09/06/2022

California Legislature Fails To Extend CCPA HR And B2B Exemptions - Now Each Are Set To Expire

Co-Authored By: Stacey Shadden and Micah Carlson (Graduate Clerk)

The California legislature has entered its recess period without passing any bill that would extend the California Consumer Privacy Act’s (CCPA) two biggest exemptions: the Human Resources (HR) and Business-to-Business (B2B) exemptions. Now, both exemptions are set to expire on January 1, 2023. Here’s what that means for your business’s compliance obligations:

What are these exemptions?

The HR and B2B exemptions remove certain types of data from the scope of CCPA’s obligations. Under the HR exemption, the personal information of employees, contractors, job applicants, and other personnel is exempted from the CCPA’s general protections. Under the B2B exemption, an individual’s personal information is not granted CCPA protections when the individual gives such personal information to a covered business in the scope of acting as an employee, owner, director, officer, or contractor of another business.

The HR and B2B exemptions have been in effect since CCPA first became enforceable on July 1, 2020. The exemptions were originally set to expire on January 1, 2021; however, the sunset date for the two exemptions has been pushed back twice: once by the California legislature and once by the passage of the California Privacy Rights Act (CPRA), approved in November of 2020. The CPRA established January 1, 2023, as the sunset date for the two exemptions.

Under California’s state constitution, September 1, 2022, was the deadline to pass a bill that would have extended the HR and B2B exemptions past January 2023. Although several bills that would have extended the effectiveness of the exemptions were introduced during California’s most recent legislative session, the legislative houses adjourned on August 31, 2022, without passing any such bill.

What does this mean for businesses subject to CCPA?

• The personal information of your employees will be subject to CCPA requirements and consumer rights. Employees, contractors, job applicants, and other personnel held very few rights under the HR exemption. Starting in January, such personnel will possess all CCPA consumer rights in their “HR” data, including the right to access their information and request deletion, and covered businesses will be required to recognize such rights.
• Employees will need to be given full CCPA disclosures. Previously, employers were only required to give a limited privacy disclosure to employees that set out what personal information the employer collects and for what purpose. With the expiration of the HR exemption, employers will be required to give full disclosures to employees, including a recognition of the individual rights granted to consumers under the law.
• Personal information will be given full CCPA protections, even when such information is given in the course of a consumer acting as a representative of a business. Communications between a covered business and an individual representing a business were not granted full CCPA protections under the B2B exemption, even when such communications contained personal information. Now, covered businesses will need to be prepared to provide full CCPA disclosures to the representatives of other businesses before collecting any personal information. Additionally, covered businesses will be required to recognize the CCPA-granted rights to such business representatives.
• Compliance policies will need to be updated to remove any exemptions for HR and B2B data. If your business has specifically exempted HR and B2B data from its internal compliance policies and procedures, you should begin working to cut such references from your documents and begin implementing on-the-ground practices to recognize HR and B2B data as being equivalent to any other type of personal information.

Contact a member of McGrath North’s Privacy and Cybersecurity Team today to learn more about new and emerging regulatory requirements for implementing a compliant cybersecurity framework in California and elsewhere. Our attorneys will help you tackle new requirements head-on to best protect your business now and into the future.