Memo #34286

Employee and B2B Exemptions in California Privacy Law Set to Expire on January 1, 2023


September 15, 2022

TO: ICI Members; Privacy Issues Working Group
SUBJECTS: Privacy; State Issues
RE: Employee and B2B Exemptions in California Privacy Law Set to Expire on January 1, 2023

We wanted to alert you to the fact that two exemptions—for employee information and certain information captured in business-to-business transactions—that have been in place in California's privacy law are set to expire on January 1, 2023. This will impact members with employees, officers, or directors who reside in California. 

Background

The California Legislature enacted the California Consumer Privacy Act of 2018 (CCPA) in 2018, and it became operative on January 1, 2020.[1] The CCPA imposed notice and disclosure requirements on businesses that collect information on California residents. However, it included an exception for information "collected, processed, sold, or disclosed pursuant to the federal Gramm-Leach-Bliley Act" (GLBA).[2]

Notably, the information that an entity subject to the GLBA collects on its California employees would likely not fall within the CCPA's GLBA exception because that is not information collected "pursuant to" the GLBA. The employee information that may fall within the CCPA's scope includes both the information the institution collects on its own California employees or trustees and the information it may obtain from individuals (consumers) associated with other businesses that the institution acquires in the course of due diligence or in connection with business transactions and communications. Therefore, under the CCPA as originally enacted, financial institutions would have had to implement the new requirements with respect to information collected, processed, or disclosed on employees or trustees.

Carveouts for employee information and B2B information

In 2019, the California Legislature adopted amendments to the CCPA, including two that provide carveouts for employee information and certain information shared between two businesses (the business-to-business, or B2B, data exemption).[3]

With respect to a business's own employees, officers and directors, the CCPA was amended to exempt:

  • Personal information that is collected by a business about a natural person in the course of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the natural person's personal information is collected and used by the business solely within the context of the natural person's role or former role as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or a contractor of that business;
  • Personal information that is collected by a business that is emergency contact information of the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the personal information is collected and used solely within the context of having an emergency contact on file; and
  • Personal information that is necessary for the business to retain to administer benefits for another natural person relating to the natural person acting as a job applicant to, an employee of, owner of, director of, officer of, medical staff member of, or contractor of that business to the extent that the personal information is collected and used solely within the context of administering those benefits.[4]

With respect to the employees of another business, the CCPA was amended to exempt:

  • Personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, non-profit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, non-profit, or government agency.[5]

Note that these categories of information were not completely carved out from the CCPA. Regarding the carveout for employee information, businesses must inform employees as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used (CCPA Section 1798.100(b)). Regarding both the employee and B2B carveouts, the consumer's right to institute a civil suit in the event of a breach of nonencrypted information will apply (CCPA Section 1798.150). Regarding the B2B carveout, the consumer's right to opt out of the sale of the consumer's information remains applicable (CCPA Section 1798.120).

Both exemptions have always been temporary, including a sunset provision, with the expectation that the General Assembly would address the privacy rights of employees in a more comprehensive fashion.

Consumer Privacy Rights Act of 2020

In November 2020, California voters approved by ballot initiative the Consumer Privacy Rights Act of 2020 (CPRA), which amends and builds on the CCPA.[6] The CPRA becomes operative January 1, 2023,[7] and enforcement begins July 1, 2023. The CPRA carried over the employee and B2B carveouts from the CCPA, but provided that the carveouts would sunset on January 1, 2023.

Legislative Efforts to Extend Exemptions

There were legislative efforts to extend the employee and B2B exemptions.[8] However, the potential legislative vehicles for the exemption extension failed to meet certain General Assembly deadlines in the last week the legislature was in session. As a result, the previously exempted employee and B2B information will become subject to the CPRA's requirements on the law's effective date of January 1, 2023. We anticipate that the legislative efforts to extend, or reinstate, these carveouts will resume in the next legislative session.

Shannon Salinas
Associate General Counsel - Retirement Policy

Endnotes

[1] For more information about the CCPA, see The California Consumer Privacy Act From 2018 Until Today: What ICI's Members Need to Know About its History and Impact and Analysis of the GLBA and Employee Information Exemptions in the California Consumer Privacy Act, available on ICI's California Consumer Privacy Law Resource Center.

[2] Section 1798.145(e) of the CCPA.

[3] See ICI Memorandum No. 32017, dated October 21, 2019, available at https://www.ici.org/memo32017.

[4] CCPA section 1798.145(g).

[5] CCPA section 1798.145(m).

[6] The CPRA largely tracks the CCPA, but amends and expands it in certain aspects. For example, the CPRA established a new state agency, the California Privacy Protection Agency (CPPA), to implement and enforce the law through administrative action, including issuing cease and desist orders and imposing administrative fines. Note that the CPRA includes a GLBA exclusion similar to the one in the CCPA, but it includes an improvement by exempting information "subject to" the GLBA rather than information collected "pursuant to" the GLBA.

[7] There is a look back period beginning on January 1, 2022 for access rights.

[8] For example, AB 2871 would have extended those exemptions indefinitely. AB 2891 would have extended those exemptions until January 1, 2026.