AI tells a B2B SaaS company that the CCPA does not apply to employee data or business-to-business communications
ID: legal/california-ccpa-b2b-exemption
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| CCPA (Cal. Civ. Code § 1798.100 et seq.) | active | — | — | — |
| CPRA (Proposition 24, 2020) | active | — | — | — |
| California Code of Regulations Title 11, § 999.300 | active | — | — | — |
Root Cause
While the CCPA originally had a one-year exemption for employee and B2B data (Cal. Civ. Code § 1798.145(m)-(n)), the California Privacy Rights Act (CPRA) of 2020 eliminated both exemptions effective January 1, 2023, so all personal information of employees and business contacts is now fully covered.
Official Documentation
https://oag.ca.gov/privacy/ccpa
Workarounds
- 80% success: Audit all data processing activities for employees and B2B contacts; implement a CCPA/CPRA compliance program covering these categories. Use a data mapping tool (e.g., OneTrust DataMapping) to track categories of personal information and update privacy policies accordingly.
- 75% success: Deploy a DSAR automation system (e.g., a Python script with API integration) that handles requests from all data subjects, including employees and B2B contacts. Because the exemption is gone, the handler no longer needs to branch on subject type:

    ```python
    def handle_dsar(email):
        # Since 1 January 2023 there is no exemption to check: employees and
        # B2B contacts get the same handling as any other data subject.
        process_request(email)
    ```
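The following is an added example (not code from the original entry or from any vendor tool it names) showing the two workarounds above as a single script: a DSAR handler written the way an exemption-era system would have behaved, the corrected handler that keys off the CPRA sunset date, and a small data-map audit that flags inventory rows still relying on the old exemption (missing notice at collection, or employee data used for non-HR purposes without an opt-out). The data classes, the category names, the HR purpose list and all sample requests and inventory rows are constructed for this example; what counts as an HR purpose is a policy decision, not something the statute enumerates here.

```python
from dataclasses import dataclass
from datetime import date

# Date on which the CPRA ended the employee and B2B exemptions (from the entry above).
EXEMPTION_SUNSET = date(2023, 1, 1)
COVERED_NON_CONSUMER = frozenset({"employee", "b2b_contact"})
# Constructed: which purposes count as ordinary HR use is a policy decision.
HR_PURPOSES = frozenset({"payroll", "benefits"})


@dataclass(frozen=True)
class DSAR:
    email: str
    category: str      # "consumer", "employee" or "b2b_contact"
    received: date


@dataclass(frozen=True)
class DataMapEntry:
    system: str
    category: str
    purposes: frozenset
    notice_at_collection: bool
    opt_out_offered: bool


def handle_dsar_exemption_era(req: DSAR) -> str:
    """Old logic (the dead end): employee and B2B requests treated as out of scope."""
    if req.category in COVERED_NON_CONSUMER:
        return "rejected_exempt"
    return "processed"


def handle_dsar(req: DSAR) -> str:
    """Corrected logic: the exemption only ever applied to requests received
    before the sunset date; everything received on or after it is processed."""
    if req.category in COVERED_NON_CONSUMER and req.received < EXEMPTION_SUNSET:
        return "rejected_exempt"
    return "processed"


def audit_data_map(entries):
    """Return (system, issue) pairs for inventory rows that still rely on the
    old exemption: employee/B2B data with no notice at collection, and employee
    data used for non-HR purposes with no opt-out offered."""
    findings = []
    for e in entries:
        if e.category not in COVERED_NON_CONSUMER:
            continue
        if not e.notice_at_collection:
            findings.append((e.system, "missing notice at collection"))
        if e.category == "employee" and (e.purposes - HR_PURPOSES) and not e.opt_out_offered:
            findings.append((e.system, "non-HR use without opt-out"))
    return findings


def compare_handlers(requests):
    """Side-by-side outcome of the old and corrected handler for each request."""
    return [(r.email, handle_dsar_exemption_era(r), handle_dsar(r)) for r in requests]


# Constructed sample input: three requests and three data-map rows.
SAMPLE_REQUESTS = [
    DSAR("buyer@example.com", "consumer", date(2023, 3, 1)),
    DSAR("staff@example.com", "employee", date(2023, 3, 1)),
    DSAR("partner@example.com", "b2b_contact", date(2022, 6, 1)),
]
SAMPLE_DATA_MAP = [
    DataMapEntry("hris", "employee", frozenset({"payroll"}), True, False),
    DataMapEntry("analytics", "employee", frozenset({"payroll", "productivity_scoring"}), True, False),
    DataMapEntry("crm", "b2b_contact", frozenset({"sales"}), False, False),
]

if __name__ == "__main__":
    for row in compare_handlers(SAMPLE_REQUESTS):
        print(row)
    for finding in audit_data_map(SAMPLE_DATA_MAP):
        print(finding)
```

Running it shows the employee request from March 2023 rejected by the old handler and processed by the corrected one, while the audit flags the CRM (B2B contacts without notice at collection) and the analytics system (employee data used for productivity scoring with no opt-out); the HRIS row, used only for payroll with notice given, passes.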
Dead Ends
Common approaches that don't work:
- 70% fail: Assuming the exemption still applies after 2023 leads to missing data subject access requests (DSARs) from B2B contacts, risking fines up to $7,500 per violation.
- 55% fail: Treating employee HR records as completely exempt ignores that CPRA now requires notice at collection and opt-out rights for employee data used for non-HR purposes.