The term “consumer” as used by the California Consumer Privacy Act (CCPA) has caused a lot of confusion over what data is covered. Many companies are dismissing CCPA in the mistaken belief that it does not apply to their business because they don’t collect “consumer” information.
CCPA 1798.140 (g): “‘Consumer’ means a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations, as that section read on September 1, 2017, however identified, including by any unique identifier.”
Under CCPA, a “consumer” is a California resident. If you have employees who are residents of California, leading law firms are warning you not to overlook the application of the CCPA to employee data.
“Read literally, the statute regulates data not only of individuals that consume a product (e.g., a customer of a store), but data stored relating to California-based employees, and California-based business contacts or prospective customers. The statute's application to employee data is further confirmed by the fact that “personal information” is expressly defined to include ‘employment-related information.’” - Bryan Cave
“Don’t let the ‘Consumer’ language of the CCPA fool you – under the CCPA, the definition of ‘consumer’ can easily include employees so long as they are natural persons who are California residents because they are either domiciled in California for a temporary or transitory purpose or are in California for more than a temporary or transitory purpose.” - Greenberg Traurig
“While use of the term ‘consumer’ may suggest a particular type of relationship, the term is defined broadly to include any California resident – and as a result, in its current form the CCPA also will apply to information collected by covered businesses about their California employees.” - Hunton Andrews Kurth
In short, the current scope of CCPA is not limited to only consumers. It grants the same rights to current employees, past employees, and job candidates that you didn’t hire. Effective and defensible compliance, then, must account for this inclusion.
Are employee records and information accounted for in your data inventory?
Do you know what third parties are accessing, processing or storing your employee data?
Are you over-retaining any employee information in email, on shared drives, or on paper?
No legal representation made. Jordan Lawrence is not a law firm and does not provide legal advice.