Because the California Consumer Privacy Act (CCPA) gives consumers more control over their personal information, the definition of a consumer is very important. Under the privacy law, the term has an extremely broad meaning: any California resident. Businesses do not have to have a customer-type of relationship with a person in order for them to be a consumer. This can be complicated in some situations, such as when the consumer is an employee/job applicant or a business-to-business (B2B) contact.
In order to address this issue, the California legislature amended the CCPA in 2019 to include temporary exemptions for both employee personal information and B2B communications. With the passage of the California Privacy Rights Act (CPRA) by ballot initiative in 2020, the exemptions were further extended. They are currently set to expire on January 1, 2023.
Neither of these exemptions is absolute, however. Businesses still have some CCPA obligations with respect to both groups. Here we’ll go over how the exemptions are defined and what they mean for businesses in terms of CCPA compliance.
Including employees and job applicants as CCPA consumers presents a big problem for businesses. In the normal course of daily operations, businesses regularly collect large amounts of personal information about employees and job applicants—everything from telephone numbers to emails to performance evaluations. Having to keep track of all that information would be burdensome and disruptive, and if it were subject to deletion requests the results could be chaotic.
For these reasons, the CCPA contains a limited exemption for personal information collected by a business about anyone acting as a job applicant to or employee, owner, director, officer, medical staff member, or independent contractor of that business. However, this exemption only applies to the extent that the information is collected and used “solely within the context of [the person’s] role or former role” as a job applicant, employee, etc. So if a consumer works as an employee of a retailer but is also a customer, the personal data collected while they are acting as a customer is fully covered by the CCPA.
The statute also specifically exempts personal information collected from employees to maintain emergency contact information and to administer employee benefits.
It is a partial exemption because the statute identifies two provisions that still apply to employees and job applicants. First, a business must still provide a notice at collection that discloses to employees and job applicants what personal information it is collecting and for what purposes it is used. As far as CCPA compliance goes, this means businesses must update their employment agreements and job applications to include this information.
Second, this information is not exempt from the CCPA’s private right of action. The CCPA allows consumers to sue businesses when their personal information is subject to unauthorized access due to the business’s failure to implement reasonable data security procedures. If an employee or job applicant’s personal information were subject to such a data breach, they would still have a private right of action against the business. This means businesses should exercise the same level of care with this personal data as with that of all other consumers.
Similar to the exemption for employees, the CCPA also has a partial exemption for personal information collected during dealings with other businesses and organizations. In this context, the business does not have an obligation to disclose its data privacy practices, and the consumer does not have a right to know or a right to delete.
Specifically, the CCPA exempts:
Personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who acted or is acting as an employee, owner, director, officer, or independent contractor of a company, partnership, sole proprietorship, non-profit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, non-profit, or government agency.
To summarize in clearer language: Any personal information collected during direct communications or transactions with an employee (or owner, director, etc.) of another organization is partially exempted from the CCPA’s rules. The other organization can be a for-profit business, a non-profit entity, or even a government agency. However, the exemption only applies to personal information obtained in the course of doing business with the other organization.
Importantly, the B2B exemption does not cover personal information obtained from third parties, regardless of its use in a business context. Take for example when a business purchases leads from a data broker for use in an email marketing campaign targeted at other businesses. The personal information contained in those leads (email addresses, names, etc.) is not exempted from the CCPA’s rules, because it was not obtained during direct communication with those consumers.
Overall, the business-to-business exemption makes sense. The CCPA’s main goal is to protect consumers, but in the B2B context there is less of a power imbalance between businesses and consumers, and the personal information involved is less likely to be sensitive. Also, if it were not for this exemption, the CCPA would be giving businesses a powerful tool for obtaining (and deleting) data from other businesses.
It is a partial exemption, though, so which CCPA requirements still apply?
First, these consumers still have the right to opt out of the sale of their personal information. This right is somewhat diminished, though, because businesses are exempted from having to disclose whether they sell personal information. Second, B2B consumers have a right to non-discrimination for exercising their right to opt out. Third, this personal information is not exempt from the CCPA’s private right of action regarding cybersecurity. As with employee-related information, businesses should implement reasonable data protection measures.
While the employee and B2B data exemptions greatly benefit businesses, they add yet another layer of complexity to the process of becoming and staying CCPA compliant. Businesses must divide consumers into groups based on the context in which the personal information was collected, then apply different rules to the different groups. Furthermore, no one knows if the exemptions will be extended, made permanent, or allowed to expire in January 2023.
TrueVault Polaris is a compliance automation tool that helps businesses manage all of these rules and stay ahead of future changes to the law. With it, your business can quickly create a detailed data map with custom consumer groups for employees, business contacts, and others, and be sure you are complying with the most current version of CCPA regulations and rules.
Contact our team today to get started.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.