On Friday, Feb. 18, California Assemblymember Evan Low (D) introduced two bills ( AB 2871 and AB 2891) that propose to extend the CCPA's HR and B2B data exemptions, one through Dec. 31, 2026 and the other indefinitely. These proposed amendments were introduced just 10 months prior to the main provisions of the California Privacy Rights Act (“CPRA”) coming into effect, particularly the CPRA's consequential provisions which cause HR and B2B data – specifically, personal information of HR data subjects (e.g., employees, applicants and independent contractors) and collected in certain B2B transactions and communications – to become subject to the full scope of California's omnibus privacy law. It's not yet clear whether either of these bills has widespread support. However, if either does pass, it is almost certain that the legislature's authority to do so will be challenged by privacy advocates on a constitutional basis, as we analyze below. Organizations for now should therefore proceed as if the HR and B2B will be in full scope of the CPRA starting Jan. 1, 2023.
The California Constitution prescribes when the legislature can amend a statute that was passed through a ballot referendum (the CPRA was approved as a referendum by California voters on Election Day 2020). In particular, Article II, Section 10(c) of the California Constitution states that “The Legislature may amend or repeal an initiative statute by another statute that becomes effective only when approved by the electors unless the initiative statute permits amendment or repeal without the electors' approval.” The initiative statute – here the CPRA – does permit amendment or repeal without elector approval,
provided that such amendments are consistent with and further the purpose and intent of this Act as set forth in Section 3, including amendments to the exemptions in Section 1798.145 if the laws upon which the exemptions are based are amended to enhance privacy and are consistent with and further the purposes and intent of this Act. CPRA, Section 25(a).
The purpose and intent of the CPRA as to the extension of the HR and B2B exemption is stated directly: “It is the purpose and intent of the Act to extend the exemptions in this title for employee and business to business communications until January 1, 2023.” It's not clear whether further extending the exemption as these proposed bills would are consistent with this purpose and intent, or if doing so could arguably serve to enhance privacy, especially in the absence of corresponding efforts to establish statutory privacy protections for these types of data subjects. Notably, the preamble of the CPRA additionally states, “The privacy interests of employees and independent contractors should also be protected, taking into account the differences in the relationship between employees or independent contractors and businesses, as compared to the relationship between consumers and businesses.” This additional proviso leaves open the door for legislation that treats at least HR data subjects somewhat differently than traditional consumers.
These amendments will almost certainly tee up a challenge. Even if one or both of the amendments gain steam, organizations should be reluctant to forego preparation for compliance with the CPRA as it relates to HR and B2B data because of the potential challenges these bills could face even if passed into law.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.