California Legislature Extends CCPA’s Exemptions for Personal Information in the Employment and Business-to-Business Context

Privacy & Cybersecurity Update

Date: September 18, 2020

Key Notes:

  • California legislature provides one-year extension for CCPA’s exemptions in the employment and business-to-business context.
  • Same extension would become inoperative if CPRA approved by voters in November, as CPRA extends exemptions by two years.
  • Under either scenario, businesses have more time to take advantage of the exemptions than CCPA originally provided.

Businesses that are subject to the
California Consumer Privacy Act (CCPA) have been awaiting clarity as to whether personal information collected and processed in the employment and business-to-business context would be subject to the full scope of the law on January 1, 2021, or whether the CCPA’s temporary exemption for such data would be extended. In response, the California General Assembly recently passed Assembly Bill 1281 (AB-1281), which extends both of these exemptions until January 1, 2022.

However, the timeframe set forth in AB-1281 would become inoperative if the California Privacy Rights Act (CPRA) is voted into law by Californians on November 3, 2020. The CPRA includes many new data privacy rights and protections for California residents. It also contains the same exemptions for employment and business-to-business data as is set forth in AB-1281, but the CPRA’s exemptions do not expire until January 1, 2023. In other words, AB-1281 is intended to provide a backstop if the CPRA fails to become law by preventing these two exemptions from expiring at the end of this year. As a reminder, the two exemptions addressing personal information collected and processed in the employment and business-to-business context are as follows:

  • Employment Context. With some exceptions, the personal information that employers collect from their employees is exempt from the CCPA, provided the personal information is collected and used within the context of the employment relationship. The CCPA expressly exempts personal information that is collected and used by businesses solely within the context of having an emergency contact data on file or administering employee benefits. The exemption also applies to the personal information furnished by an individual in connection with a job application to a business. Notwithstanding this exemption, the CCPA still requires businesses to formally notify employees, job applicants, and contractors as to the categories of personal information they are collecting and the purpose for which it would be used. As we have previously discussed, these notices are themselves subject to several requirements pertaining to form, substance, and accessibility.
  • Business-to-Business Communications. The CCPA largely exempts from its scope certain personal information that is derived from written communications or transactions between a business and an individual who is acting on behalf of a third-party, provided the communications or transactions solely relate to conducting due diligence, or providing or receiving a product or service to, or from, the third party. The exemption applies regardless of whether such communications are written or verbal (e.g., email, telephone helpline). However, businesses must still provide such individuals with notice of the right to opt-out of the “sale” of their personal information, if so applicable. Yet, in order to satisfy other data protection laws, or in preparation for when this CCPA exemption expires, many organizations have begun including clauses in their business-to-business contracts that address the exchange and use of contact and professional information related to their employees and agents, such as clauses (i) creating rights for the parties to use such data for business purposes, (ii) establishing obligations that employee contact data be accurate, and (ii) incorporating more detailed privacy notices and statements (e.g., website privacy policy) into the contract by reference.

Notwithstanding these two exemptions, the CCPA’s provisions affording individuals with the right to initiate a private right of action for certain security incidents involving their personal information in the custody or control of a business subject to the CCPA, applies to personal information collected and processed in the employment and business-to-business context. This is especially important in the “HR” context given the highly sensitive data that businesses collect and retain regarding their employees, job applicants, and contractors (e.g., Social Security numbers, driver’s license numbers).

We will continue to track the progress of AB-1281 and the CPRA and keep you apprised of developments as they arise.


For more information, please contact:

Thomas F. Zych

Steven G. Stransky

Darcy M. Brosky

Craig A. Foster

Mona Adabi

Brian Doyle-Wenger

or any member of our Privacy & Cybersecurity group.

This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgment of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.

This document may be considered attorney advertising in some jurisdictions.