Since the California Consumer Privacy Act (CCPA) became operative in 2020, personal information collected in the employment and business-to-business (B2B) contexts has been exempted from many of the data-privacy law’s requirements. That exemption has always been temporary, however. While there was speculation that the Legislature might further extend the exemption or even make it permanent, its 2021–2022 session ended without any action taken.
The employee and B2B data exemption is now on course to expire on January 1, 2023. What does that mean for businesses and their CCPA compliance?
Employee and B2B data were both partially exempted from the CCPA’s requirements. With the expiration of those exemptions, the result is that employee and B2B data will be treated exactly the same as any other consumer data, such as from customers, email subscribers, and website visitors. To understand what that means, it’s helpful to examine what those exemptions covered.
The CCPA’s employee data exemption applies to personal information about a business’s employees (as well as job applicants, contractors, owners, and officers) that is collected and used within the context of that person’s role as an employee. This data was exempted from all provisions of the CCPA except its general privacy disclosure requirement and the private right of action arising from data breaches. Now, businesses will have to offer the full range of privacy rights and honor privacy requests from this group of consumers.
Under the B2B data exemption, much of the CCPA does not apply to personal information collected directly from a consumer in the course of B2B communications.
This data was exempted from all CCPA requirements except the right to opt out of the sale or sharing of personal information, the right to non-retaliation, and the private right of action arising from data breaches. As with employee data, businesses must now make full privacy disclosures and honor privacy requests from B2B contacts.
Businesses must make a fundamental shift in how they think of employee and B2B data, treating it with the same diligence as they do the data of other consumers. They should take a fresh look at their data privacy practices, paying particular attention to the following areas.
The CCPA requires businesses to disclose information about their data practices as well as inform consumers of their privacy rights. These disclosures must be made at or before the point of collection.
For employees, businesses already have to disclose what personal information they are collecting and why. This is typically done as part of the job application and onboarding of new employees. Now these disclosures must be expanded, and include a description of the CCPA's privacy rights.
As for B2B data, businesses did not have any disclosure responsibilities before; now they must consider their collection points and how to direct B2B contacts to the required information. At the least, this will likely mean including privacy policy links in business emails.
Honoring requests to know/access personal information has the potential to be problematic for these two groups, and especially so for employees. Businesses tend to collect large volumes of personal information on employees, from biographical data to internal messages to timesheets. Performance reviews can be of particular sensitivity, as they may contain frank assessments of an employee’s abilities and personality. Access requests may also be precursors to litigation, especially from former employees. When deciding how to respond to these requests (for example, whether some data should be redacted), it is a good idea to consult with an attorney.
Consumers have the right to request the deletion of their personal information, and this right is now being extended to employees and B2B contacts. With particular regard to employees, the ability to have their personnel records deleted could create chaos. Fortunately, the CCPA recognizes a number of important exceptions to the right to delete that will likely apply, including:
These two exceptions should keep businesses from being required to delete most employee and B2B data, provided they are not exploiting that data for wider purposes or disclosing it to third parties.
With the expiration of the employee and B2B data exemptions, CCPA compliance is becoming even more complicated. For many businesses, keeping up with these changes is an increasingly difficult task.
TrueVault Polaris is a software solution that simplifies compliance with the CCPA and other data privacy laws so that businesses can manage it on their own without the expense of hiring experts. The initial onboarding can be completed in as little as a few hours, and our comprehensive suite of automated tools and workflows make staying compliant a simple task.
Contact our team to learn more and schedule a demo.