California Governor Gavin Newsom recently signed several amendments to the California Consumer Privacy Act. Two of these amendments – commonly referred to as the “employee exemption” and the “business-to-business (B2B) exemption” – narrow the application of the CCPA. But the word “exemption” vastly overstates their effect. In this alert, we break down how these two amendments reduce, but do not eliminate, CCPA compliance burdens with respect to these two groups.
The Employee Amendment Eliminates Only Consumer Request Rights
The employee amendment limits some business obligations for personal information that businesses collect about job applicants, employees, owners, directors, officers, and contractors (hereinafter “employees”) in their role as employees. (Codified at Cal. Civ. Code §1798.145(h).) As a result of the amendment, employees do not have the right to submit requests to know or delete information that their employers or former employers have collected about them. But employees still have other rights under the CCPA.
First, employees are entitled to receive a “Notice at Collection” that informs them of (1) the categories of personal information that the business collects about them and (2) the purpose for which the information will be used. The Notice at Collection must be delivered to the employee at or before the time the information is collected.
Second, employees also have the right to sue businesses if their nonencrypted and nonredacted sensitive personal information (such as social security number, driver’s license number, financial account information, and medical or health insurance information) is breached as a result of the business’s failure to implement and maintain reasonable security procedures and practices. In the event of a breach of this type, employees may recover actual damages or statutory damages of $100 – $750 per consumer, per incident, whichever is greater. This is a game-changer, because California is now the only state in the country that provides for statutory damages in the event of a data breach. The consumer does not need to prove he or she has been harmed in order to recover.
The B2B Amendment Eliminates Only (1) Consumer Request Rights and (2) the Right to Notice at Collection
The B2B amendment limits a business’s CCPA obligations with respect to consumer information it receives from another company. (Codified at Cal. Civ. Code §1798.145(n)(1).) As a result of the amendment, businesses are not required to provide consumers whose personal information they receive in the B2B context with (1) a Notice at Collection or (2) the right to submit requests to know or delete their personal information. But businesses still have other obligations with respect to B2B data.
First, a business that receives data in the B2B context and then “sells” the data must still provide consumers with the ability to opt out of the sale of their data and cannot discriminate against those who do. Such businesses therefore need to post “Do Not Sell My Personal Information” or “Do Not Sell My Info” links on their website. They also need to establish an internal process to receive, process, and respond to consumer requests to opt out.
Second, consumers whose information is shared in a B2B context still have the right to sue for actual and statutory damages if their sensitive personal information is breached. This means that despite the B2B amendment, businesses must still secure sensitive information they obtain in a business context and are still subject to costly consumer class actions.
Two more important things to know about the B2B amendment:
- The amendment limits a business’s obligations with respect to B2B information only if the business receives the information from an employee (including an owner, director, officer, or contractor) of an organization solely within the context of the business conducting due diligence regarding, providing, or receiving products or services to or from the organization. If the company receives the personal information through an automated process, such as an API, the exclusion may not apply.
- There is disagreement about the scope of the amendment. Some commentators interpret the amendment as excluding only personal information that a business collects from an employee of another company about that particular employee (such as the employee’s contact information). Others interpret the amendment to exclude all personal information a business receives from an employee of another company about any California consumer.
Although both the employee amendment and the B2B amendment are welcome news for businesses assessing their CCPA compliance obligations starting on January 1, 2020, the relief is short term. Both amendments become inoperative on January 1, 2021, meaning that as of that date California consumers whose personal information is collected in an employment context or in a B2B context will have full rights under the CCPA (unless the law is amended again).
– Keesal, Young & Logan Privacy and Data Security Group
This information has been prepared by Keesal, Young & Logan for informational purposes only and is not legal advice. Transmission of the information is not intended to create, and receipt does not constitute, an attorney-client relationship between you and Keesal, Young & Logan. You should not act upon this information without seeking professional counsel.