December 20, 2022

California Employee Data Exemption expires on January 1

Client Alert
Julian L. Bibb IV | Devin Dunkley | Leigh Stanfield

On January 1, 2023, the employee exemption under the California Consumer Privacy Act (CCPA) will expire. Under this exemption, the CCPA did not apply to personal information collected about job applicants or past or current employees, including owners, directors, officers, contractors, beneficiaries, and dependents.

With the expiration of the exemption, employees of affected businesses in California will have the same rights as other consumers under the CCPA and its successor, the California Privacy Rights Act (CPRA), including the right to be informed about, and exercise a certain degree of control over, the processing of their personal information.

To prepare for the expiration of the employee exemption, businesses that are subject to the CPRA and employ California residents should begin taking steps to expand their compliance efforts to their workforce members, including without limitation:

  • Conducting a data privacy inventory to identify the types of personal information collected and retained about employees and what actions the business takes with respect to that personal information;
  • Evaluating whether and to what extent the business’s current policies and procedures can be adapted for its employees, which may include revisiting its privacy policies, establishing new vehicles for employees to submit their data requests, and managing vendor contracts related to employee information; and
  • Identifying any gaps in the business’s current practices, as they relate to employees, and addressing those gaps ahead of January 1, 2023.

Finally, employers should be mindful that the CPRA only applies to employees who are California residents. While employers may consider applying a uniform approach to all employees, businesses should keep in mind that employment and data privacy laws of other jurisdictions may impose different levels of protection for personal information collected from those jurisdictions’ residents in the context of the employment relationship. [For more information about changes to data privacy legislation in 2023, see our blog post.]

Related to the employee exemption, businesses should also be aware of the anticipated January 1, 2023, expiration of the “B2B” exemption. This exemption largely excluded personal information of business contacts—that is, individuals acting as employees in the context of “providing or receiving a product or service to or from” the covered business—from the scope of the CCPA. Future blog posts will dive further into this exemption and its implications for business-to-business relationships.

