Keypoint: Businesses subject to the CCPA will need to revise their compliance programs before the exemptions expire on January 1, 2023.

As previously reported, the California legislature had been considering multiple bills to extend the employee and business-to-business data exemptions under the California Consumer Privacy Act (CCPA). On August 31st, however, the California legislature adjourned without extending the exemptions which automatically expire on January 1, 2023 – the same day the California Privacy Rights Act (CPRA) goes into effect.

Generally speaking, the current exemptions apply to (1) personal information of job applicants, employees, owners, directors, officers, and independent contractors in the context of the individual’s employment or application for employment and (2) personal information reflecting written and verbal communications or a transaction where the consumer is acting in a business-to-business commercial transaction. With the exemptions set to expire, California will become the first state to apply comprehensive restrictions on the collection and use of such information.

Businesses subject to the CCPA and that have California employees or deal with other California companies will need to engage in substantial efforts to update their privacy programs. We outline some of the necessary steps below.

  1. Data Inventory

Businesses should start by inventorying their employee and business-to-business data collection activities to determine what personal information the business collects, how it handles personal information, and the necessary steps to comply with California law by January 1, 2023. Note the CPRA includes a 12-month “look-back” provision that requires businesses to map out all information retained since January 1, 2022.

In the employee context, the CCPA’s definition of “personal information” is much broader than employers may anticipate. This means that the employee data subject to California’s restrictions will go beyond personnel files and payroll data to include metadata and usage data, photos, audio and video recordings, biometric data, key swipe records, network logs, geolocation data, and much more.

  1. Privacy Disclosures

Businesses will need to prepare and distribute more detailed privacy notices for employees that explain what categories of personal information, including sensitive personal information, the business collects, how that information is handled and for what purpose, and what rights an employee has with respect to that information.

Although the CPRA regulations are still not finalized, draft § 7011 provides a window into the types of detailed disclosures the CPRA regulations will require, including identifying the length of time the business will retain personal information or, if that is not possible, the criteria used to determine that period. Businesses will also need to ensure that existing privacy notices incorporate disclosures relating to business-to-business data processing.

In the employee context, any employee monitoring activities will need to be closely scrutinized. For example, in addition to the CPRA’s notice requirements, § 1798.100(c) provides that a “business’ collection, use, retention, and sharing of a consumer’s personal information shall be reasonably necessary and proportionate to achieve the purposes for which the personal information was collected or processed, or for another disclosed purpose that is compatible with the context in which the personal information was collected, and not further processed in a manner that is incompatible with those purposes.” Section 7002 of the draft CPRA regulations provides that, to be reasonably necessary and proportionate, the business’s processing “must be consistent with what an average consumer would expect when the personal information was collected.” Businesses will want to consider how any employee monitoring activities comply with these – and other – CPRA requirements.

  1. Employee Requests

Businesses must develop internal and external policies and procedures for accepting, verifying, and responding to employee requests to access, correct, and delete personal information collected on the employee. They also will need to analyze whether they are “selling” or “sharing” employee personal information and, if so, allow employees to opt out of the same. Finally, businesses will need to consider whether they are collecting sensitive personal information as the CPRA defines the term and, if so, whether they must provide employees with the right to limit the business’ use of such sensitive personal information.

Employee access requests will prove to be especially sensitive and challenging as they can be a precursor to litigation. Businesses should treat any such requests like discovery requests in litigation and ensure that the information provided is limited to the statutory requirements, reflects a complete search of company records, and that any necessary redactions are made.

  1. Data Transfers

As of January 1, 2023, businesses will need to have data processing agreements for all transfers of personal information to other entities. This includes transfers to service providers, contractors and third parties. Businesses will need to negotiate new data processing agreements with vendors that process employee or business-to-business data to include specific California provisions. We discussed the CPRA’s data processing agreement requirements in further detail here.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Owen Davis Owen Davis

Owen assists employers across industry sectors – from small businesses to Fortune 500 corporations – to identify changing workplace law at a local, state and federal level. He offers legal guidance on employment agreements, restrictive covenants, personnel policies and other human resources issues.

Owen assists employers across industry sectors – from small businesses to Fortune 500 corporations – to identify changing workplace law at a local, state and federal level. He offers legal guidance on employment agreements, restrictive covenants, personnel policies and other human resources issues. Owen also represents employers before state and federal courts as well as administrative agencies on matters related to discrimination, retaliation, harassment, and wage and hour violations.

Photo of Keith Ybanez Keith Ybanez

Keith represents clients in a wide range of labor and employment litigation matters. He is dedicated to working closely with clients in order to assess and analyze risk while executing appropriate and cost-effective strategies for all phases of litigation. While Keith has a…

Keith represents clients in a wide range of labor and employment litigation matters. He is dedicated to working closely with clients in order to assess and analyze risk while executing appropriate and cost-effective strategies for all phases of litigation. While Keith has a broad background in litigation, he chose to focus his practice on labor and employment because of the opportunities the area presented to offer preventative counsel outside of the courtroom.

Photo of Shelby Dolen Shelby Dolen

Clients and legal teams appreciate Shelby’s passion for the law as it relates to protecting technology and company assets. She regularly monitors and researches fast-changing consumer privacy laws, with the understanding that critical strategy and success for any business includes oversight of data…

Clients and legal teams appreciate Shelby’s passion for the law as it relates to protecting technology and company assets. She regularly monitors and researches fast-changing consumer privacy laws, with the understanding that critical strategy and success for any business includes oversight of data privacy policies and intellectual property portfolios.

Photo of David Stauss David Stauss

David is leader of Husch Blackwell’s privacy and cybersecurity practice group. He routinely counsels clients on responding to data breaches, complying with privacy laws such as GDPR and the California Consumer Privacy Act, and complying with information security statutes. He also represents…

David is leader of Husch Blackwell’s privacy and cybersecurity practice group. He routinely counsels clients on responding to data breaches, complying with privacy laws such as GDPR and the California Consumer Privacy Act, and complying with information security statutes. He also represents clients in data security-related litigation. David is certified by the International Association of Privacy Professionals as a Privacy Law Specialist, Certified Information Privacy Professional (US), Certified Information Privacy Technologist, and Fellow of Information Privacy.