On August 31, California's legislature ended its 2022 session without extending the California Consumer Privacy Act (CCPA) exemptions regarding B2B and employee personal information. Unless a special legislative session is called, the current exemptions will expire as of January 1, 2023, the same day the California Privacy Rights Act (CPRA) goes into effect.

Until now, the CCPA primarily applied to for-profit "businesses" that do business in California and process the personal information of California residents, excluding data governed by other privacy laws such as HIPAA.

Now, all for-profit organizations whether business-to-business (B2B) or business-to-consumer (B2C) who meet the following criteria:

• A business with gross annual revenue of over $25 million per year.

OR

• A business that derives 50% or more of its annual revenue from sharing or selling California consumers’ personal information.

OR

• A business that annually buys, shares, or sells personal information to over 100,000 consumers.

must comply with CPRA and include the data collected from their employees, applicants, owners, officers, directors, and independent contractors in the context of employment and employment applications.

The business needs to identify any third parties with whom they share this information.

Additionally, personal information reflecting written and verbal communications or collected during transactions between businesses will be subject to the same laws as those with individual customers.

What You Can Do Now

1. Contact us. Your friends at Consilien can help you meet the “Reasonable Security Standards,” required by CCPA/CPRA and help you create systems to help you adhere to the regulation.
2. Contact an attorney who specializes in Data Privacy. If you do not have an attorney and please contact sales.dept@consilien.com and we will send you a list of referrals.
3. Stay in touch. We will be having an informational webinar soon regarding the regulation. There you can ask your questions of the experts.

References:

1. CCPA/CPRA Will Apply to Employee AND B2B Data — Five Steps to Prepare for the January 1, 2023 Effective Date | Troutman Pepper - JDSupra
2. California Fails to Extend CCPA's Employee and Business-to-Business Data Exemptions | Thought Leadership | Baker Botts
3. California Legislature Fails to Extend CCPA Employee and B2B Data Exemptions | Byte Back (bytebacklaw.com)
4. CCPA to Apply to Employment Data as of January 1, 2023 | Saul Ewing Arnstein & Lehr LLP - JDSupra