| Insights | Blog | Cybersecurity

California Advances Bills Extending CCPA Employee / B2B Exemption and Regulating Contact Tracing

On August 19, 2020, the California State Assembly on Appropriations ordered to a second reading Assembly Bill (“AB”) 1281, which would extend the exemption of the California Consumer Privacy Act (“CCPA”) in relation to employee information and business-to-business (“B2B”) transactions until January 1, 2022.  Specifically, AB 1281 would exempt information collected about a natural person in the course of such person acting as a job applicant, employee, owner, director officer, medical staff member, or contractor.  It would also exempt information reflecting a written or verbal communication or a transaction between the business and the consumer, if the consumer is a natural person who is acting as an employee, and whose communications or transactions with the business occur solely within the context of the business’s due diligence regarding a product or service. AB 1281 would only become operative if the California Privacy Rights Act (“CPRA” or “CCPA 2.0”) is not approved by voters during the November 2020 general election.

Two other bills, AB 660 and AB 1782, were also referred to the Appropriations Committee on August 19, 2020. AB 660 would prohibit data collected, received, or prepared for purposes of contact tracing from being used, maintained, or disclosed for any purpose other than facilitating contact tracing efforts. It would also require all data collected, received, or prepared for purposes of contact tracing to be deleted within 60 days, except if that data is in the possession of a state or local health department.  AB 1782 would create the Technology-Assisted Contact Tracing Public Accountability and Consent Terms Act. This would generally regulate public health entities and businesses that provide technology-assisted contact tracing. AB 1782 would also require a business or public health entity offering technology-assisted contact tracing to provide a simple mechanism for a user to revoke consent for the collection, use, maintenance, or disclosure of data and permit revocation of consent at any time.