California Fails to Extend CCPA's Employee and Business-to-Business Data Exemptions
The California legislature failed to extend the California Consumer Privacy Act’s (“CCPA”) temporary exemptions for employee and human resources (“HR”) data and business-to-business (“B2B”) communications before the end of the legislative session on August 31, 2022. These exemptions will automatically expire on January 1, 2023, the same date that the California Privacy Rights Act (“CPRA”) becomes fully effective.
The current exemptions under the CCPA broadly apply to the personal information of job applicants, employees, owners, directors, officers, and independent contractors in the context of an individual’s employment or application for employment, and to personal information reflecting written and verbal communications where a consumer is acting in a business-to-business commercial transaction. Exemptions also apply to personal information collected by a business for emergency contact information and personal information necessary for a business to retain and administer employee benefits, provided the information is used only for those purposes.
Now that the HR and B2B exemptions expire in less than four months, covered businesses will need to ensure they comply with the CCPA and CPRA with respect to virtually all employee and HR data, which will likely require significant updates to privacy programs. Businesses and organizations that have not yet prepared for compliance should begin immediately, and should take several proactive steps we previously highlighted, which include:
- Inventorying key systems and assets that collect and process relevant personal information for HR, B2B, and consumers.
- Implementing mechanisms and policies to respond to requests to access, correct, and delete personal information from employees and business representatives.
- Providing a detailed privacy notice that informs all consumers about the categories of personal information a business collects, including sensitive personal information as defined under the CPRA, the purposes for which such information is used, and what rights consumers have with respect to that information.
Additionally, while working towards compliance, all covered businesses should:
- Determine whether they “sell” or “share” employee personal information, and if so, provide employees and business representatives a clear and conspicuous way to opt out. Businesses will also need to consider whether they collect sensitive personal information and, if so, whether they must provide employees the right to limit the business’s use of that information.
- Ensure that compliant data processing agreements are in place with all service providers, contractors, and other third parties that process covered employee or B2B personal information.
- Update internal and external privacy notices to comply with the CCPA and CPRA.
Employee data raises unique challenges, particularly because California is the first state to include such data in comprehensive privacy legislation. For example, businesses that engage in employee monitoring will now need to consider how the CCPA and CPRA apply, and whether such monitoring is “reasonably necessary and proportionate” and consistent with what an employee would expect when the information was collected.
Employee access requests also raise particularly sensitive issues because such requests are often made by disgruntled employees and may be directly related to anticipated litigation. We have seen similar requests through the EU’s General Data Protection Regulation (“GDPR”), and they have proved for many companies to be time-consuming, costly, and often difficult to manage.
Businesses’ top leadership should focus on working towards compliance with the CCPA and CPRA, and understand that, given the short window before the new regulations become effective, the business may need to prioritize compliance for certain core activities.
We will continue to closely monitor privacy developments in California and elsewhere. If you have a question about how to comply with privacy obligations under state, federal, or international law, Baker Botts attorneys can help. Please reach out to any members of the Privacy and Data Security team for further assistance.
ABOUT BAKER BOTTS L.L.P.
Baker Botts is an international law firm whose lawyers practice throughout a network of offices around the globe. Based on our experience and knowledge of our clients' industries, we are recognized as a leading firm in the energy, technology and life sciences sectors. Since 1840, we have provided creative and effective legal solutions for our clients while demonstrating an unrelenting commitment to excellence. For more information, please visit bakerbotts.com.