Businesses Explore Options as CCPA Exemption Sunsets
Businesses will continue to seek a way forward on a concerning, soon-to-expire exemption in California's privacy law for employee and business-to-business (B2B) data, a California Chamber of Commerce (CalChamber) official told us Friday. Many privacy lawyers are warning businesses about the carve-out sunsetting at year-end due to the legislature failing to pass an extension. Starting Jan. 1, the California Consumer Protection Act (CCPA) is “really no longer just a consumer law,” said Sheppard Mullin’s Julia Kadish in an interview.
California legislators failed to pass an extension to the sunset before their session ended Aug. 31, though they introduced bills that would have done so (see 2202280040). Lawmakers previously extended the employee exemption from 2021 through the California Privacy Rights Act (CPRA), which succeeds CCPA on Jan. 1. Before the session ended, CalChamber and industry groups including CTIA, USTelecom, TechNet and the California Cable and Telecommunications Association urged legislators to extend the carve-out. Employees and B2B relationships and transactions “were never intended to be covered” by CCPA or CPRA, and implementation will be costly, they wrote.
“Our member companies had spent a lot of time and money in preparation to comply with these exemptions ending,” said CalChamber Policy Chief of Staff Ben Golombek in an interview. “We’ll certainly be exploring any and all possibilities to address the issue in the coming months.”
CalChamber was disappointed the California Labor Federation, in the last two weeks of the legislative session, “decided to unilaterally end months of productive negotiations,” he said. “We were optimistic about reaching a deal.” The groups had been working on “a permanent exemption of these two pieces of information that were never meant to be part of the consumer privacy act,” he said. The federation wanted “various employee-related policy changes and we had made some good progress on a deal of that nature” before the labor group walked out, he said.
Labor had “numerous conversations” with CalChamber, but was “unable to win meaningful protections for workers this year,” responded the federation: Workers should know what data is collected on them and have the right to access and correct it, and there should be limits on technology used to surveil workers. The labor group said the sunset will be good for workers, giving them “critically important rights” for “personally identifiable data, their basic labor rights [and] their right to organize.” Rules specifically catered to the workplace could be preferable to the consumer privacy law, said the federation: The group plans to pursue additional protections at the legislature, “hopefully” as soon as next year.
The exemption’s sunset will “disrupt a number of everyday operations across the board for industries of every sector of the economy, particularly those that handle data,” including telecom and broadband companies, said Golombek, previously an AT&T assistant vice president. Some CalChamber members said they each spent tens of millions of dollars to prepare for compliance, he said. No other states with privacy laws have applied rules to employees or B2B, he added.
Labor groups say it doesn’t make sense to apply a consumer privacy framework to the workplace, said Electronic Frontier Foundation Senior Staff Attorney Lee Tien: The CCPA exemption was to allow time to develop worker-specific rules, he said: “That did not happen this year.” A flurry of letters urging legislators to extend the exemption before the session closed reflected the failure of labor and business groups to reach a deal, he said. How it will be resolved is unclear, but Tien thinks there's “still a lot of room for them to make some kind of a deal.”
Most of CCPA’s requirements haven’t applied to human resources and B2B data, but starting next year, California employees, job applicants and contractors will have privacy rights, said Kadish, a privacy attorney for businesses. Contracts with payroll providers and other vendors handling employee data also will require updates, she said. “We’re looking at less than four months” for businesses to implement changes, “and I think many really have been holding out” because they expected the carve-out to be extended, she said.
Some companies may find it simplest to implement California rules for all employees, said Kadish. As of Jan. 1, California privacy law will cover companies with at least $25 million annual revenue globally or that buy, sell or share personal information of at least 100,000 California residents yearly, or that derive 50% or more of annual revenue from selling or sharing consumer information. The law applies to many industries, including telecom, and sunsetting the exemption will “pick up a lot of companies that were in the B2B space and less consumer-facing,” including those that are “some link in the chain of telecom infrastructure,” said Kadish.
Giving employees rights to access and delete data could raise some thorny questions for businesses, said the privacy attorney. Rights could be invoked as “a runaround for pre-litigation discovery” if, for example, former employees tried to get information from their personnel files, she said. “Companies will want to carefully think through and advance some of the exceptions that might apply to responding to rights to request.”
Those already complying with Europe's general data protection regulation might have less to do, said Kadish: “The expiration of this exemption brings the law really more in line with some other non-U.S. privacy laws like GDPR. The California Privacy Protection Agency, which will enforce CPRA starting Jan. 1, will have “autonomy to decide … enforcement priorities,” noted Kadish: She doubts the employee and B2B piece will be a significant priority for at least the first six months.
Many business privacy lawyers warned about the exemption’s sunset in recent weeks. “This is a significant change for California employers that may require a re-assessment of how personal data is handled and maintained, policy and procedure changes, or even a complete overhaul of privacy and cybersecurity activities,” Seyfarth Shaw attorneys wrote last week.
“Fulfilling an access, right to know or deletion request from an employee seeking to exercise rights under the CCPA/CPRA could present significant logistical challenges and a failure to fulfill a request can have both reputational and financial consequences,” Epstein Becker lawyers blogged Sept. 7. Extending the exemption seems unlikely with the legislative session done, they said. “The prospects … are even further diminished as attempts to include an extension as a ballot initiative in November 2022 have also fallen short.”
“Clamor” from businesses seems “self-serving” and blown out of proportion, considering the bigger businesses to which rules will apply are already subject to GDPR, said EFF’s Tien. “You guys are protesting way, way too much.”