The California Consumer Privacy Act (CCPA) took effect on January 1, 2020, imposing requirements on certain businesses that process personal information about California consumers. Businesses subject to the law currently benefit from temporary and partial exemptions from certain CCPA requirements if the personal information processed by the business is (i) human resources (HR) information about the employees of the business or (ii) was collected in a business-to-business (B2B) context. Although these exemptions were originally intended to expire on January 1, 2021, California passed the California Privacy Rights Act (CPRA) on November 3, 2020, extending the exemptions to January 1, 2023.

With these exemptions in place, California employees and B2B contacts have a right to know how a business treats their personal information; however, they do not currently have a right to request access, modification, or deletion of their personal information. Beginning in 2023 when the aforementioned exemptions expire, they will have such rights.

By the end of 2022, businesses should prepare to comply with CCPA and CPRA requirements for HR and B2B personal information. For most businesses, this preparation will likely be similar to general CCPA compliance activities – now with the additional requirement to treat HR and B2B personal information in the same manner as the personal information of other types of California consumers.

Consideration should be given to the following steps:

1. Determine CCPA/CPRA Applicability

a) CCPA and CPRA only apply to for-profit organizations that do business in California AND that: (i) have annual gross revenue in excess of $25 million in the preceding calendar year; (ii) buy, sell, or share the personal information of 100,000 or more consumers or households per year; or (iii) generate 50% or more of their annual revenue from selling or sharing the personal information of consumers.

2. Map HR and B2B Personal Information

a) Businesses should consider what HR and B2B personal information they process, where it comes from, where it is stored, and how to access, modify, and delete it. Once a business knows what personal information it processes, it can establish meaningful procedures for compliance with the various data rights of employees and B2B data subjects. For example, businesses may want to consider developing a process, and informing employees about it, for requesting access, modification, or deletion of their personal information (although several exceptions to deleting HR information will continue to apply even after the exemptions described above expire).

3. Include HR and B2B Personal Information in Data Subject Response Policies

a) If a business does not already have policies and procedures in place for responding to requests from data subjects, it should consider establishing such policies and procedures, including those defining how to respond to HR or B2B requests. If such policies and procedures already exist, then the business should consider how its responses should be modified for HR and B2B personal information.

4. Update DPAs, Customer Contracts, and Vendor Agreements

a) Businesses should consider reviewing service provider and other relationships to ensure that required contractual terms, such as a Data Protection Agreement (DPA), are included in applicable commercial contracts. DPAs and other relevant documentation should also be reviewed and updated as needed. For HR personal information, such service providers may include payroll, benefits, and other HR service providers. For B2B personal information, such service providers may include customer relationship management platforms (CRMs) and other marketing service providers.

5. Provide Opt-Out Links

a) CPRA expands data subject rights to request that certain information not be shared with third parties. By January 1, 2023, all California consumers, including employees and B2B contacts, must have easy access to opt out of the sharing of their personal information that is (i) sensitive personal information; (ii) shared for certain behavioral marketing; or (iii) sold to third parties. Businesses should consider how to implement these requirements, including engaging information technology, web development, and other stakeholders to develop an effective process for honoring opt-out requests.