California Extends Employee and B2B Communication Exemptions under the CCPA until January 2021

California and data privacy continue to make headlines. Last week, California Governor Gavin Newsom extended two key exemptions under the California Consumer Privacy Act of 2018 (“CCPA”) until January 1, 2022:

  1. Employee personal information; and
  2. Business to business communications.

See AB1281. Now, before you pop champagne, it is important to understand how these exemptions apply to personal information, and the CCPA in general.

Employee Personal Information Exemptions

Under the CCPA, certain employee personal information is exempted. The exemption applies to personal information that relates to “natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business.” 1798.145(h)(1). And, it applies in three circumstances:

  1. Personal Information collected in the course of a person’s application for employment or actual employment of the business;
  2. Emergency contact information; or
  3. Personal Information that is necessary for the administration of benefits. 

1798.145(h)(1). In essence, personal information collected from prospective, current, and terminated employees is not covered under the CCPA.

For many businesses, this exemption was viewed as a natural consequence of the phrasing of the CCPA. Even in its title, it appears to relate to “consumers” and not generally personal individuals. Businesses often are surprised that employees were not naturally carved out of the regulation.

B2B Communications

Additionally, the CCPA certain business communications are exempt from the CCPA protections:

The obligations imposed on businesses by Sections 1798.100, 1798.105, 1798.110, 1798.115, 1798.130, and 1798.135 shall not apply to personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, non-profit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, non-profit, or government agency.

1798.145(n)(1). Importantly, this exemption does not apply to the right to opt-out of the sale of a consumer’s personal information. Further, it is important to understand that this exemption is only triggered in the context of a business relationship. So, arguably, if an employee is reaching out to prospective employees or conducting general networking, it may not extend to those communications. Because its scope is very nuanced, it places a huge burden on the business to accurately categorize its communications and truly understand if those communications fall under the exemption. 

What does this mean for compliance under the CCPA?

While many businesses are still struggling to wrap their heads around the requirements of the CCPA, especially privacy rights they may (mistakenly) see this as a full exemption and it is not. 

For example, not all employee data is exempted. If an employee makes a request to know what information a business has on her, the business must comply. 1798.145(h)(3). Further, the business to business communications exemptions is confusing, to say the least. And, for both exemptions, the business has the burden to support how it interprets and applies the exemption.

So while this extends the  time to address these two classes of personal information, businesses can expect that eventually, there will be privacy protections related to this information. So this perceived relief is temporary, but not permanent. 

Organizations need to understand how these exemptions will apply to the data the business collects.: This means your organization should conduct a data mapping / inventory exercise. Knowing what data you maintain, and how you use it, is pivotal to determining the scope of these exemptions. It will also give your organization key insights into how to address data privacy compliance under regulations like the CCPA. 

Understanding the nuances of the CCPA, and its application to your business and industry, is key to compliance, risk mitigation, and financial efficiencies. Our team regularly works with clients to understand their data, and identify data inventories. If you have a concern, reach out today to learn more! 

* * * * * *

Nothing contained in this blog should be construed as creating an attorney-client relationship or providing legal advice of any kind.  If you have a legal issue regarding cybersecurity, domestic or international data privacy, or electronic discovery, you should consult a licensed attorney in your jurisdiction.