Effective January 1, 2023, companies subject to the California Consumer Privacy Act (“CCPA”) will face heightened compliance requirements when collecting personal information about their workers, business partners, and job applicants. The partial moratoriums in the CCPA that had applied to these data sets are set to expire, meaning that the CCPA will now apply with full force come the new year. Further, the California Privacy Rights Act (“CPRA”), which amends and reenacts the CCPA, becomes fully effective on January 1, 2023, and enforced beginning July 1, 2023, with a look-back period to January 1, 2022. The CPRA provides additional obligations and consumer data rights that will further complicate covered businesses’ compliance efforts with regard to the personal information of their employees and business contacts.

What were the partial exemptions?

The exemptions relieved California businesses from the CCPA’s obligations, but only for certain data sets.

The so-called HR exemption relieved employers from having to comply with many of the CCPA’s obligations relating to their California employees’ personal information, such as the requirement to offer consumer data rights to job applicants, employees, owners, officers, and independent contractors of a business, including with respect to employee benefits information and emergency contact information. However, this was only a partial exemption. Under the CCPA, businesses have still been required, at or before the point of collection, to inform all California employees and job applicants of the categories of personal information being collected about them and the purposes for which it will be used. In addition, a business could be held civilly liable by employees and applicants for data breaches of their personal information involving non-encrypted data.

The B2B exemption prevented businesses from having to engage in the puzzling task of providing a comprehensive privacy notice to business contacts at the point of collection and providing California residents with CCPA data rights, except for the right to opt-out of sale of their personal information, which has applied since the CCPA went into effect on January 1, 2020.

What happened to these limited exceptions?

The CCPA’s exemptions for this type of data were never intended to be permanent: the original sunset date was extended to January 1, 2021, and then with the passage of Assembly Bill No. 335 in October 2021, extended to January 1, 2023. Legislative efforts to further extend the exemptions primarily manifested as two bills proposed in the California Assembly in February 2021, one to extend the exemptions until January 1, 2026, (AB 2891) and the other permanently (AB 2871). Both bills languished and then expired in committee. A last-ditch effort in mid-August to amend Assembly Bill 1102 to extend the moratoriums to 2025 also failed. The conclusion of the legislative session on August 31st (the last day for each house of the California State Legislature to pass bills) ended any real hope of a continued reprieve from the CCPA’s full application to these data sets.

An additional extension or permanent exemption appears to be outside the rule-making purview of the California Privacy Protection Agency (CPPA), and, at any rate, the CPPA’s current draft update of the CCPA’s regulations, although only partial at this time, indicates no attempt to forestall or prevent the CCPA’s application to HR and B2B personal information. Further, despite its initial momentum, the proposed U.S. federal privacy bill (the ADPPA) now faces bigger roadblocks to passage, in part due to the California congressional delegation’s belief that the ADPPA would put a ceiling on privacy protections via preemption.

What does this mean?

All of the CCPA’s onerous obligations, particularly the requirement to offer consumer data rights, will now apply to personal information from all California consumers collected and held by a business, including employees and B2B contacts. Because a business treats the personal information of its employees, customers, and business relationships differently, the upcoming compliance obligations present new challenges and portend a busy fourth quarter for companies subject to these new CCPA requirements. The policies and procedures that a business currently uses to respond to consumer data requests are likely ill-suited to handling the same requests from that business’s employees or business contacts, some of whose personal information will reside in various data systems.

Under the current CCPA regulations, a business can accommodate a request to obtain specific pieces of personal information by directing employees to existing HR sites where they can look up their own data. However, if there is personal information about employees that is inaccessible to them (such as reviews, employee files, etc.), a business may need to develop a process to provide that information. With regard to requests to delete, the CCPA has exceptions that allow a business to maintain the personal information of current employees for a variety of reasons. For rejected job applicants and former employees, there are likely fewer exceptions that would apply, so a business may need to delete employment records, resumes, interview notes, or other materials upon request.

