On August 31, 2022, the legislative session in California came to a close without any amendments that would further extend—or make permanent—existing limited exemptions under the California Consumer Privacy Act (the “CCPA”) for personal information collected from California individuals in the context of recruitment and employment (“HR”) or business-to-business (“B2B”) arrangements.

Unlike other state privacy laws, some of which exclude individuals acting in a commercial or employment context, the CCPA extends rights to all California residents. Although a series of amendments had previously provided limited exemptions on B2B and HR data, those exemptions will now expire on January 1, 2023, the day that the California Privacy Rights Act (“CPRA”), which amends the CCPA, will come into force. As we have written about previously, rulemaking to address the CPRA amendments is also underway, and businesses should track the draft regulations and the forthcoming compliance obligations.

Businesses relying on these exemptions to omit B2B and HR data from their CCPA compliance programs were hopeful that proposed legislation, most notably AB 2871, AB 2891 and SB 1454, would extend or make permanent these exemptions. Businesses, including those businesses that previously relied on their data being primarily B2B or covered by another data-based exemption such as data covered by the Gramm-Leach-Bliley Act, will now have to quickly pivot and adapt CCPA-compliant procedures aimed at covering these buckets of personal information.

Major compliance projects might encompass: (1) data mapping to determine what HR and B2B data businesses have, where it comes from and how it is shared; (2) drafting and/or revising notices at collection and privacy policies to cover this HR and B2B personal information; (3) reviewing and updating service provider and contractor contracts relevant to HR and B2B data to include CCPA-compliant provisions; and (4) reviewing and updating California consumer rights policies and processes, as well as operationalizing those policies and processes going back to January 1, 2022, to encompass HR and B2B data and comply with the CPRA’s look-back provisions. A host of other steps companies may already be considering for 2023 compliance should be expanded to account for this data and to enhance CCPA programs.

Author

Avi Gesser is Co-Chair of the Debevoise Data Strategy & Security Group. His practice focuses on advising major companies on a wide range of cybersecurity, privacy and artificial intelligence matters. He can be reached at agesser@debevoise.com.

Author

Tricia Bozyk Sherno is a member of Debevoise's Litigation Department, concentrating in employment and general commercial litigation. She has a broad-gauged employment law practice, with experience representing clients in matters involving discrimination and harassment, contracts, corporate raiding and compensation across a broad range of industries. She can be reached at tbsherno@debevoise.com.

Author

Johanna Skrzypczyk (pronounced “Scrip-zik”) is a counsel in the Data Strategy and Security practice of Debevoise & Plimpton LLP. Her practice focuses on advising on AI matters and privacy-oriented work, particularly related to the California Consumer Privacy Act. She can be reached at jnskrzypczyk@debevoise.com.

Author

Michael R. Roberts is a senior associate in Debevoise & Plimpton’s global Data Strategy and Security Group and a member of the firm’s Litigation Department. His practice focuses on privacy, cybersecurity, data protection and emerging technology matters. He can be reached at mrroberts@debevoise.com.