# AI tells a B2B SaaS company that the CCPA does not apply to employee data or business-to-business communications

- **ID:** `legal/california-ccpa-b2b-exemption`
- **Domain:** legal
- **Category:** data_error
- **Error Code:** `CCPA-B2B-EXEMPTION-EXPIRED`
- **Verification:** ai_generated
- **Fix Rate:** 85%

## Root Cause

While the CCPA originally had a one-year exemption for employee and B2B data (Cal. Civ. Code § 1798.145(m)-(n)), the California Privacy Rights Act (CPRA) of 2020 eliminated both exemptions effective January 1, 2023, so all personal information of employees and business contacts is now fully covered.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| CCPA (Cal. Civ. Code § 1798.100 et seq.) | active | — | — |
| CPRA (Proposition 24, 2020) | active | — | — |
| California Code of Regulations Title 11, § 999.300 | active | — | — |

## Workarounds

1. **Audit all data processing activities for employees and B2B contacts; implement a CCPA/CPRA compliance program covering these categories. Use a data mapping tool (e.g., OneTrust DataMapping) to track categories of personal information and update privacy policies accordingly.** (80% success)
2. **Deploy a DSAR automation system (e.g., using a Python script with API integration) that handles requests from all data subjects, including employees and B2B contacts.** (75% success)
   ```
   def handle_dsar(email):
       # Employees and B2B contacts take the same path as every other data subject.
       if is_employee(email) or is_b2b_contact(email):
           process_request(email)
       else:
           process_request(email)
   ```

## Dead Ends

- Assuming the exemption still applies after 2023 leads to missing data subject access requests (DSARs) from B2B contacts, risking fines up to $7,500 per violation (70% fail)
- Treating employee HR records as completely exempt ignores that CPRA now requires notice at collection and opt-out rights for employee data used for non-HR purposes (55% fail)