Many businesses do not maintain B2B contact personal information in a centralized structured database or standard format like they might with customer or employee data. Names, emails, and other types of personal information could be distributed in e-mail folders, internal documents, and a personally maintained virtual ‘Rolodex.’

Note, however, that the scope of employees’ and business contacts’ data rights under the CCPA will be heavily influenced by the forthcoming updated CCPA regulations. While currently still in draft form, the updated regulations may (or may not) provide leeway regarding how far a business must go in complying with a consumer data request that seeks unstructured personal information not used for commercial purposes.

Final note.

There are currently four other U.S. states with comprehensive privacy laws on the books: Colorado, Connecticut, Virginia, and Utah. All are slated to come into effect at various points in 2023, with Virginia’s taking effect first on January 1, 2023, but each of these other states has permanently excluded HR and B2B personal information from the scope of its law.

Key takeaways and Q4 action items to consider:
  • Update data inventory to include employee, job applicant, and business personal information now fully subject to CCPA.
  • Update consumer facing disclosures/notices to comply with the new CCPA requirements.
  • Evaluate third-party/vendor contractual relationships that may be impacted by these changes.
  • In particular, employers should begin preparing for changes by mapping data flows, updating employee forms and notices, reviewing privacy policies and incident response procedures, and training managers and supervisors on these changes to ensure compliance.
  • Also, employers should use caution regarding the collection of sensitive personal information of California employees as CCPA has heightened requirements as to that category of personal information.



As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. ©2022 Dykema Gossett PLLC.

Note: This story featuring commentary from Dykema’s Cinthia Granados Motley was originally published by Bloomberg Gov.

  • Critical infrastructure industries would have to report hacks
  • Spending deal heading for House vote later on Wednesday

By Maria Curi | March 9, 2022, 5:31AM ET

Cybersecurity legislation that would impose new hack and ransomware reporting requirements on businesses was included in a spending bill lawmakers unveiled early Wednesday.

The Senate passed the cyber reporting requirements on March 1 under a bill (S. 3600) from Sen. Gary Peters (D-Mich). Peters previewed their inclusion in the spending bill Tuesday.

Continue Reading: Cyberattack Reporting Requirements Included in Spending Deal

The Illinois Supreme Court unanimously ruled on Thursday that the Illinois Biometric Information Privacy Act (BIPA) is not preempted by the Illinois Workers’ Compensation Act (IWCA).

This decision clears the way for employees to pursue BIPA statutory damages ($1,000 for each negligent violation or $5,000 for each intentional or reckless violation), a significant and costly defeat for employers in a case that was followed closely by attorneys on both sides of the bar.

Continue Reading: BIPA Lives On: Illinois Supreme Court Rejects Common Employer Defense of Workers’ Comp Preemption

It has been impossible to ignore the constant stream of news articles detailing the epidemic of malicious attempts at data disruption and theft. While the cybersecurity risks of ransomware, malicious data extraction, and business e-mail compromise have been top of mind for professionals in heavily regulated industries for some time now, data from 2020 and the first half of 2021 compels an alarming new conclusion: cybercriminals are no longer a problem just for banks, health care organizations, and oil pipelines to worry about. Businesses from a wide range of previously untargeted industries are now squarely in the cross-hairs of malicious threat actors.

Continue Reading: Cybercriminals Finding Success In Targeting New Industries

On August 11, 2021, the Federal Financial Institutions Examination Council (the “FFIEC”) issued new guidance on risk management principles for access to and authentication of electronic funds transfers for the first time in over a decade, titled Authentication and Access to Financial Institution Services and Systems (the “New Guidance”).[1] The New Guidance effectively replaces the FFIEC’s prior guidance on this topic, including its original guidance issued in 2005, Authentication in an Internet Banking Environment (the “Original Guidance”), and the supplement issued in 2011 in response to increased fraud in Internet-based financial transactions (the “Supplement,”[2] and together with the Original Guidance, the “Guidance”). The Guidance was intended to set regulatory expectations for financial institutions offering Internet-based financial services to both commercial and consumer customers.

