As the California Privacy Rights Act (CPRA) comes into effect on January 1, 2023, the temporary and partial exceptions for employment and business-to-business information will expire, making California the first and only state with a general privacy law that applies to this type of information. The current partial exceptions, which were proposed in 2019 as part of a set of amendments to the California Consumer Privacy Act (CCPA), were originally extended again until January 1, 2023 as part of the ballot initiative that enacted the CPRA. While multiple bills were proposed to extend the partial exceptions either by one additional year or indefinitely, none of the proposed bills made it out of committee and was passed by the California legislature by August 31, 2022, the last day for such bills to be passed in the legislative year.
The current exceptions included many, but not all, of the provisions in the CCPA relating to employment and business-to-business information. The employment information exception applied to personal information collected by a business about a consumer acting as a job applicant or who is a past or current employee of, owner of, director of, officer of, medical staff member of, or contractor of the business and their beneficiaries and dependents (Employment-Related Information), so long as the business used the information solely in the context of the employment relationship. Under the CCPA’s exception for Employment-Related Information, the business was only required to provide the employee with a shortened privacy notice, and the CCPA provided the employee with a private right of action in the event of a data breach where the business failed to use reasonable security measures. Businesses should be reminded that “personal information” under the CPRA is defined broadly, and Employment-Related Information may now include things like network monitoring, video surveillance, photographs, and document metadata. It may also include biometric data (including fingerprints and face and voice recognition when used to identify or authenticate the employee), which may be applicable to some businesses. Businesses should also be aware that biometric data may come under other stringent privacy statutes in and of itself (e.g., the Biometric Information Privacy Act in Illinois – 740 ILCS 14 – and California SB 1189).
The business-to-business exception applied to personal information collected and used by the business about a consumer acting as an employee, owner, director, officer, or contractor of another company, partnership, sole proprietorship, nonprofit, or government entity, but solely to the extent the business used this personal information in the context of conducting due diligence regarding, or providing or receiving a product or service to, such company, partnership, sole proprietorship, nonprofit, or government agency (B2B Information). Under the CCPA, businesses were only required to provide the consumer with an opportunity to opt out of the disclosure of their B2B Information for monetary or other valuable consideration (i.e., a “sale” under the CCPA), if any, but were not required to provide a privacy notice, and the CCPA did not otherwise provide a private right of action for data breaches.
With the partial exceptions for Employment-Related Information and B2B Information expiring, the CPRA in its entirety will apply to these categories. This includes:
While current and former employees, job applicants, and business relations should always have been counted for the purposes of determining whether a business met the thresholds for CCPA, the full applicability of the CPRA to Employment-Related Information and B2B Information underscores the need to consider these individuals for the purpose of determining the applicability of the CPRA.
Businesses that are subject to both the CPRA and the GDPR should be familiar with the application of privacy requirements and data subject rights to Employment-Related Information and B2B Information, as the GDPR made no distinction between these classes of individuals and other data subjects. However, the expiration of the partial exceptions increases the compliance burden for businesses that are subject to the CPRA but not the GDPR. Such businesses should:
The right of a consumer to access, delete, and correct their personal information may be especially troubling for Employment-Related Information. Employment-Related Information may include information that the business needs to keep confidential, such as the raw feedback related to performance appraisals, information about investigation activities, hiring/firing/disciplinary decisions, and other similar information. Businesses should consider the applicability of the exemptions set forth in Section 1798.145 of the CPRA when developing policies and procedures to comply with consumer requests from current, past, and prospective employees, owners, directors, officers, medical staff members, and contractors (and their beneficiaries and dependents). Applicable exceptions may include:
Businesses should also carefully review their policies and procedures for redacting certain personal information from responses to access requests. Businesses may collect and use categories of personal information as part of Employment-Related Information that they do not collect from the rest of their consumers and which the CPRA regulations prevent the business from producing as part of a consumer access request. This includes a consumer’s social security number, driver’s license number or other government-issued identification number, financial account number, any health insurance or other medical identification number, account passwords, security questions and answers, or unique biometric data generated from measurements or technical analysis of human characteristics. The CPRA regulations prohibit disclosure of the specific pieces of these types of personal information in response to a consumer access request, but businesses must still disclose a generic description of this type of information when it is collected by the business.
The impact on B2B Information may be less troublesome than the impact on Employment-Related Information. Most businesses will not have as much sensitive information about their business relations, if any. Nevertheless, businesses should still consider whether the exceptions described above apply to any B2B Information in light of a request from a consumer in the business-to-business context.
For more information about complying with the CPRA for Employment-Related Information and B2B Information, or for information about compliance with the CPRA in general, please contact any of the authors or any Partner or Senior Counsel in Foley’s Cybersecurity and Data Privacy team.