On August 31, 2022, the legislative session in California came to a close without any amendments that would further extend—or make permanent—existing limited exemptions under the California Consumer Privacy Act (the “CCPA”) for personal information collected from California individuals in the context of recruitment and employment (“HR”) or business-to-business (“B2B”) arrangements.
Unlike other state privacy laws, some of which exclude individuals acting in a commercial or employment context, the CCPA extends rights to all California residents. Although a series of amendments had previously provided limited exemptions on B2B and HR data, those exemptions will now expire on January 1, 2023, the day that the California Privacy Rights Act (“CPRA”), which amends the CCPA, will come into force. As we have written about previously, rulemaking to address the CPRA amendments is also underway, and businesses should track the draft regulations and the forthcoming compliance obligations.
Businesses relying on these exemptions to omit B2B and HR data from their CCPA compliance programs were hopeful that proposed legislation, most notably AB 2871, AB 2891 and SB 1454, would extend or make permanent these exemptions. Businesses, including those businesses that previously relied on their data being primarily B2B or covered by another data-based exemption such as data covered by the Gramm-Leach-Bliley Act, will now have to quickly pivot and adapt CCPA-compliant procedures aimed at covering these buckets of personal information.
Major compliance projects might encompass: (1) data mapping to identify what HR and B2B data businesses have, where it comes from and how it is shared; (2) drafting and/or revising notices at collection and privacy policies to cover this HR and B2B personal information; (3) reviewing and updating service provider and contractor contracts relevant to HR and B2B data to include CCPA-compliant provisions; and (4) reviewing and updating California consumer rights policies and processes, as well as operationalizing those policies and processes going back to January 1, 2022, to encompass HR and B2B data and comply with the CPRA’s look-back provisions. A host of other steps companies may already be considering for 2023 compliance should be expanded to account for this data and to enhance CCPA programs.