California Legislature Extends CCPA’s Exemptions for Personal Information in the Employment and Business-to-Business Context
Privacy & Cybersecurity Update
Date: September 18, 2020
Businesses that are subject to the California Consumer Privacy Act (CCPA) have been awaiting clarity as to whether personal information collected and processed in the employment and business-to-business context would be subject to the full scope of the law on January 1, 2021, or whether the CCPA’s temporary exemption for such data would be extended. In response, the California General Assembly recently passed Assembly Bill 1281 (AB-1281), which extends both of these exemptions until January 1, 2022.
However, the timeframe set forth in AB-1281 would become inoperative if the California Privacy Rights Act (CPRA) is voted into law by Californians on November 3, 2020. The CPRA includes many new data privacy rights and protections for California residents. It also contains the same exemptions for employment and business-to-business data as is set forth in AB-1281, but the CPRA’s exemptions do not expire until January 1, 2023. In other words, AB-1281 is intended to provide a backstop if the CPRA fails to become law by preventing these two exemptions from expiring at the end of this year. As a reminder, the two exemptions addressing personal information collected and processed in the employment and business-to-business context are as follows:
- Employment Context. With some exceptions, the personal information that employers collect from their employees is exempt from the CCPA, provided the personal information is collected and used within the context of the employment relationship. The CCPA expressly exempts personal information that is collected and used by businesses solely within the context of having an emergency contact data on file or administering employee benefits. The exemption also applies to the personal information furnished by an individual in connection with a job application to a business. Notwithstanding this exemption, the CCPA still requires businesses to formally notify employees, job applicants, and contractors as to the categories of personal information they are collecting and the purpose for which it would be used. As we have previously discussed, these notices are themselves subject to several requirements pertaining to form, substance, and accessibility.
Notwithstanding these two exemptions, the CCPA’s provisions affording individuals with the right to initiate a private right of action for certain security incidents involving their personal information in the custody or control of a business subject to the CCPA, applies to personal information collected and processed in the employment and business-to-business context. This is especially important in the “HR” context given the highly sensitive data that businesses collect and retain regarding their employees, job applicants, and contractors (e.g., Social Security numbers, driver’s license numbers).
We will continue to track the progress of AB-1281 and the CPRA and keep you apprised of developments as they arise.
FOR MORE INFORMATION
For more information, please contact:
Thomas F. Zych
Steven G. Stransky
Darcy M. Brosky
Craig A. Foster
or any member of our Privacy & Cybersecurity group.
This advisory bulletin may be reproduced, in whole or in part, with the prior permission of Thompson Hine LLP and acknowledgment of its source and copyright. This publication is intended to inform clients about legal matters of current interest. It is not intended as legal advice. Readers should not act upon the information contained in it without professional counsel.
This document may be considered attorney advertising in some jurisdictions.
© 2020 THOMPSON HINE LLP. ALL RIGHTS RESERVED.