The Bottom Line
- The California legislature has passed AB 1281, extending the CCPA’s temporary exemptions for certain B2B and employment information for one year until January 1, 2022.
- If the CPRA ballot initiative passes in California’s general election this November, the exemptions will expire on January 1, 2023.
- Now that the California AG is actively enforcing the CCPA and the final regulations have gone into effect, businesses collecting the personal information of California residents are on notice that they must comply.
In the latest California Consumer Privacy Act (CCPA) development, the California legislature passed Assembly Bill 1281 (AB 1281) on August 30, 2020. AB 1281 extends the CCPA’s temporary exemptions that apply to personal information processed in certain business-to-business (B2B) and employment related transactions by one year until January 1, 2022.
CCPA Obligations on Businesses Until Now
When the CCPA was initially enacted, businesses immediately raised concerns about the fact that the CCPA not only permitted consumers to exercise extensive rights to their personal information, but also permitted an organization’s own employees and others business contacts engaging in day-to-day activities to exercise such rights. This issue became an immediate focus of proposed CCPA amendments.
As a result, an amendment (AB 25) providing for a one year reprieve until January 1, 2021 for most, but not all, CCPA obligations was enacted October 11, 2019. With that 2021 date quickly bearing down on businesses subject to the CCPA, the industry again brought this attention to lawmakers. Those businesses can now breathe a sigh of relief, temporarily, with the passage of this latest amendment.
Notably, if the California Privacy Rights Act (CPRA) ballot initiative is passed during the state’s general election this November, the exemptions will extend under the CPRA until January 1, 2023 (and AB 1281 would not take effect).
Although the exemption extensions provide businesses with some measure of relief, it is important to understand that these are partial exemptions only and certain aspects of the CCPA continue to apply to B2B communications and employment information. For example, businesses must still comply with sales opt-out and non-discrimination obligations in connection with B2B communications and with pre-collection notice requirements in connection with employment information. Furthermore, the exemptions do not apply to the CCPA’s private right of action for data breaches.
As a reminder, businesses must ensure compliance with the CCPA now that the final regulations are in effect and enforcement has begun (as of July 1, 2020).
In fact, during a recent webinar hosted by the International Association of Privacy Professionals (IAPP), California’s Supervising Deputy Attorney General, Stacey Schesser, confirmed that the Attorney General’s office sent a wave of letters to businesses for alleged CCPA violations on July 1, 2020. While the substance of these letters are not public, Schesser indicated that the letters were targeted at online businesses from various industries that were missing key disclosures, especially in relation to the sale of personal information.
Businesses should be on high alert and vigilant in their CCPA compliance efforts.