Loss of Exemptions Means Additional CPRA Compliance Obligations
The California legislature adjourned the 2022 session without extending certain exemptions set to expire on January 1, 2023, the effective date of the California Privacy Rights Act (“CPRA”). The expiring exemptions include those for employee and transactional business (“B2B”) data as associated with the California Consumer Privacy Act (“CCPA”). Such information may include personal information collected by a business about a person who was either a job applicant or past/current employee or in an otherwise related position, including owners, directors, officers, contractors and beneficiaries/dependents, and individuals at actual or prospective business customers, vendors, and suppliers.
The expiration of these exemptions means that businesses subject to CCPA will be required to extend their CCPA compliance programs to also include personal information for employees and B2B contacts. The result is that the CCPA’s full suite of privacy disclosures and rights, such as deletion and access to data, will apply fully to personal information collected for purposes of employment or potential employment or about individuals at vendors, suppliers, and actual or prospective business customers.
Employers with operations in California that meet the definition of a business under the CCPA should immediately take heed of these new obligations. To ensure compliance, it is crucial that employers understand where personal information is located within their businesses, and to undertake a data mapping exercise to assess how and where personal information is stored and/or processed. Employers should also review their records retention policies to ensure compliance, and also develop an internal framework to handle requests from employees for access and/or deletion. Finally, companies subject to the CCPA will need to update their California privacy disclosures to include employment and business data and any ancillary privacy statements that will need to link to those privacy disclosures.