Because the term “consumer” is so broad in the CCPA (remember: it’s any California resident), it would have applied to employee and job applicant data and all business contact information across the board. After much negotiation, the legislature enacted (and the Governor signed) two amendments dealing with this information. Until January 1, 2021, the CCPA will not apply to information collected about employees or job applicants, or in typical business-to-business (B2B) transactions by a business otherwise required to comply with CCPA.
Employees and job applicants. Certain information collected from (or about) employees and job applicants in the course of employment will be outside of the scope of the CCPA until January 1, 2021. This includes emergency contact information, so long as it is only used for that purpose. It also covers information that an applicant, employee, etc. provides in the context of applying for or receiving benefits for that individual or others related to the individual, again – so long as it is only used for that purpose. This leaves any other information that is received from any of these individuals in any other context. Examples are when an employee makes a purchase, signs up for a newsletter, or otherwise. We’ve written in detail about this exemption at our Brief Guide for Covered Employers. Businesses covered by CCPA are still required to give employees/job applicants notice of the collection/use practices and are also prohibited from collected additional information or using for additional purposes without first providing notice. Notices must be given “at or before the time of collection” of the information. The amendment does not apply to the employee or job applicant’s private right of action under Section 1798.150 in the event of a data breach of such information.
B2B information. This amendment temporarily exempts “information reflecting a written or verbal communication or a transaction between the business and a consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, non-profit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, non-profit, or government agency.” The amendment takes out of the CCPA scope any personal information in this context, whether the business the buyer or seller of goods or services, including when the business is preparing to buy or sell goods or services. The exemption in this amendment extends request for deletion (1798.105), request to know (1798.110), disclosure of information sharing (1798.115), and 1798.135 (implementing do-not-sell requests). The amendment does not exempt a CCPA-covered business from its “Do Not Sell” obligations, therefore, if your business collects this type of B2B information and “sells” in the meaning of the CCPA, you will be required to put a “Do Not Sell My Personal Information” link on your website, or provide some other means by which individuals can opt-out of such sales.
These amendments automatically sunset on January 1, 2021 unless the legislature takes further action in the 2020 legislative session.
Monday’s QOTD: Who is a “service provider” under the CCPA and why is it important?