AI tells a B2B SaaS company that the CCPA does not apply to employee data or business-to-business communications
ID: legal/california-ccpa-b2b-exemption
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| CCPA (Cal. Civ. Code § 1798.100 et seq.) | active | — | — | — |
| CPRA (Proposition 24, 2020) | active | — | — | — |
| California Code of Regulations Title 11, § 999.300 | active | — | — | — |
Root cause analysis
While the CCPA originally had a one-year exemption for employee and B2B data (Cal. Civ. Code § 1798.145(m)-(n)), the California Privacy Rights Act (CPRA) of 2020 eliminated both exemptions effective January 1, 2023, so all personal information of employees and business contacts is now fully covered.
Official documentation
https://oag.ca.gov/privacy/ccpa
Solution
- Audit all data processing activities for employees and B2B contacts, and implement a CCPA/CPRA compliance program that covers these categories. Use a data mapping tool (e.g., OneTrust DataMapping) to track the categories of personal information collected and update privacy policies accordingly.
- Deploy a DSAR automation system (e.g., a Python script with API integration) that handles requests from all data subjects, including employees and B2B contacts. The original one-line snippet branched on employee/B2B status and then called the same function in both branches; the point is that no branch may skip processing:

```python
def handle_dsar(email):
    # Classify only for record-keeping. Since January 1, 2023 an employee or
    # B2B contact is handled exactly like any other data subject: there is no
    # exemption branch, so every request reaches process_request().
    if is_employee(email):
        category = "employee"
    elif is_b2b_contact(email):
        category = "b2b_contact"
    else:
        category = "consumer"
    process_request(email, category)
```
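As an added illustration (not code from the original entry), the scope check a DSAR intake system should apply: the employee and B2B exemptions in § 1798.145(m)-(n) only cover requests dated before January 1, 2023, and a compliance configuration that still lists those categories as exempt after that date is flagged. The names `DsarRequest`, `dsar_in_scope`, `audit_exemption_config` and the sample requests are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import date

# Date on which the CPRA sunset the employee and B2B exemptions
# (Cal. Civ. Code § 1798.145(m)-(n)), as stated in the root cause above.
EXEMPTION_SUNSET = date(2023, 1, 1)
FORMERLY_EXEMPT = {"employee", "b2b_contact"}
VALID_CATEGORIES = FORMERLY_EXEMPT | {"consumer"}


@dataclass(frozen=True)
class DsarRequest:  # hypothetical intake record
    email: str
    category: str   # "consumer", "employee" or "b2b_contact"
    received: date


def dsar_in_scope(req: DsarRequest) -> bool:
    """True if the request must be honoured under CCPA/CPRA.

    Consumers were always in scope. Employees and B2B contacts were exempt
    only while § 1798.145(m)-(n) was in force, i.e. for requests received
    before January 1, 2023.
    """
    if req.category not in VALID_CATEGORIES:
        raise ValueError(f"unknown data subject category: {req.category}")
    if req.category in FORMERLY_EXEMPT:
        return req.received >= EXEMPTION_SUNSET
    return True


def audit_exemption_config(exempt_categories: set, today: date) -> list:
    """Return the categories a config still treats as exempt after the sunset.

    An empty list means the configuration carries no stale exemption.
    """
    if today < EXEMPTION_SUNSET:
        return []
    return sorted(exempt_categories & FORMERLY_EXEMPT)


# Constructed sample requests (not real data subjects).
SAMPLE_REQUESTS = [
    DsarRequest("ana@example.com", "consumer", date(2022, 6, 1)),
    DsarRequest("ben@example.com", "employee", date(2022, 6, 1)),
    DsarRequest("cho@example.com", "b2b_contact", date(2023, 3, 15)),
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req.email, req.category, "in scope" if dsar_in_scope(req) else "exempt (pre-2023)")
    print("stale exemptions:", audit_exemption_config({"employee", "b2b_contact"}, date(2024, 1, 1)))
```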
Failed attempts
Common but ineffective approaches:
- 70% failure rate: Assuming the exemption still applies after 2023 leads to missed data subject access requests (DSARs) from B2B contacts, risking fines of up to $7,500 per violation.
- 55% failure rate: Treating employee HR records as completely exempt ignores that the CPRA now requires notice at collection and opt-out rights for employee data used for non-HR purposes.