. He can be reached at jjpastore@debevoise.com.

Author

Christopher S. Ford is an associate in Debevoise's Litigation Department who is a member of the firm’s Intellectual Property Litigation group and Data Strategy & Security practice. He can be reached at csford@debevoise.com.