Wednesday, August 31, 2022
HR and B2B Exemptions Under California Privacy Law Expiring; Enforcement Heats Up
Employee and other HR-related personal data and certain business-to-business personal data (collectively, “HR and B2B Data”) has been exempt from most California Consumer Privacy Act (“CCPA”) requirements for the past two and a half years. Businesses have not yet been required to provide California-based employees, contractors, job applicants, or business-to-business contacts with the full suite of individual rights currently provided to consumers under the CCPA. However, with the California legislature having failed to pass an extension to these exemptions, they will expire on January 1, 2023, when the California Privacy Rights Act (“CPRA”) goes into full force.
Efforts to extend the exemptions looked promising at first. On February 18, 2022, California Assembly Member Evan Low introduced two bills, AB 2871 and AB 2891, which would have extended the duration of the current exemptions for HR and B2B Data. AB 2871 would have extended the HR and B2B exemptions indefinitely, while AB 2891 would have extended the exemptions until 2026. Senate Member Bob Archuleta also introduced SB 1454, which would have extended the HR and B2B exemptions indefinitely. However, those bills did not advance out of committee. August 25, 2022 was the last day for the California State Assembly to amend any bills on the floor, and no other active bill was successfully amended to include an extension to the exemptions. At this point in the legislative calendar, companies can safely assume that there will be no permanent or long-term HR and B2B Data exemption prior to the CPRA taking effect at the start of 2023.
California’s Attorney General has emphasized that privacy enforcement will remain a top priority throughout the remainder of 2022. On August 24, 2022, he announced that cosmetic retailer Sephora would pay $1.2 million to settle a CCPA enforcement action for failing to acknowledge Global Privacy Control opt-outs. Businesses in receipt of CCPA notices from the AG’s office during the remainder of 2022 should respond quickly and thoroughly to avoid a similar outcome. Starting in 2023, the 30-day cure period will expire, and businesses need to ensure they are fully compliant with the CPRA to avoid enforcement action.
California is not the only state that businesses should have on their radar. New privacy laws in Colorado, Connecticut, Utah, and Virginia will also go into effect over the course of 2023, and businesses within the scope of those laws will need to adjust their privacy compliance programs accordingly. Key compliance action items may include:
- Assessing the scope of each law to understand whether and the extent to which each one applies to your organization.
- Conducting or updating data inventory and mapping to identify and document the categories of HR and B2B Data your organization collects and how that data is used, stored, and shared (both within the business and with third parties).
- Updating your business’s privacy notices to account for HR and B2B Data and new state laws.
- Updating your organization’s individual rights response process to account for HR and B2B Data and new state laws.
- Revisiting your organization’s third-party agreements and incorporating legally required updates.
If you have any questions about how to prepare your business for these upcoming changes or for assistance with any other privacy issues your business is facing, contact a member of Maynard Cooper’s Cybersecurity and Privacy Team.
This Client Alert is for informational purposes only and should not be construed as legal advice. The information in this Client Alert is not intended to create and does not create an attorney-client relationship.