LawFlash

California Consumer Privacy Act: Employee and B2B Exemptions Expire January 1, 2023

October 14, 2022

The California Consumer Privacy Act (CCPA) exemptions for employee and business-to-business (B2B) personal information have not been extended, further complicating the privacy regulatory landscape for businesses in California. California employers must prepare to provide an array of new privacy rights to employees as of January 1, 2023, which is the effective date of the California Privacy Rights Act (CPRA) amending the CCPA. 

California is currently on track to be the first state to provide expansive privacy rights to employees. In addition, new privacy rights will apply to personal information collected in the context of a business “providing or receiving a product or service to or from” another business.

Two bills had been introduced in the California Legislature that would have extended or made permanent the employee and B2B exemptions, but neither bill had been enacted when the legislature’s session expired on August 31, 2022. Given that the legislature will not reconvene until January 1, 2023, it is now unlikely that the employee and B2B exemptions will be extended before the January 1 compliance date.

The CCPA currently imposes limited obligations on employers with respect to employee data if they qualify as “businesses” subject to the law. The CCPA applies to the personal information of “consumers,” but defines that term so broadly that it would include employees, job applicants, officers, directors, and independent contractors. California employers are currently required to provide those categories of consumers with a privacy notice that explains the type of employee data that is collected and the purposes of that collection.

New Employee Privacy Rights

Employers must update the CCPA privacy notice provided to California employees to describe and explain how employees can submit requests under the following new privacy rights, effective January 1.

Right to Know

Under the CPRA, employees will have the right to know about the personal information that the business collects about them. Most California employers should have in place certain processes consistent with the right to know, but the interaction between the CPRA and existing California laws will need to be assessed. For example, under the California Labor Code, employees are already entitled to know certain information that an employer has collected, such as payroll records (Cal. Labor Code § 226), signed documents (Labor Code § 432), and personnel files (Labor Code § 1198.5).

The CPRA would appear to give employees the right to know about other categories of personal information that are not subject to those Labor Code provisions, such as geolocation, biometrics, and internet activity. The CPRA will also require response timelines that differ from the Labor Code provisions (10 business days to confirm the receipt of the request and 45 calendar days to respond).

Right to Delete

The CPRA grants employees the right to delete personal information collected from them, subject to exceptions. For example, the CPRA provides an exception to the deletion right “to comply with a legal obligation.” Employers will need to assess federal, state, and local retention requirements when responding to a CPRA deletion request, including, but not limited to, the Americans with Disabilities Act, Family Medical Leave Act, Age Discrimination in Employment Act, and Fair Labor Standards Act.

Right to Opt Out of Sale or Sharing

The CPRA grants employees the right to opt out of an employer’s sale or sharing of their personal information. While most employers do not “sell” employee data as that term is typically understood, the CPRA’s definition of “sale” is very broad and would include disclosing employee personal information to a vendor, such as a payroll company, without entering into a CPRA service provider agreement with the vendor. “Sharing” is defined to mean sharing with a third party for cross-context behavioral advertising.

Right to Opt Out of Automated Decision-Making Technology

The CPRA provides consumers, including employees, with the right to opt out of a business’s use of “automated decision-making technology,” which includes profiling employees based on their “performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.”

This right has yet to be defined by the California Privacy Protection Agency (the Agency), which is charged with adopting related regulations.

Right to Correct Inaccurate Personal Information

The CPRA creates a new right to correct personal information that is inaccurate, which would extend to employees. An employer must use “commercially reasonable efforts” to correct inaccurate personal information upon the employee’s request, but this right has yet to be clarified in regulations to be issued by the Agency.

Right to Limit Use and Disclosure of Sensitive Personal Information

The CPRA also grants employees a new right to limit use and disclosure of “sensitive personal information,” which is defined to include (1) precise geolocation data, (2) racial or ethnic origin, (3) union membership, (4) the contents of certain employee email and text messages, and (5) biometric information.

However, this right only applies to use of sensitive personal information other than what would be “reasonably expected by an average” consumer/employee. Collection of sensitive personal information by an employer, such as racial or ethnic origin, for diversity and inclusion purposes may therefore be permitted under an exception.

How Employers Can Prepare for January 1

In addition to updating the CCPA employee privacy notice to grant the new rights listed above, employers should take the following steps to prepare for the January 1, 2023, CPRA compliance date.

Conduct Updated Data Inventory

An employer should review the employee and applicant personal information that it collects in order to ensure that its privacy notice properly describes the categories of personal information collected, used, and disclosed by the employer and to identify “sensitive personal information” subject to the new CPRA right. An inventory is also an important tool to make sure that the employer properly responds to right to know, right to delete, and other CPRA rights requests.

Enter Into Data Processing Agreements With Service Providers

Employers that share employee personal information with service providers must enter into data processing agreements that include certain required terms. Not only are such provisions required, but without an executed service provider agreement, routine disclosures to vendors may be deemed “sales” triggering opt-out rights.

Understand New Employee Rights and Exceptions

An employer should, prior to receiving its first employee privacy request after January 1, 2023, examine its interpretation of the various business exceptions to the rights, some of which are touched on above, and determine how it will respond to requests based on those interpretations.

Review Existing Employee Privacy Practices

Employers should reexamine existing employee policies and procedures in light of the CPRA. For example, employee monitoring programs should be revisited to consider whether they satisfy the CPRA’s standard that collection, use, retention, and sharing of a consumer’s personal information “must be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed.”

Don’t Forget About B2B Information

While there is more focus on the expiration of the employee exemption, a similar exemption for B2B personal information is also expiring, effective January 1, 2023. As a general matter, personal information that a business collects about business contacts will be subject to the same CPRA privacy rights and obligations summarized above with respect to employee personal information.

Employers can take a bit of comfort from the fact that new CPRA requirements, such as those applicable to sensitive personal information, will not be enforced until July 1, 2023. Nevertheless, employers should prepare for CPRA compliance now, and closely monitor the progress of the CPRA regulations that the Agency is currently developing.

For additional information on the CCPA, CPRA, and other data privacy legislation, visit our US Consumer Privacy Acts resource page.

Contacts

If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following: