Time to Comply: CCPA/CPRA grace period for B2B and HR ends Jan. 1

On August 31, the California legislative session ended without enacting Assembly Bill 1102. That bill would have extended the grace periods for certain business-to-business and human resources personal information under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). CCPA/CPRA will now become fully enforceable on January 1, 2023, for B2B and HR personal information and will adhere to the same rigorous privacy regulations as “consumer” personal information under California law.

The direct applicability of CCPA/CPRA is the first time comprehensive privacy regulation for B2B and HR personal information has come to the U.S. For those not subject to nor familiar with the European Union’s General Data Protection Regulation (GDPR), the direct regulation of B2B and HR personal information will likely come as an unpleasant surprise to many companies doing business in California. Unless a carve-out applies, such as for Health Insurance Portability and Accountability Act (HIPAA)-regulated protected health information, companies have less than four months to be ready to meet strict privacy obligations for personal information about a broad range of individuals, such as job applicants, B2B customer contacts and prospects, employees, contractors, web and mobile application visitors, supplier contacts and other individuals. The new regulations will allow California employees to leverage new privacy rights for pre-litigation discovery and other aspects of disputes. On the B2B side, the specifics will vary by company and industry, but if customer contacts have any kind of sensitivity to privacy or compliance, or savvy competitors assert privacy compliance as a brand differentiator, it will be critical to establish and maintain an effective privacy compliance program. While an in-depth discussion of compliance procedures is not possible here, impacted businesses should consider the following to get started:

• Determine whether your business engages in the “sale” or “sharing” of personal information and amend or update contracts accordingly. B2B companies may engage in such activities in connection with certain advertising and digital marketing. For HR personal information, most companies will want to structure their disclosures of HR personal information to avoid “sales” and “sharing.” In other situations, the company could consider whether it has or could implement service provider terms that qualify for an exception to sale and sharing.
• Develop a core inventory of California personal information. For each core working group, HR, B2B and consumers, develop an inventory of key systems and assets that collect and process the relevant personal information. The inventory should also reflect how and under what terms such information is disclosed to other parties, including vendors, suppliers, distributors, business partners and others. This information will be critical for businesses to carry out all other privacy compliance aspects.
• Determine whether your business engages in any use or disclosure of sensitive personal information that might be subject to instructions to limit use and disclosure. CPRA has a long list of personal information that is considered “sensitive,” including such obvious things as Social Security Numbers and biometric information, and maybe less obvious items such as information about one’s sexual orientation and the contents of an individual’s mail, email, and text messages. CPRA establishes a general rule that individuals must be able to limit the use or disclosure of sensitive personal information beyond what is "reasonably necessary to provide the services or provide the goods reasonably expected by an average consumer," or other limited exceptions. Most companies will likely want to collect and process sensitive personal information only as strictly needed for such purposes as providing benefits and/or compliance with the law and therefore take the position that the company only uses and discloses sensitive personal information as permitted by CPRA, (without needing to offer employees the choice to limit the use and disclosure of such sensitive personal information).
• Update privacy notices. All privacy notices will need to be reviewed and updated where applicable, and for some, created for the first time to comply with the new regulations.
• Prepare and provide B2b and HR contacts with the opportunity to exercise their rights with respect to their personal information. All B2B and HR contacts should be able to exercise the full rights afforded to them under the CPRA as of Jan. 1, 2023, including access and right to know, correction, and deletion rights.

We are here to help businesses navigate the new regulations.