A New Day for Data Privacy: California Privacy Act Exemptions Will Expire


January 1, 2023, is now a more ominous deadline in the data privacy compliance world. Privacy professionals have been watching California’s 2022 legislative session to see whether California Consumer Privacy Act (CCPA) exemptions for employee data and business-to-business communications would be extended. Draft bills were floating around the California Assembly and Senate to extend these exemptions, but the California 2022 legislative session closed with no such reprieve.

This means businesses with operations in California that have over $25 million in revenue (or who meet other data processing thresholds) must get up to speed before January 1, 2023, on new privacy requirements going live in the Sunshine State. At the same time, newly expanded rights were already planned under California’s Consumer Rights Act (which amends and broadens the CCPA). For businesses with multi-state or multi-national concerns, this news increases the privacy heat map by deepening requirements in California on the heels of new enforcement actions being announced by the California Attorney General’s office.

Employee Requirements

Under the expiring exemptions, California employers merely had to provide short-form privacy notices and meet certain breach requirements. With exemptions expiring in 2023, employers must give more robust notices, privacy rights, and meet other requirements. Under California’s definitions, this can include employee applicant data. If data is being shared with third parties such as a benefits provider, that must be officially disclosed and properly documented.

This will also likely open a brand-new world of data-subject access requests by plaintiff attorneys in the employment space. Therefore, businesses must be prepared to manage employee-related access requests regarding the management of their data.

Business to Business Communications

Similarly, the current exemption for business-to-business communications will become inoperative on January 1, 2023. This means B2B businesses will no longer enjoy a reprieve from the heavy requirements of CCPA.

The First California Enforcement Action Announced

On August 24, 2022, the California Attorney General’s office announced the first settlement of an enforcement action with the makeup giant Sephora. The central issue of this enforcement is that the CCPA currently prohibits a business from “selling” consumer information without proper notice and stringent opt-out requirements for consumers.

The Attorney General’s complaint alleged that Sephora provides its customers’ personal information to advertising networks, business partners, and data analytics providers in exchange for services from these entities, such as free or discounted analytics and targeted advertising. The definition of “sale” under the CCPA encompasses exchanging personal information for “valuable consideration.” The complaint asserted that Sephora’s exchanges with third parties met this definition because it received analytics and advertising benefits. This indicates that the Attorney General and California Privacy Protection Agency construe the meaning of “valuable consideration” broadly when determining whether a sale occurred. As of January 1, 2023, mere “sharing” of information may constitute a sale.

Though the Sephora settlement is the first announced enforcement action under the CCPA, notices of noncompliance have been issued to several businesses. California is gearing up to be a hotbed of compliance settlements and enforcement actions. Any business hoping to stay under the radar would be wise to take note of these new enforcement actions.

Other Changes to Data Privacy Laws

For the first time, federal privacy legislation has gotten significant attention in Congress. California’s expiring exemptions will put additional pressure on creating a federal privacy regime. Absent that, multi-state businesses will be facing privacy laws in California, Connecticut, Colorado, Virginia, and Utah, which begin to roll out in 2023.

What should my business do now?

The prudent thing to do is to start planning today. Begin an audit of your data flows and reach out to a data privacy attorney to build a quick roadmap to compliance before the start of the new year. Privacy counsel can not only advise on the applicability of these new regulations to your individual business, but also develop the necessary privacy notices, rights request methodologies, and documentation your business needs in place to become compliant.


Jump to Page