CA Fails to Extend Privacy Exemptions for B2B and Employment Data from the CCPA into 2023

Privacy and Data Security

Right now, beginning on January 1, 2023, the California Consumer Privacy Act (the CCPA), as amended by the passage of the California Privacy Rights Act in the November 2020 election, will apply to personal information collected by companies subject to the CCPA about their employees, job applications, and individuals at actual or prospective business customers, vendors, and suppliers. This outcome was assured this weekend, when the Legislature’s deadline expired to pass bills taking effect before January 1, 2023. We caution that it is possible that developments in next year’s legislative session, or the passage of a preemptive federal law, could change the present outlook.

Practical Takeaways

Companies that have been hard at work updating their CCPA compliance programs need to immediately fold employment-related and business-to-business (B2B) data into their readiness efforts.

Immediate steps should include:

  • Examining the types and uses of employee and job applicant data and about individuals at vendors or suppliers or business customers to inform 2023 CCPA readiness efforts.
  • Evaluating which exceptions to the 2023 CCPA’s various rights, including to delete, correct, and limit, may apply to employment and business data and the company’s use cases for those categories of data.
  • Updating the company’s CCPA privacy disclosures to include employment and business data and any ancillary privacy statements that will need to link to those privacy disclosures.

In this latest development of a years-long saga in Sacramento, legislators failed to extend the CCPA exemptions for employment-related and B2B data from the full scope of the CCPA as amended beginning in 2023. Without action, those categories of data now will be regulated by the CCPA on January 1, 2023.  The result is that the CCPA’s full suite of privacy disclosures and rights, such as deletion and access to data, will apply fully to personal information collected for purposes of employment or potential employment or about individuals at vendors, suppliers, and actual or prospective business customers.

Until now, the CCPA contained exemptions that substantially relieved companies from applying the its privacy obligations to those categories of data. For example, employment-related data was exempted from the CCPA’s do-not-sell, access, and deletion rights, as well as certain disclosure obligations; and companies were not obligated to provide disclosures to, or operationalize access or deletion rights for, individuals at business customers, suppliers, and vendors. Those exemptions were passed in 2018, after the CCPA’s passage, and were subsequently extended by the passage of the CPRA through the end of this year.

Please reach out to your Manatt representative for further guidance on these recent major developments.



pursuant to New York DR 2-101(f)

© 2024 Manatt, Phelps & Phillips, LLP.

All rights reserved