The California Consumer Privacy Act (CCPA) is California's groundbreaking legislation that seeks to give California consumers certain rights over how a business handles "personal information" collected about its consumers. On October 11, 2019, California Governor Gavin Newsom signed AB 25 into law, which provided businesses with temporary relief by exempting personal information that is collected in certain employment contexts and in a business-to-business (B2B) context from the scope of the CCPA until January 1, 2021. As previously reported, Governor Newsom signed AB 1281 into law on September 29, 2020, providing a one-year extension to the partial employee and B2B exemptions to January 1, 2022, applicable only in the event that the California Privacy Rights Act (CPRA) ballot initiative failed. When the CPRA was approved during the 2020 election by California voters, the exemptions were extended one final time to January 1, 2023. On August 31, 2022, the California legislature adjourned without extending the exemptions, which automatically expire on January 1, 2023 in conjunction with the CPRA effective date.
Types of Employee and B2B Data Now Subject to CPRA
The CCPA contains a partial employee exemption for personal information collected by a business about a person who was either a job applicant or past/current employee or in an otherwise related position, including owners, directors, officers, contractors and beneficiaries/dependents. The exemption is limited to when the business used the information provided "solely" for employment-related actions. The B2B exemption applies to personal information of employees or business contacts that a business collected to aid in providing or receiving a product or service to and from another business.
What Should I Do Now With Employee Data and Personal Information Collected in a Business Context?
This development marks California as the first and only state with a general privacy law that applies to this type of personal information. Personal information collected in certain employee contexts and in a B2B context will now be subject to the onerous compliance requirements under the CPRA. Businesses will have to immediately pivot their data privacy compliance efforts and:
-
Assess the personal information collected, used and disclosed from California employees and job applicants. This will require employers to map employee data and work with their human resource and information technology departments.
-
Update employee, job applicant and other privacy notices and disclosures to incorporate personal information collected in an employment and B2B context.
-
Businesses will be required to disclose a full text privacy notice to employees, as opposed to the previously abbreviated version permitted under the exemptions. These notices will have to include a variety of information, including: (i) the categories of sensitive personal information and personal information collected and processed; (ii) the purposes for the processing; (iii) the retention period by category of personal information; (iv) the description of the rights available; and (v) the manner in which individuals may exercise such rights.
-
Assess the personal information collected by service providers and third parties.
-
Review and update any contracts with service providers and contracts that process employee personal information or personal information collected in a B2B context.
-
Review and update policies and procedures to include the expanded rights under the CPRA.
In short, the CPRA ramps up notice requirements and imposes compliance obligations and other duties on more businesses than previously covered in the CCPA.
What Are Some Other New Issues That Need to Be Assessed?
There are multiple new requirements under the CPRA that will apply to personal information collected from consumers, as well as in the employment or recruitment context and when transacting with actual or prospective business contacts. Some of the key new requirements include:
-
The CPRA's expanded rights will now grant the right to know and access, the right to deletion and the right to correction of personal information.
-
The CPRA expands the scope of behavior covered by the CCPA by amending all mentions of "selling" to include "sharing." This term is defined as any disclosure of personal information to third parties for cross-context behavioral advertising, regardless of whether consideration is exchanged. Where a business engages in sharing, it must post a link titled "Do Not Share My Personal Information" and provide consumers an opportunity to opt out of sharing.
-
The CPRA introduces the new concept of "sensitive personal information," which will require businesses to develop additional disclosures about the use of sensitive personal information in their privacy notices and responses to individuals' requests exerting their expanded CPRA rights.
-
The CPRA introduces new data minimization and data retention requirements. Businesses must not collect more personal information than is necessary and must not retain personal information for longer than is reasonably necessary for disclosed purposes. Accordingly, businesses will have to develop, review and update internal data retention policies and procedures.