California Extends Employee and B2B Exemptions under the CCPA

Governor Gavin Newson signed into law AB 1281 on September 29, 2020. The bill amends Section 1798.145 of the California Consumer Privacy Act (CCPA), but it only becomes operational if voters do not approve a ballot initiative that amends the CCPA on the November 3^rd election—namely, the California Privacy Rights Act (CPRA). The provisional amendment includes two important CCPA exemption extensions: (1) employee information (1798.145(h)(1)) and (2) business-to-business (B2B) transactions (1798.145(n)(1)).

The employee information exemption provides that the CCPA generally does not apply to personal information collected by a business about consumers that are employees, job applicants, or owners, when that “information is collected and used by the business solely within the context of” (1) the individual’s role as an employee, job applicant, owner etc., (2) maintaining emergency contact information, and (3) the administration of benefits. Importantly, the amendment states that the notice requirements of Section 1798.100(b) of the CCPA are still in effect. The net result is that employee data does not fall within the ambit of the CCPA, but California employees and job applicants must be presented a notice of collection or a privacy policy.    

The B2B exemption provides that the CCPA generally does not apply to personal information collected by a business about an individual consumer, when the consumer is acting as an employee on behalf of their employer in the context of “providing or receiving a product or service to or from” the business. The rights covered by this exemption include, for example, notice, deletion, and access.

Note that the private right of action under Section 1798.150 is not affected by these exemptions.

As noted above, AB 1281 only takes effect if the CPRA does not pass by referendum on November 3^rd, 2020. If it passes, the CPRA creates an FTC-like agency—the California Privacy Protection Agency—with a five-member board to govern the administration and enforcement of the Act. The Act also creates a narrower category of “sensitive personal information” and accompanying rights to restrict the use of this information. And the Act provides a number of new rights, including data correction rights, geolocation data limitations, and data storage limitations. 

Under AB 1281, these exemptions would be extended to January 1, 2022. If the CPRA passes, these exemptions would last until January 1, 2023.