Extension to CCPA’s Employment and Business-to-Business Exemption Passes Legislature

On Aug. 30, 2020, the California legislature passed Assembly Bill 1281 (AB-1281), which, if approved by the governor, would extend the exemptions for “employee” information and business-to-business (B2B) transactions from their original expiration date of Jan. 1, 2021, to Jan. 1, 2022.

  • Under the “employee” exemption, personal information of consumers within an employment relationship (a job applicant, employee, owner, director, officer, medical staff member, or contractor) is largely exempt from the California Consumer Privacy Act (CCPA) to the extent that the personal information is collected and used within the context of (i) the employment relationship, (ii) having an emergency contact on file, or (iii) administering benefits. However, pursuant to CCPA section 1798.100(b), businesses must still provide notice to these categories of consumers.
  • Under the “B2B” exemption, personal information involved in B2B communications or transactions is largely exempt from the CCPA where the consumer is acting on behalf of a business and the communications or transactions solely relate to providing or receiving a product or service to or from another business. Businesses must still provide B2B consumers the right to opt out of the sale of their information.

Notwithstanding these exemptions, all personal information collected is still subject to the CCPA’s private right of action for certain security incidents.

Should the California Privacy Rights Act (CPRA) be voted into law on Nov. 3, 2020, AB-1281’s one-year extension will not be operative, as the CPRA extends the expiration date for these exemptions to Jan. 1, 2023, to align with the effectuation of the CPRA. Under either scenario, the exemptions will not expire on Jan. 1, 2021, but if the CPRA is not voted into law, businesses will only receive a one-year extension of the employee and B2B exemptions, which would be a reprieve for businesses adversely impacted by COVID-19.

For more information on the CCPA, CPRA, and other Data, Privacy & Cybersecurity issues, visit GT’s Data Privacy Dish blog.