California Legislature Adjourns Without Extending CCPA Temporary Exemptions

Written By Haley Metteauer

On August 31, 2022, the California legislature adjourned without issuing an extension of the temporary exemptions set to expire on [DATE], from the reporting and compliance requirements under the California Consumer Privacy Act (“CCPA”) for the collection of personal information derived from job applicants, employees, and contractors (collectively, the “workforce”) in employment contexts.

Under the current exemption, when businesses collect this type of personal information, they are only required to provide notice to workforce members of the data that will be collected and the purpose for which the collected information will be used.

With the exemption expiring, and the California Privacy Rights Act (“CPRA”) amendments  set to take effect on January 1, 2023, workforce members will have the same privacy rights as all other consumers, including:

  • Restrictions on the collection and business use of their personal information for only the “reasonably necessary” purpose that was given to the data subject at the time of collection;

  • The right to request the disclosure of:

    • the categories of personal information collected,

    • the sources of such information,

    • third parties that received the information, and

    • what information was sold/shared and to third parties

  • The right to request the deletion of improperly collected personal information;  

  • The right to request the correction of any inaccurate personal information retained by the business;

  • The right to opt-out of the sale or sharing of their personal information with any third parties; and

  • The right to direct a business to limit the use, sale, or distribution of sensitive personal information to only those uses which are necessary to perform the service or provide the goods reasonably expected by the consumer.

Considering this upcoming regulatory change, covered entities under the CPRA should consider examining their existing privacy policies and practices to ensure compliance with the emerging privacy requirements.

Haley Metteauer
Previous

CISA Issued RFI on Cybersecurity Reporting Requirements
Next

ICO Releases Draft Guidance on Privacy Enhancing Technologies