
California Fails to Extend Employee & B2B Data Exemptions


Rick Buck, Chief Privacy Officer

The California Legislature adjourned its 2022 legislative session on August 31, 2022, without passing legislation that would have extended the CCPA exemptions applicable to personal information in employee, human resources and business-to-business contexts.

The exemptions expire under the CPRA effective January 1, 2023. The exemptions that will expire cover the personal information of job applicants, employees, owners, directors, officers, and independent contractors in the context of an individual’s employment or application for employment, and personal information reflecting written and verbal communications where a consumer is acting in a business-to-business commercial transaction. They also apply to personal information collected by a business as emergency contact information and personal information necessary for a business to retain and administer employee benefits, provided the information is used only for those purposes.

Covered businesses will need to take a close look at their privacy programs to ensure they comply with CPRA, particularly as it relates to the removal of these exemptions.

  • Know where your data is: Map and inventory data across all systems, assets and processing activities that collect and process employee and business-to-business personal information.
  • Update your Data Subject Rights (DSAR) portal: Additional functionality and workflows will need to be created to process workforce subject rights requests.
  • Be transparent: CPRA takes a specific position on what needs to be included in your privacy notice, including the categories of personal information a business collects, the purposes for which the information is used, and what privacy rights consumers have. Remember that under CPRA, your workforce is considered ‘consumers’.
  • Understand if you sell/share or process sensitive personal information: If you do, disclose it in your privacy notice and provide all consumers, including employees and workforce members, a clear and conspicuous way to opt out or limit the use of that information.
  • Update service provider and contractor agreements: CPRA requires that data processing agreements are in place with all service providers, contractors, and other third parties that process covered employee or B2B personal information.

Processing employee access requests will likely present new challenges. Personal information about other employees may be exposed, requests may be coming from disgruntled employees, the information requested might be related to litigation, and data will need to be redacted. All of this may cause an undue burden on businesses.

WireWheel offers a complete solution to help manage the requirements of CPRA, including a solution to fulfill employee DSARs, an integration with Microsoft Priva, and connectors to more than 500 systems, including HR systems such as Workday and Oracle. Contact us to learn more.

Rick Buck is the WireWheel Chief Privacy Officer and acts as a Privacy Advisor to WireWheel clients, helping them with the implementation and optimization of their privacy programs. Over the past 20 years, Rick has…