California privacy law exemptions expire January 2023

The California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide consumers with substantial rights regarding the disclosure and use of their personal information collected by companies. subject to law. Significantly, CCPA/CPRA define the term “consumer” to mean any resident of California. This broad definition not only encompasses a company’s individual customers, but also its employees, job applicants and even its business-to-business (B2B) contacts. We have already discussed the compliance requirements of these data privacy laws for organizations doing business in California, and the B2B and employee/candidate data moratoriums that the legislature had put in place to exempt covered businesses from comply with certain legal requirements.[1] Unless extended by the legislature (which seems unlikely) or preempted by federal privacy legislation (which seems even more unlikely), the moratoriums will end on January 1, 2023. privacy of consumer data.

The operational and compliance challenges created by the CCPA/ACPL’s expanded definition of “consumer” are evident. As part of their day-to-day operations, companies may collect large amounts of personal information about current employees and job applicants, from an unlimited number of locations and residing in an unlimited number of locations or systems. Protected information can be generated from any division or department of a company and can be stored in the cloud, on local network drives, in hard copies, or all three. Additionally, the information can be collected as structured data (for example, in databases and HRIS systems) or in an unstructured form, such as in emails. Additionally, data may be stored (and essentially shared) with third-party vendors. The information exchanged daily between companies (whether competitors, suppliers, customers or partners) can be voluminous. Locating all of this data and responding to an access, right to know, or deletion request from employees or other consumers seeking to exercise their rights under the CCPA/CPRA will present significant, complex, and burdensome challenges that companies will have to be ready to meet. Failure to comply with a request can have reputational consequences, not to mention financial consequences. Knowing where, how and why personal information is stored is essential in assessing how to comply with CCPAs (see, for example, Cal. Civil. Code § 1798.145) data privacy notice and application obligations of employees, while balancing other corporate obligations (for exampleto preserve evidence, defend legal claims).

What are the existing employee and B2B data exemptions included in the California Consumer Privacy Act and the California Privacy Rights Act (CPRA)?

The CCPA contains a limited exemption for personal information collected by a business about an individual who is a job applicant or an employee, owner, director, or independent contractor of the business. The employee exemption is limited, in part, in that it only applies when the information is collected and used “solely in the context of [the individual’s] role or former role” as a job applicant, employee, owner, director or independent contractor. In the context of a B2B relationship, companies do not need to notify the collection, and the “consumer” does not have a right to know or a right to deletion.

When do exemptions currently expire and what attempts have been made to extend exemptions?

The exemptions were included in the original version of the CCPA and were originally scheduled to expire in January 2021. In September 2020, legislation was enacted to extend the exemptions for an additional year (as the COVID-19 pandemic had hampered efforts to corporate compliance). Then the CPRA, which passed a ballot initiative in November 2020, extended the moratorium until January 1, 2023.

Although state lawmakers have proposed a number of bills this year to further expand the exemptions, they were not passed until August 31, 2022, when the legislative session closed. Attempts to include an extension in a November ballot initiative also failed. If new extensions fail, the exemptions will expire from the new year.

Given that the exemptions are unlikely to be extended past the January 1, 2023 deadline, how should companies prepare?

The European General Data Protection Regulation (GDPR) applies to B2B and employee data; thus, companies already subject to (and compliant with) the GDPR should be in a good position to comply with the requirements of the CCPA/CPRA. All businesses subject to the CCPA/CPRA should consider the following compliance measures:

  • Beginning with human resources, benefits, and information technology departments, employers should map the collection, use, and disclosure of personal data of California residents within the organization and any sharing or disclosure of this data with third parties.

  • Documenting the business purposes for collection and use of each category of personal information collected or processed, including as required by applicable law (g.laws that require the maintenance of certain employment and business records).

  • Assess the value of personal information collected and follow good data minimization principles ( not collect what is not necessary to achieve the business objective).

  • Update employee and/or candidate notices beyond the abbreviated notice currently required to provide additional required information, including disclosure of individual rights under the CCPA/CPRA, information regarding any data collection sensitive information (e.g., race, ethnicity, government identifiers), any disclosure of personal information to third parties, and company information retention policies.

  • Ensure that the company’s mechanism and policies for responding to employee requests to exercise their privacy rights (including expanded rights under the CPRA) are extended to include human resources and other personal data.

  • Develop operational policies and procedures to respond to CPRA’s rights requests (including right to know, delete, and access) in light of the organization’s collection and use practices.

  • Ensure that all employee and other personal information is reasonably protected against hacking and other foreseeable cybersecurity threats.

  • Review contracts with downstream service providers and contractors who hold employee or B2B data for cooperative purposes and other downstream data protection clauses.

  • Review contracts with business partners regarding B2B information to meet CCPA/CPRA compliance responsibilities.


[1] See Companies must begin to assess their data practices to meet the requirements of the California Privacy Rights Act; Comply with California Enhanced Cybersecurity Safeguards.

©2022 Epstein Becker & Green, PC All rights reserved.National Law Review, Volume XII, Number 251