This blog is the second in a two part series covering CCPA, this one focusing on the one year “employee exemption.” For an in–depth overview of CCPA, read the first post here.
Since California legislators created the California Consumer Privacy Act in haste (approximately 72 hours), it has resulted in many areas of confusion. As a result, California legislators have been busy enacting various clarifying amendments, some of which range on one end from simple as grammatical corrections to the other end with substantive carve outs such as the recently passed California Privacy Rights Act (CPRA).
One of the more substantive amendments impacts the extremely broad definition of a consumer. Under the original legislation, the definition of a consumer was interpreted to include employees of the organization. This prompted the much-publicized “employee exemption” to CCPA, signed by California Governor Gavin Newsom on October 11, 2019.
This post will cover the employee exemption as well as other considerations.
The exemption is basically a one year reprieve from compliance for employee data, and was designed to give California legislators a one year deadline to pass a separate employee privacy bill. Note that if an employee privacy bill does not pass, the one year deadline will expire and employee data will need to be afforded the same treatment as any other California consumer data.
For the time being, per this exemption, the requirements will not apply to personal data in the following categories of individuals:
This employee exemption will only apply if the business collects or uses the personal information exclusively within the context of the individual’s role or former role in the business.
The “employee exemption” also excludes emergency contact information that the business may collect, as well as information needed to administer benefits. Nevertheless, the exemption still requires notice on the use of employee data, while the employee still has a private right of action for mismanagement of employee data. This means that employers with employees or contractors in California should still review and revise employee privacy notices accordingly.
Related to the “employee exemption” is a new exemption that is also set to expire in one year. Under this new exemption, personal information that a business collects in a business-to-business (B2B) transaction is exempted from most CCPA requirements, but only if such data is collected when a California resident makes a written or verbal communication or transaction with a business:
within the context of the business conducting due diligence regarding, or provision or receiving a product or service to or from such company, partnership, sole proprietorship, non-profit, or government agency. (full text of CCPA)
Even so, a consumer private right of action for breach continues to apply in the B2B context. Also, opt-out and non-discrimination rights continue to apply, so business contacts may still opt-out from having their information “sold” to third parties, while a business may not deny goods or services or charge different prices to business customers because they have opted out. Note that this B2B exemption does not extend to cold-calling or other marketing communications.
As such, a business must comply with all CCPA requirements such as notice, access, deletion, opt-out and deletion if the personal information belonging to potential business/customer contacts were obtained from a third party, such as a marketing list provider, until a communication or transaction occurs with the business “within the context of the business conducting due diligence regarding, or provision or receiving a product or service to or from” such business.
Since 2017, a few US federal agencies have issued opinions that continue to focus on the measures taken to protect the data, and not on limits on collecting it or even monetizing it.
The Federal Trade Commission, for instance, has deemed that failing to reasonably secure personal information, including financial information, health information and contents of communications, constitutes a “deceptive or unfair” commercial practice.
The Securities and Exchange Commission (SEC) is also pursuing lawsuits for what are essentially privacy violations. The SEC alleged, for instance, that Facebook Inc. was making misleading disclosures regarding the risk of misuse of Facebook user data.
This resulted in a $100M settlement with Facebook. Multiple states have filed HIPAA data breach lawsuits for failure to protect electronic personal health information. Finally, the Consumer Fraud and Abuse Act has been invoked to stop scraping of data from other websites, but at least one case actually confirms that data collected from a public source is fair game.
At the state level, ever since the adoption of CCPA many other state legislatures have begun to consider similar omnibus privacy laws, often based on either the CCPA or on GDPR. This has led to adoption of comprehensive privacy laws in a few more states, including Maine, Nevada, Oregon, and Washington. Another 13 states have either active bills or ongoing studies that could progress to legislation over the next 2 years. In general, the new omnibus legislation proposed in these states shifts the state law focus from data security and breach notification to giving data subjects rights to opt-out of use or sale of their data, along with the right to request deletion of their data.
The trend in the states is to take a more active role to preserve data privacy within their borders instead of a federalist approach to enforcement, as has been done in Europe. Prior to the passage of CCPA, focus of the state regulations was primarily on the act of protecting the data, and not as much on the rights of consumers to dictate how it is used, barring exceptions for removal of the data of minors as required in California. Now, newer statutes and amendments to existing statutes place an increased focus on providing opt-out provisions to enable consumers to prevent storage and use of their personal information.
The bottom line is that the rights given to consumer over their data have landed on our shores. The rest of the country is starting to fall in line, with at least 13 other states from Hawaii to Maine proposing different flavors of privacy omnibus legislation.
If you think you are staying out of California, which is very hard to avoid given the sheer size of its population, then you need to keep an eye on the several other states with pending legislation.
It appears that the east coast is more likely to align itself with GDPR, while the west coast is aligning with CCPA. In any event, privacy in the United States is not an issue where you can simply tick off a box once and forget about it. Policies should be reviewed annually depending on the growth of your business and the different privacy laws of the states where you may be accessing consumer data.
For more context and actionable insights, read the whitepaper: A Plethora of Privacy Laws: IG Challenges for the Financial Sector