The California legislature has extended partial exemptions under the California Consumer Privacy Act (CCPA) for the collection and processing of personal information related to business contacts and employees/independent contractors until January 1, 2022. Originally slated to expire on January 1, 2021, these exemptions remove the vast majority of CCPA’s obligations with regard to personal information collected from business contacts in the context of business-to-business transactions and from employees/independent contractors within the scope of their employment/contractor relationship.
The California Privacy Rights Act (CPRA), scheduled to appear on the ballot in November, would extend these exemptions until January 1, 2023 when all the CPRA’s changes become effective. The CPRA will, amongst other things:
- Broaden consumer rights under the CCPA to include the right to correction of inaccurate personal information,
- Create additional obligations related to sensitive personal information such as precise geolocation, biometrics, financial information, health data, and race/ethnicity,
- Implement a new California Privacy Protection Agency,
- Require new regulations related to automated decision-making, and
- Obligate businesses engaging in high-risk data processing to conduct annual cybersecurity audits and regular risk assessments.
Although businesses received a little more “breathing room” with the extension of the business contact and employee/independent contractor exemptions, they shouldn’t lose sight of their overall CCPA compliance obligations and new changes likely to come in November.