Even though the California Consumer Privacy Act (“CCPA”) has been in effect since January 1, 2020, and enforcement of all CCPA provisions has been available since July 1, 2020, significant uncertainty exists regarding the substantive application of the CCPA and whether its provisions will endure. Three areas of uncertainty predominate: (1) when will exemptions for employee and business-to-business (“B2B”) information expire; (2) which companies are the early targets of the California Attorney General’s enforcement and on what basis; and (3) will the California Privacy Rights Act (“CPRA”) pass on November 3?
The CCPA currently contains exemptions related to certain employee and B2B information collected by covered businesses. These exemptions insulate businesses from compliance with many of the CCPA’s provisions as they relate to employee and B2B information, significantly lessening an onerous regulatory burden. However, these exemptions were passed originally as merely legislative stopgaps. Both the employee and the B2B exemptions are currently set to expire on January 1, 2021.
The timeline for exemption expiration was recently thrown into question by the California legislature with the passage of AB 1281. Through AB 1281, the California legislature extends the employee and B2B exemptions until January 1, 2022, unless the CPRA is passed by Californians on November 3. The CPRA’s passage would moot AB 1281, and the employee and B2B exemptions would instead continue until January 1, 2023. The Governor of California will have until September 30 to sign AB 1281 into law. Thus, it appears that businesses are likely to obtain either a one or two year extension of the exemptions.
The roving expiry date of the employee and B2B exemptions is not the only ambiguity coloring the current CCPA regulatory environment. In July, the California Attorney General began enforcing violations of the CCPA, sending allegedly non-compliant businesses “Notices of Violation.” However, because the letters have remained confidential to date, they have had no instructive value for the many businesses that may have hoped to learn by example.
The as-yet unclear impact of the CPRA heightens the uncertainty. The CPRA could once again upend the California privacy law landscape, if passed on November 3. The CPRA has been called “CCPA 2.0,” given its modification and expansion of the CCPA. Based on current polling statistics, the CPRA is expected to become law. Of note, the CPRA has gained some high-profile supporters. Andrew Yang, former Democratic Party presidential candidate, was recently named chair of the Californians for Consumer Privacy advisory board (the same group that spearheaded the CCPA and is now sponsoring the CPRA).
If enacted, the CPRA would become fully operative on January 1, 2023 and through it, Californians would impose new requirements on businesses above and beyond those in the CCPA, such as limitations on the use of sensitive personal information and requirements in connection with data minimization, among other changes. While the state of flux may prove unnerving to businesses eager to wrap up their compliance efforts, now is not the time to throw in the proverbial towel on compliance. The trend nationwide is toward more fulsome privacy obligations, and businesses, regardless of the outcome on November 3, will be well-served to continue to assess, strengthen, and document their privacy and data security regimes.
We are actively monitoring these issues and will provide updates as they become available.