Show all

Understanding the CCPA Worker Exemption

This blog is the second in a two-part series on CCPA, which focuses on the one-year “Workers Liberation”. For a n in depth survey by CCPA ] read the first post here.

Ever since California legislators rushed (about 72 hours) into the California Consumer Privacy Act this has created many areas of confusion. As a result, California legislators have been busy making various clarifying changes some of which range from simple grammatical corrections at one end to content-related changes such as the recently passed California Privacy Rights Act (CPRA) .

One of the more significant changes affects the extremely broad definition of a consumer. Under the original legislation, the definition of a consumer was interpreted to include employees of the organization. This led to the widely published "Workers' Liberation" to the CCPA, which was signed on October 11, 2019 by the Governor of California, Gavin Newsom.

This post will cover the employee liberation and other considerations.

The temporary exemption of the employee

The exemption is basically a one-year employee compliance waiver and is designed to give California lawmakers a one year to grant] Deadline for the adoption of a separate data protection invoice for employees. Note that the one year period of expires if an employee privacy law is not passed and that employee information must be treated the same as any other California consumer information.

According to this exemption, the requirements do not currently apply to personal data in the following groups of people:

  • Applicant
  • Employees
  • Owner
  • Director
  • Officer
  • Medical assistant
  • Sole proprietorship

This employee exemption only applies if the company collects or uses the personal data solely in connection with the role of the individual or his previous role in the company.

The "Worker Exemption" also excludes emergency contact information that the company may collect, as well as information that is necessary to administer the benefits. However, the exemption still requires notification of the use of employee data, while the employee continues to have a private right to sue for mismanagement of employee data. This means that employers with employees or contractors in California should continue to review and revise their employee privacy notices accordingly.

In connection with the "employee exemption" there is a new exemption that also expires in a year. Under this new exemption, personal information that a company collects as part of a business-to-business (B2B) transaction is exempt from most CCPA requirements, but only if such information is collected from a California resident in writing or oral communication or transaction with a business:

in the context of the business of performing due diligence on or providing or receiving a product or service for or from such an enterprise, partnership, sole proprietorship, non-profit organization or government agency. (full text of the CCPA)

Nevertheless, a private consumer right to infringement still applies in the B2B context. In addition, opt-out and non-discrimination rights continue to apply, so business contacts may still refuse to have their information "sold" to third parties, while a company may not refuse goods or services or charge business customers different prices for opting out. Note that this B2B exemption does not apply to cold calls or other marketing communications.

As such, a company must meet all CCPA requirements such as notification, access, deletion, deactivation and deletion when the personal information pertaining to potential business / customer contacts has been obtained from a third party, such as: Providers of marketing lists until there is a communication or transaction with the company, "within the framework of the company performing due diligence on such company or providing or receiving a product or service for or from that company".

Other state and federal concerns

Since 2017, some US federal agencies have issued statements that continue to focus on measures to protect the data, rather than on limits of collection or even monetization.

For example, the Federal Trade Commission has determined that failure to adequately secure personal information, including financial information, health information, and the content of communications, is a "misleading or unfair" business practice. ]

The Securities and Exchange Commission (SEC) is also pursuing lawsuits for material data breach. For example, the SEC alleged that Facebook Inc. made misleading statements about the risk of misuse of Facebook user data.

This resulted in an agreement with Facebook for USD 100 million. Several states have filed HIPAA data violation lawsuits for failure to protect electronic personal health information. Eventually the Consumer Fraud and Abuse Act was used to stop the scraping of data from other websites, but at least one case actually confirms that data collected from a public source is fair game are.

At the state level, since the CCPA was passed, many other state legislators have begun reviewing similar omnibus data protection laws, often based on either the CCPA or the GDPR. This has resulted in the adoption of extensive data protection laws in several more states, including Maine, Nevada, Oregon, and Washington. Another 13 states have either active bills or studies in progress that could lead to legislation in the next 2 years. In general, the new collective legislation proposed in these states shifts the focus of national law from data security and notification of violations to the right of data subjects to disable the use or sale of their data, as well as the right to request the deletion of their data.

The trend in states is to take a more active role in maintaining data protection within their borders, rather than following a federal approach to enforcement as in Europe. Prior to the CCPA's enactment, the focus of state regulations was primarily on privacy protection rather than consumers' right to determine how it was used, with the exception of exceptions for the removal of data from minors, as in California. Newer laws and changes to existing laws are increasingly focusing on providing opt-out provisions so that consumers can prevent their personal information from being stored and used.


The bottom line is that the rights granted to consumers over their data have landed on our banks. The rest of the country is starting to adjust, and at least 13 other states from Hawaii to Maine are proposing different types of privacy legislation.

Whenever you do business that affects California consumers in any way, it is advisable to adhere to CCPA compliance, starting with a close look at your retention schedule, supporting investigations, and privacy policies these of your third-party providers providers with whom you may exchange data.

If you think you may be outside of California, which is very difficult to avoid given its sheer population, you need to keep an eye on the various other states with pending laws.

It seems that the east coast is more aligned with the GDPR, while the west coast aligns with the CCPA. Either way, US privacy is not an issue where you can just tick a box and forget about it. The guidelines should be reviewed annually, depending on the growth of your business and the different data protection laws of the states in which you may access consumer data.

For more information and actionable insights, see the Whitepaper: A Plethora of Data Protection Legislation: IG Challenges for the Financial Sector

Comments are closed.