The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), originally exempted B2B data. That exemption expired. B2B contacts in California now have significant privacy rights.
What Happened January 1, 2023
The B2B exemption expired.
When CCPA was enacted, it included a temporary exemption for personal information collected in B2B transactions. This was extended once by CPRA, but the extension ended January 1, 2023.
Translation: B2B contacts in California now have the same privacy rights as consumers.
Before (Exempted)
- B2B contact info not covered
- No disclosure requirements
- No deletion rights
- No opt-out rights
Now (Full Coverage)
- All personal data covered
- Full disclosure required
- Deletion rights apply
- Opt-out rights enforced
Who CCPA/CPRA Applies To
CCPA/CPRA applies to for-profit businesses that meet any one of the following thresholds:
$25 million+ annual revenue
Gross annual revenue exceeding $25 million in the preceding calendar year.
OR
100,000+ consumers/households
Buys, receives, sells, or shares personal information of 100,000+ California consumers/households.
OR
50%+ revenue from selling data
Derives 50% or more of annual revenue from selling or sharing consumers' personal information.
B2B Data Now Covered
With the exemption expired, the following B2B data is now protected:
Contact Information
- Name
- Work email address
- Work phone number
- Job title
Communication Records
- Email correspondence
- Call recordings
- Meeting notes
- CRM activity logs
Professional Data
- Employment history
- Education information
- Professional qualifications
- LinkedIn data
Any Other Personal Data
- Photos
- IP addresses
- Device identifiers
- Behavioral data
New Rights for B2B Contacts
Right to Know
They can request what personal information you've collected about them, where it came from, why you have it, and who you've shared it with.
Right to Delete
They can request deletion of their personal information. You must comply, subject to limited exceptions (ongoing business relationship, legal obligations, etc.).
Right to Correct
They can request correction of inaccurate personal information you maintain about them.
Right to Opt-Out of Sale/Sharing
They can opt out of the "sale" or "sharing" of their personal information for cross-context behavioral advertising.
Response timeline:
You must respond to verifiable consumer requests within 45 days (with a possible 45-day extension if necessary and communicated).
What MSPs Must Do Now
1. Privacy Notice Updates
Update your privacy policy to cover B2B data collection, use, and sharing. Disclose what you collect and why.
2. Data Inventory
Know what B2B personal data you have, where it came from, where it's stored, and who has access.
3. Request Handling Processes
Establish procedures to verify and fulfill access, deletion, and correction requests within 45 days.
4. Service Provider Agreements
Ensure contracts with data processors include CCPA/CPRA-compliant terms.
5. "Do Not Sell/Share" Link
If you "sell" or "share" personal information (broadly defined), provide a clear opt-out mechanism.
Enforcement Timeline
| Date | Event |
|---|---|
| Jan 1, 2020 | CCPA takes effect (with B2B exemption) |
| Nov 2020 | CPRA passed (extended B2B exemption to 2023) |
| Jan 1, 2023 | B2B exemption expires — full coverage begins |
| July 1, 2023 | CPPA enforcement begins |
| Ongoing | AG and CPPA enforcement actions |
Penalty Structure:
- $2,500 per unintentional violation
- $7,500 per intentional violation
- $7,500 per violation involving minors
- No cure period for intentional violations under CPRA
CCPA/CPRA Compliance Checklist
- Determined if thresholds apply ($25M revenue, 100K+ consumers, 50%+ data revenue)
- Updated privacy policy to cover B2B data
- Created data inventory (what B2B data, where stored, who has access)
- Established consumer request intake process
- Created verification procedures for requests
- Trained staff on handling access/deletion/correction requests
- Updated service provider contracts with CCPA/CPRA terms
- Implemented "Do Not Sell/Share" link (if applicable)
- Created record-keeping procedures for requests
- Reviewed data retention policies
Legal Disclaimer
This content is provided for educational purposes only and does not constitute legal advice. Regulations vary by jurisdiction and change frequently. We strongly recommend consulting with a qualified attorney or compliance professional regarding your specific situation before implementing any outreach program. Pipeline Engine is designed with compliance in mind, but ultimate responsibility for legal compliance remains with the business.
