Governor Newsom signed two new laws at the end of the legislative session this year that modify the California Consumer Privacy Act. Most crucially for the majority of businesses in California, one of the laws extends the temporary employee and business-to-business (“B2B”) exemptions from the definition of “Consumer” in the CCPA. The second changes how businesses must treat health privacy.
The “employee” exemption to the CCPA refers to data collected within the employment relationship, including job applicants, employees, owners, directors, officers, and contractors. This data is currently exempt from significant CCPA obligations. The B2B exemption refers to data in business-to-business interactions, where the data subject is providing personal information on behalf of a business, and the communications or transactions are solely related to providing or receiving a product or service to or from another business.
AB 1281 extends the employee and B2B exemptions until January 1, 2022. This legislation only applies if the California Consumer Privacy Rights Act (“CPRA”) ballot initiative does not pass during the state’s November 3rd general election. If, however, the CPRA is successful, the ballot initiative would also extend these particular exemptions until January 1, 2023.
The legislature created the first exemption in 2019, and it was set to expire at the end of 2020 in order to give the legislature time to create a more permanent solution. With the steep decrease in legislative activity in response to the COVID-19 crisis, legislators chose to push this issue off for another year. However, it is clear that the CCPA will in the future impose major obligations with respect to employee data and B2B-related data exchanges.
AB 713 exempts certain health information from the CCPA. It clarifies that information deidentified (i.e., made anonymous) pursuant to the Privacy Rule of the Health Information Portability and Accountability Act (“HIPAA”) would be exempt from the CCPA. As with other categories of personal data subject to the CCPA, information that is subsequently reidentified would no longer be eligible for the exemption.
This law is unlikely to impact the vast majority of businesses that are not directly involved in medical services or medical research. However, it should serve as a reminder to California businesses that the CCPA covers a wide range of data, and that any data sharing that touches on sensitive areas such as health should be reviewed by competent counsel.