CCPA exemptions set to expire on January 1, 2023, for the personal information of:
- “Personnel” (employees, job applicants, officers, directors, owners, medical staff members, and independent contractors) and
- “B2B” contacts (prospective business customers, vendors, and suppliers).
Two key exemptions of California's Consumer Privacy Act (CCPA) are set to expire on January 1, 2023. As enacted in 2018, the CCPA contained a so-called “personnel exemption” and a so-called “B2B exemption” (as further described below). As a result, the personal information of certain personnel and business contacts has been exempt from the CCPA. Both exemptions will sunset on January 1, 2023. Therefore, the personal information of these individuals will be subject to the CCPA, and these individuals will be consumers, with the same rights as other consumers under the CCPA.
As originally enacted in 2018, the personnel exemption and the B2B exemption were scheduled to sunset on January 1, 2020, but the California Privacy Rights Act (CPRA), which was adopted by referendum, extended the sunset provisions to January 1, 2023 (and otherwise amended the CCPA). Two bills were introduced in the California legislature to further extend the personnel exemption and the B2B exemption, but they were not adopted prior to the adjournment of the 2022 session. Therefore, these exemptions will expire at the end of this year. As a result, the personal information of (i) employees, job applicants, officers, directors, owners, medical staff members, and independent contractors (“personnel”); and (ii) prospective business customers, vendors, and suppliers (“business contacts”), will be subject to the CCPA, and these individuals will have the same rights as other consumers under the CCPA.
Businesses subject to the CCPA must act now to achieve compliance by January 1, 2023.
Practical Steps with a Looming Compliance Deadline:
- Create or update a data inventory for all personal information and sensitive personal information of personnel and business contacts. Sensitive personal information is a new subcategory of data created by the CPRA. The data inventory should catalog where each piece of personal information and sensitive personal information was originally collected, where it is stored, what the data is used for, who it is shared with, and the business purpose of sharing the information.
- Revisit data retention standards. Without the personnel and B2B exemptions, the CPRA will require businesses to provide notice to personnel and business contacts about how long the business will keep their personal information and sensitive personal information, and to implement procedures to securely delete the data under the same schedule.
- Review the interplay between existing laws related to employee data, and the CPRA rights and obligations. California employment laws and ERISA provide rights and obligations concerning employment data. These may overlap or conflict with CPRA rights as they will apply to personnel data. Consider carefully the potential for overlaps and conflicts, and develop internal processes to manage and respond to requests submitted under either regime.
- Implement processes for personnel and business contacts to submit CCPA requests. Businesses must extend to personnel and business contacts their mechanisms for submitting CCPA requests to know, delete, opt out of the sale of, and correct personal information, and to limit the use of sensitive personal information.
Locke Lord’s Privacy & Cybersecurity Group has a dedicated CCPA Initiative that can help meet the looming deadline for California personnel and business contacts.