New Rules for Employers with California-Based Employees: Does the CCPA apply to employee data?

January 30, 2019

Employers with operations in California should be aware of the California Consumer Privacy Act ("CCPA"), a new privacy law that applies to data collected about California-based employees.  The CCPA will go into effect in early 2020, and employers who must comply should be addressing compliance obligations now. In the coming months we will be releasing a series of articles that will help employers determine if they are required to comply with the CCPA and if so, what steps their HR professionals and IT departments should take to be in compliance. 

The CCPA was enacted in early 2018 as a political compromise to stave off a poorly drafted, and plaintiff friendly, ballot initiative.  Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).  In addition, because the CCPA refers to “consumers” many HR professionals don’t realize that the Act, as currently drafted, applies to data collected about California-based employees.

Employers who are complying with the GDPR will likely already be familiar with many of the requirements of the CCPA – and with some assistance, should be able to bring their operations and policies into compliance with respect to California-based employees.  For US employers who have not had to comply with the GDPR, the requirements of the CCPA for California-based employees will likely require a new analysis of the treatment of employee-data and updated or new data policies.

To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA. 

Q. Does the CCPA apply to employee data?

The data privacy and security laws in the United States use different terms to describe the individuals about whose information the laws apply.  These include terms such as “covered person,”1 “individual,”2 and “customer".3  The term used in a particular statute is less important than its definition.  For example, two statutes may use the term “individual,” but one may define it as referring to all natural persons whereas another may define it as only referring to natural persons that are resident within the state.  As another example, one statute may use the term “covered person” while another uses the term “individual” and yet they define the terms in an identical manner.

The CCPA uses the term “consumer” to refer to the individuals whose information is governed by the statute.  While the common definition of “consumer” suggests that it refers to an individual that has “consumed” a product or a service, the definition ascribed by the CCPA is far broader.  The term is defined to include any “natural person who is a California resident.”4  Read literally, the statute regulates data not only of individuals that consume a product (e.g., a customer of a store), but data stored relating to California-based employees, and California-based business contacts or prospective customers.  The statute's application to employee data is further confirmed by the fact that “personal information” is expressly defined to include “employment-related information.”5  

In contrast to the diverse terminology utilized within United States statutes, the European GDPR, and many EU Member State statutes implementing the GDPR, consistently uses the term “data subject” which is defined broadly as any “identified or identifiable natural person” and has been expressly interpreted as including employees.6 


1. See, e.g., Alaska Data Breach Notification Statute, Alaska Section 45.48.090(2).

2. See, e.g., Arizona Data Breach Notification Statute, Arizona Section 44-7501(L)(4).

3. See, e.g., Arkansas Data Breach Notification Statute, Arkansas Section 44-110-103(3); California Data Breach Notification Statute, Cal. Civil Code 1798.80(c).

4. CCPA, Section 1798.140(g).

5. CCPA, Section 1798.140(o)(1)(I).

6. GDPR, Article 4(1).