The California Consumer Privacy Act (CCPA) became effective January 1, 2020, but not without some major changes. In fact, leading up to the effective date, the California Legislature alone introduced over one hundred privacy bills in 2019, many proposing changes to the CCPA. Two important amendments to the CCPA were passed in fall 2019 and partially excluded employee information and business-to-business (B2B) information from the stringent coverage of the CCPA.
Specifically, one late amendment (Civ. Code § 1798.145(h)) included a moratorium on the applicability of covered information related to job applicants, employees, contractors, and agents. Under the moratorium, so long as the data is used solely in the context of the employee relationship, these categories of individuals do not have the right to request access or erasure of personal information or the right to opt out of the sale of certain information. However, businesses would still need to provide a privacy notice upon collection of personal information.
Additionally, the California Legislature passed another amendment (Civ. Code § 1798.145(n)) including a moratorium on the applicability of the CCPA to certain B2B information. This exception is limited to communications and transactions occurring solely within the context of due diligence or the provision or reception of services or products. Similar to the employee moratorium, this amendment gives businesses a pass from complying with the obligation to provide access to or erase B2B information. Businesses still have to comply with the opt-out and non-discrimination obligations.
Initially, the moratoria were set to expire on January 1, 2021. However, on August 31, 2020, the California Legislature passed a bill to extend the moratoria until the end of 2021, largely citing the COVID-19 economic disruption in the state. The California Legislature had also hoped to develop an employee privacy bill to adopt in place of the CCPA applying to employee data, but given the shortened legislative session, it did not.
The California Privacy Rights and Enforcement Act initiative, which will be on the ballot in November, proposes to extend the moratoria until the end of 2022. Yet businesses can breathe a sigh of relief a few months earlier knowing that they do not need to integrate the CCPA requirements into their B2B and employee data practices by January 1, 2021.
This relief may be short-lived, however. If the California Privacy Rights and Enforcement Act is passed, CCPA-covered businesses will need to develop plans to accommodate expanded employee privacy protections by 2023.