In just a few months, companies subject to the California Consumer Privacy Act (CCPA) will need to start providing the same CCPA rights to their California employees and business-to-business (B2B) contacts as to other California residents. Although the CCPA has provided temporary exemptions for personal information collected in certain employment and B2B contexts,[1] those exemptions sunset on January 1, 2023. This will significantly expand the CCPA obligations of covered businesses.
What Companies Will be Subject to These Extended Requirements?
As a reminder, a company typically is subject to the CCPA if it is a for-profit business that does business in California and: (1) has gross annual revenues of over $25 million; (2) buys, sells, or receives or shares for commercial purposes the personal information of 50,000 or more California residents, households, or devices (increasing to 100,000 or more as of January 1, 2023); or (3) derives 50% or more of its annual revenue from selling or sharing California residents’ personal information. The CCPA also applies to any entity that controls or is controlled by a business that is subject to the CCPA, shares common branding with that business, and receives personal information from that business.[2]
Notably, the CCPA is not limited to B2C companies that interact with California residents in their capacity as individual consumers. Rather, the CCPA defines “consumer” as any natural person who is a California resident.[3] This can result in companies being subject to the CCPA even if they operate solely on a B2B basis, for example.
What Actions Will Companies Need to Take?
Presently, the CCPA’s HR data exemption applies to personal information that a company collects about its job applicants, employees, owners, directors, officers, and contractors, when the company uses this information solely within the context of the individual’s employment or other work relationship with the company. The CCPA’s B2B-related exemption, on the other hand, applies to personal information reflecting a written or verbal communication or transaction between the company and an individual who is acting as an employee, owner, director, or similar capacity of another business, where the communication or transaction occurs solely within the context of the company conducting due diligence regarding that other business, or receiving a product or service from that other business. Personal information covered by these exemptions is currently excluded from most CCPA obligations.
Now that these exemptions will soon expire, covered businesses will need to expand their CCPA compliance measures to cover: (1) their job applicants, employees, owners, directors, officers, contractors, or other personnel who are California residents (“California personnel”); and (2) individuals at other companies whose personal information is obtained in the course of B2B relationships (such as contact people at customers or vendors), where the individuals are California residents (“B2B contacts”). This includes the following key changes:
- Developing and providing CCPA notices to California personnel and B2B contacts: Covered businesses will need to start providing detailed CCPA privacy notices to their California personnel and B2B contacts, which include granular details such as: (i) the statutory categories of personal information collected and processed, including sensitive personal information as defined under the CPRA, the categories of sources from which the personal information is collected, and the categories of third parties to whom the business discloses personal information; (ii) the business or commercial purposes for its processing; (iii) how long the personal information will be retained, or the criteria used to determine the retention periods; (iv) a description of the rights available to the individual; and (v) how individuals may exercise their rights under the CCPA.
- Providing access, correction, and deletion rights to California personnel and B2B contacts:
- Covered businesses will need to give their California personnel and B2B contacts new rights to request access to the personal information that the company maintains about them (including a copy of the specific pieces of personal information), request correction of that personal information, and request deletion of personal information collected from the individual. This significantly expands the rights that California employees have under existing laws, such as to access their personnel and payroll records, and may give rise to concerns about employees using these rights to collect information in preparation for litigation against the employer. California personnel and B2B contacts also will be able to take advantage of the new right under the CPRA amendments to direct the company to limit use of their sensitive personal information.
- As a reminder, the CCPA prohibits companies from discriminating against California personnel or B2B contacts who exercise these rights under the CCPA. This issue of non-discrimination appears particularly important to the California Privacy Protection Agency, because the current draft of the updated CCPA regulations specifically prohibits a company from engaging in discriminatory treatment of an employee, applicant, or independent contractor for exercising their CCPA rights.
- Addressing “sale” or “sharing” of personal information of California personnel or B2B contacts:
- Covered businesses that engage in “sale” or “sharing” under the CCPA will need to provide their California personnel and B2B contacts with the ability to opt out of sale or sharing, and covered businesses that believe they do not currently engage in “sale” or “sharing” will need to assess whether they disclose personal information of their California personnel or their B2B contacts in a manner that might be considered “sale” or “sharing” under the CCPA.
- For example, companies that share B2B lead data with other companies will need to assess whether this may constitute a “sale,” and companies that share employees’ personal information with third party partners will need to assess whether those partners qualify as “service providers” or whether the disclosures may constitute a “sale.”
- Updating agreements with parties receiving information about California personnel or B2B contacts: Covered businesses will need to update their agreements with service providers, contractors, and other third parties that process relevant employee or B2B personal information to ensure these contain the applicable terms required under the CCPA, which have been expanded under the CPRA amendments.
What are Potential Consequences of Noncompliance?
Violations of the CCPA can result in civil penalties of up to $2,500 per violation or up to $7,500 per intentional violation. The CCPA is enforceable by the California Attorney General and the new California Privacy Protection Agency. Although the CCPA generally does not provide a private right of action for individuals to file civil claims against companies for CCPA violations, the CCPA does provide a private right of action that allows California consumers to file civil lawsuits if their personal information is subject to certain data security breaches that result from the company’s failure to implement and maintain reasonable security procedures and practices. As of January 1, 2023, this private right of action may be available to a company’s California employees and B2B contacts as well.
The sunset of the CCPA’s exemptions for HR data and B2B data will significantly increase CCPA compliance obligations, particularly for B2B companies that may have felt that they had limited exposure to CCPA until now. Covered businesses should use the remaining time to assess the potential implications to them of this sunset.
[1] Cal. Civ. Code 1798.145(m) and (n), as amended by the California Privacy Rights Act (CPRA). These temporary exceptions initially would have expired on January 1, 2021, but the CPRA extended them until January 1, 2023. A proposed bill (Assembly Bill 1102) would have extended these exceptions until January 1, 2025, but this bill was not enacted. As a result, these exceptions will expire on January 1, 2023.
[2] See Cal. Civ. Code 1798.140(c) for more detail about CCPA applicability standards.