California Governor Gavin Newsom on September 29 signed into law Assembly Bill 1281, which ensures that the California Consumer Privacy Act's (CCPA) limited exemptions for employment-related and business-to-business (B2B) data will be extended until at least January 1, 2022. The enactment of AB 1281 is a welcome development for businesses and employers that have been relying on these two important exemptions, which were set to sunset on January 1, 2021.
For many businesses, the most important aspect of the exemptions is that the “request” provisions of the CCPA that allow for requests to know, requests to delete, or requests to opt out of sale do not extend to employees, contractors, job applicants, or B2B contacts. Governor Newsom also signed AB 713, which amends the CCPA with respect to protected health information that is de-identified in accordance with Health Insurance Portability and Accountability Act (HIPAA) standards.
AB 1281, sponsored by Assemblyman Edwin Chau, was introduced to address uncertainty regarding the status of the CCPA’s employment-related and B2B exemptions. Without AB 1281, the two CCPA exemptions would expire on January 1, 2021. It is possible that the exemptions will be further extended to January 1, 2023, if California voters pass Proposition 24, the Consumer Personal Information Law and Agency Initiative. That initiative will be on the November 3, 2020, ballot.
But the uncertain fate of Proposition 24 in November left businesses and employers that are relying on the employment-related and B2B exemptions in a quandary: should they begin preparing to extend full CCPA consumer privacy rights, including creating systems to respond to requests from new classes of individuals, particularly employees, effective January 1, 2021, in case the ballot measure was voted down? AB 1281 resolves that uncertainty, since its one-year extension of the two exemptions is effective only if Proposition 24 fails to pass in November. If California voters approve Proposition 24, then the ballot measure’s two-year extension of the exemptions will be effective. AB 1281 was unanimously passed by the California Assembly and Senate on August 28 and 30, respectively, in advance of the adjournment of the legislature’s two-year session on August 31.
The CCPA generally exempts from its provisions certain information collected by a business about a natural person in the course of the natural person acting as a job applicant, employee, owner, director, officer, medical staff member, or contractor of a business. These categories of individuals must still receive a CCPA privacy notice at or before the point of collection that describes the categories of personal information collected and the purposes for which that personal information will be used. But, given the exemptions, businesses do not have to respond to requests to know, delete or opt out from applicants, employees or contractors. For more on the applicability of the CCPA to employers and employees, see Morgan Lewis Insight: Employee and Other Notices By January 1, 2020, and Related Issues for Employers.
The CCPA also generally exempts personal information reflecting a written or verbal communication or a transaction between the business and a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit or government agency, and whose communication or transaction with the business occurs solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from that company, partnership, sole proprietorship, nonprofit or government agency. Due to this exemption, businesses do not have to respond to requests to know or delete with respect to this type of B2B information. However, the CCPA’s right to opt out of the sale of personal information does apply to B2B information if it is “sold,” as that term is broadly defined by the statute.
AB 713, the other bill signed by Governor Newsom on September 29 amending the CCPA, clarifies that protected health information that is de-identified in accordance with HIPAA standards is not subject to CCPA requirements. The CCPA statute had previously included a general exception to the definition of “personal information” for “consumer information that is de-identified or consumer information,” but it did not expressly reference the HIPAA de-identification standard.
The bill makes clear that HIPAA business associates, like HIPAA covered entities, are generally exempt from the CCPA. AB 713 also expands the CCPA’s exemption for personal information collected, used, or disclosed in research activities.
AB 713 further requires that a business that sells or discloses HIPAA de-identified data, which is otherwise exempt from the CCPA’s privacy notice requirement, must provide notice to consumers whether the business sells or discloses de-identified patient information and, if so, which of HIPAA’s two de-identification methods was utilized.
The bill also prohibits a business or other person from re-identifying information that was de-identified, unless an exception is met. Commencing on January 1, 2021, a contract for the sale or license of de-identified information must include certain provisions relating to the prohibition on re-identification. These new contracting requirements will be significant for the many healthcare companies, particularly digital health ventures, that engage in commercialization of de-identified health information.
The enactment of AB 1281 and AB 713 further defines the CCPA regulatory and enforcement landscape, following the August 14 approval of the final CCPA regulations by the state’s Office of Administrative Law. See Morgan Lewis Insight: CCPA Final Regulations Approved and Immediately Enforceable by the California Attorney General. With the final CCPA regulations now approved and in effect, we anticipate broadened attorney general enforcement activity to remedy not just alleged violations of the statute, but also alleged violations of the final regulations. However, the enactment of AB 1281 allows California employers and businesses that collect personal information of business partners to take some comfort from the fact that they may continue to rely on two important CCPA exemptions. AB 713 clarifies the scope of the CCPA’s exemptions for HIPAA covered entities and medical information, but also imposes new contractual requirements with regard to sales and licenses of de-identified data.
The Morgan Lewis privacy team is providing practical privacy advice to more than 200 businesses on compliance with the CCPA and proposed regulations.