The business-to-business (“B2B”) and human resources (“HR”) exemptions to the California Consumer Privacy Act (“CCPA”) have been extended for a full year, and will now expire no sooner than January 1, 2022 – and a further one-year extension seems likely.

The B2B and HR exemptions have thus far permitted businesses to omit these types of data from their CCPA compliance programs – a significant dose of business-friendliness in an otherwise burdensome regime. As we discussed in our end-of-summer recap “While You Were Out” blog post early last month, these exemptions are widely relied on, but have been subject to a January 1, 2021 sunset.

A few weeks ago, the California legislature passed AB 1281 – a one-year extension of the B2B and HR exemptions. Since then the business community has been watching to see if Governor Newsom would sign AB 1281 by the September 30 deadline. We can now report that the Governor did sign the bill on September 29, and the California Secretary of State “chaptered” AB 1281 into law the same day.

As with most things CCPA, the story does get a little more complicated. On November 3, Californians will vote on a referendum to approve, or not, the California Privacy Rights Act (“CPRA”). Among many other changes to California privacy law, CPRA would extend the HR and B2B exemptions for a further year, to January 1, 2023. Polling from earlier this summer – albeit, polling fielded by the CPRA’s leading sponsors – suggests widespread support among Californians for the CPRA. With the statutory extension now firmly in place, however, businesses can rely on the B2B and HR exemptions for at least one more year whether or not the CPRA passes in November.

To subscribe to the Data Blog, please click here.

The authors would like to thank Debevoise law clerk Stephanie Thomas for her contribution to this article.


Jeremy Feigelson is a Debevoise litigation partner, Co-Chair of the firm’s Data Strategy & Security practice, and a member of the firm’s Intellectual Property and Media Group. He frequently represents clients in litigations and government investigations that involve the Internet and new technologies. His practice includes litigation and counseling on cybersecurity, data privacy, trademark, right of publicity, false advertising, copyright, and defamation matters. He can be reached at


Avi Gesser is Co-Chair of the Debevoise Data Strategy & Security Group. His practice focuses on advising major companies on a wide range of cybersecurity, privacy and artificial intelligence matters. He can be reached at


Jim Pastore is a Debevoise litigation partner and a member of the firm’s Data Strategy & Security practice and Intellectual Property Litigation Group. He can be reached at


Christopher S. Ford is a counsel in the Litigation Department who is a member of the firm’s Intellectual Property Litigation Group and Data Strategy & Security practice. He can be reached at