Possible Extension of CCPA Exemptions for B2B and Employee Data
The California Consumer Privacy Act (CCPA) was amended in 2019 to add two exemptions, one for certain personal information (PI) collected from consumers in business to business (B2B) transactions and the other for certain employee information. These two exemptions are scheduled to sunset on January 1, 2021. As of June 25, 2020, a bill to extend these exemptions through January 1, 2022 is now pending in the California Senate.
The CCPA exempts covered businesses from having to comply with all of the requirements of the CCPA when they process PI reflecting a written or verbal communication or a transaction between the business and a consumer if:
- The consumer is a natural person acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, non-profit, or government agency (collectively, “B2B entities”), and
- Those communications or the transaction with the covered business occur solely within the context of the business conducting due diligence regarding or providing or receiving a product or service to or from such B2B entities.
For example, a bank may collect the PI of an individual guarantor in approving, closing, and servicing a commercial loan to a B2B entity borrower. This consumer PI would be subject to the B2B exemption and exempt from coverage under the CCPA, provided that the bank used the guarantor’s PI solely in the context of that B2B transaction.
The B2B exemption does not, however, entirely exempt consumer PI obtained in B2B transactions from the CCPA. These consumers still have the right to opt out of the sale of their PI, businesses still have an obligation not to discriminate against these consumers for attempting to exercise any of their other CCPA rights, and these consumers retain the right to bring a legal action under the CCPA in the event of a breach of their PI.
The B2B exemption is scheduled to expire as of January 1, 2021. At that time, all consumer PI obtained in B2B transactions will be covered by all of the provisions of the CCPA.
Certain PI collected from employees and other personnel has also been temporarily exempt from the scope of the CCPA. The CCPA does not apply to the following:
Human Resources Management - PI that is collected by a business about a natural person in the course of the natural person acting as a job applicant to or employee, owner, director, officer, medical staff member, or contractor of that business (collectively, “Applicant/Employee”) to the extent that the natural person’s PI is collected and used by the business solely within the context of the natural person’s role or former role as an Applicant/Employee of that business.
Emergency Contact Information - PI that is collected by a business as emergency contact information of an Applicant/Employee to the extent that such PI is collected and used solely within the context of having an emergency contact on file.
Benefits Administration - PI that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as an Applicant/Employee of that business to the extent that the PI is collected and used solely within the context of administering those benefits.
Like the B2B exemption, this “employee exemption” is limited in scope. Businesses covered by the CCPA are still required to provide a notice of their data collection and use practices to Applicants/Employees and Applicants/Employees may bring a private right of action under the CCPA in the event of a breach of their PI.
The employee exemption is scheduled to expire as of January 1, 2021. All consumer PI obtained in connection with human resources management, as emergency contact information, and for benefits administration, as described above, will be covered by all provisions of the CCPA at that time.
Recent Legislative Development
On June 25, 2020, Assembly Bill (AB) 1281, a facial recognition technology disclosure bill languishing in the California Senate since early 2019, was gutted and replaced with text extending the sunset date for the B2B and employee exemptions under the CCPA to January 1, 2022. AB 1281 may be side-lined in the state legislature by other competing priorities in the current coronavirus pandemic. However, AB 1281, even if signed into law by the California Governor, may be side-lined by something else. AB 1281, by its terms, would only become operative if California voters do not approve the ballot initiative (the “California Privacy Right Act) to amend the CCPA in the statewide general election on November 3, 2020. The ballot initiative would amend the CCPA to, among other things, extend these two exemptions through January 1, 2023.
Keep calm and carry on with your current CCPA compliance program but keep an eye on the status of AB 1281. This is not the first time the California legislature has reacted to a privacy ballot initiative with proposed legislation. Although two avenues are now open to extend the sunset date of the B2B and employee exemptions, a legislative extension of the exemptions is not guaranteed and passage of the ballot initiative is not a foregone conclusion. It may be prudent to, at least, begin thinking about how the expiration of these two exemptions on January 1, 2021 would impact your current CCPA compliance program.