Continue Reading: An Enhanced Standard of Commercial Reasonableness for Security Procedures? The FFIEC Updates Its Authentication Guidance for Internet-Based Financial Services

The Federal Trade Commission’s increased activity in the data security arena continues, as the FTC has ordered nine social media and video streaming companies—including Facebook, Twitter, TikTok, and Reddit—to provide data on their data privacy practices. The orders seek information on (i) how these companies collect, use, and present personal information, (ii) their advertising, (iii) their user engagement practices, and (iv) how their practices affect children and teenagers.

In issuing the orders, the FTC focused on social media’s monetization of users’ activities and “the industry’s increasing intrusion into our private lives.” In a joint statement, the FTC wrote:

Continue Reading: FTC Launches Investigation Into Facebook, Twitter, and Other Social Media Sites

The FBI, the Cybersecurity and Infrastructure Security Agency (CISA), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) have issued a joint warning that malicious cyber actors are targeting kindergarten through twelfth-grade (K-12) educational institutions. These actors are initiating ransomware attacks, data thefts, and general disruption of distance learning efforts. The agencies expect these attacks to continue through the 2020-21 academic year.

Among other things, cyber actors have launched ransomware attacks against school computer systems, rendering them inaccessible for distance learning and other basic functions. They have also stolen and threatened to leak confidential student data and personal information unless the institutions paid a ransom. In August and September 2020, 57 percent of ransomware incidents reported to MS-ISAC involved K-12 schools, compared to 28 percent of such incidents from January through July.

Continue Reading: Cyber Actors Hit K-12 Distance Learning Efforts With Ransomware and Phishing Attacks

Last week FireEye announced publicly that it had suffered a cyber-attack by a “highly sophisticated state-sponsored attacker utilizing novel techniques.”[1] FireEye is a leading cybersecurity firm that provides information security services and tools, including forensic investigation services, to high-profile clients worldwide. In its public disclosure of the breach, FireEye reported that the threat actor specifically targeted its Red Team tools. FireEye then preemptively released the means and methods to detect those Red Team tools. In its investigation of the incident, FireEye discovered that a widely used IT service provider, SolarWinds®, had also been hacked. The threat actor infiltrated SolarWinds and then packaged a malicious trojan into a normal SolarWinds update. SolarWinds believes as many as 18,000 clients may have downloaded the update containing the malicious trojan.

Continue Reading: CISA Issues Warning to Mitigate Widespread Vulnerability

While public attention focused on the federal and state elections, Michigan voters made an important decision—they adopted Proposal 20-2, which amended Michigan’s Constitution to extend its protection from unreasonable searches and seizures to electronic data and communications. With the proliferation of personal electronic devices and storage of business information on computers used at home in the past few decades, federal and state courts, including the Supreme Court, have grappled with how to apply Fourth Amendment protections against unreasonable searches and seizures in a digital age. Although Proposal 20-2 might not change investigative practice, it clarifies that electronic data and communications are subject to the same protection against unreasonable search and seizure as other “traditional” information, such as paper records.

Continue Reading: Michigan Voters Add Constitutional Protections for Electronic Data and Communications

On November 9, the FTC announced a settlement of its complaint against Zoom Video Communications, Inc. The complaint charged Zoom with deceptive and unfair privacy and security practices, including claiming that it offered end-to-end encryption.

The end-to-end encryption claim has garnered the most attention. As the complaint states, Zoom represented that it offered end-to-end encryption. Instead, as this blog has previously explained, Zoom offered transport encryption, which meant that the Zoom service itself could access the unencrypted video and audio content of meetings. This meant that the confidentiality of recorded Zoom meetings depended entirely upon Zoom servers’ security from hackers—a particular concern for some users given that Zoom has servers in China. (As of October 26, Zoom began offering true end-to-end encryption as a technical preview, meaning that the company is proactively seeking feedback from its users.)

Continue Reading: FTC Settles Complaint Against Zoom Regarding End-to-End Encryption