For the past few years, California’s comprehensive privacy law known as the California Consumer Privacy Act (“CCPA”) included an important partial exemption for employees, applicants, and independent contractors (collectively, “workforce members”). The California Privacy Rights Act, which amended the CCPA, extended the exemption through December 31, 2022. While many expected the exemption would be extended, the current California legislative session ended on August 31, 2022, without a bill to do so.
The failure to get an extension across the legislative finish line leaves CCPA-covered businesses with not much time to begin expanding their CCPA compliance efforts. Currently, compliance with respect to workforce members, and certain others, is limited. It includes, in general, providing a notice at or before the time of collection of personal information and maintaining reasonable safeguards to protect certain personal information. By comparison, employers will need to, among other things, expand their privacy policy to address workforce members and be ready to respond to the requests of workforce members concerning their rights under the CCPA, including the right to delete their personal information.
Another exemption, known by some as the “B2B” exemption, generally excluded the personal information of individuals in their capacities as representatives of entities doing business with CCPA-covered businesses. It appears that exemption also will cease to apply in California on January 1, 2023.
For employers wondering if this applies to them and what needs to be done next, our CCPA/CPRA FAQs provide some helpful information, addressing questions such as:
-
Which businesses does the CCPA/CPRA apply to?
-
What is personal information under the CCPA?
-
Does the CCPA apply to employee/applicant data?
Of course, the last question is modified by this development and we will be updating the FAQs accordingly, as well as for CPRA regulations, which currently are in proposed form.
Key steps for compliance will include, among other things:
-
Getting a better handle on the personal information collected, used, retained, and disclosed about workforce members,
-
Updating the business’ privacy policy,
-
Updating agreements with service providers, and
-
Training staff on responding to requests from workforce members concerning their privacy rights under the CCPA.
It is worth noting that the other four states with comprehensive privacy laws – Colorado, Connecticut, Utah, and Virginia – all have excluded the personal information of individuals when acting in an employment or commercial context.