Privacy FAQs: Are work email addresses and business contact information governed by the CCPA?
The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted, and plaintiff’s friendly ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).
To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.
Q. Are work email addresses and business contact information governed by the CCPA?
Yes and no.
The CCPA applies to the “personal information” of individuals that reside in the state of California.1 The term “personal information” is defined broadly as including any information that “relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular” California resident.2 The Act also provides a non-exhaustive list of examples of personal information which includes “employment,”3 as well as “professional or employment-related information.”4
The net result is that work email addresses that contain an employee’s name or business contact information, such as the employee’s name, job title, company, business address, work phone number, etc. are arguably covered within the definition of “personal information.” In contrast, generic business names, business addresses, generic email addresses or any other general business information, as long as the information has not been linked to an individual, are arguably not covered within the definition. So, for example, “John.Smith@acme.com” would most likely be considered “personal information” governed by the CCPA whereas “firstname.lastname@example.org” would not, even if the latter is used by the same employee to communicate with the public.
1. CCPA, Section 1798.140(o)(1).
2. CCPA, Section 1798.140(o)(1). Note that this definition is near identical to the definition of “personal data” within the European GDPR.
3. CCPA, Section 1798.140(o)(1)(B); California Civil Code Section 1798.80(e).
4. CCPA, Section 1798.140(o)(1)(I).
This document provides a general summary and is for information/educational purposes only. It is not intended to be comprehensive, nor does it constitute legal advice. Specific legal advice should always be sought before taking or refraining from taking any action.