Understanding the California Privacy and Security Litigation Tsunami: CCPA FAQ: What is a “consumer?”

February 6, 2019

Companies that do business in California know that it is a magnet for class action litigation.  The California Consumer Privacy Act ("CCPA"), a new privacy law that applies to data collected about California residents, will provide even more incentive to plaintiff’s attorneys to bring suit in California. 

The CCPA was enacted in early 2018 as a political compromise to stave off a poorly drafted ballot initiative.  Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).  To help address that confusion, BCLP is publishing a multi-part series to address the most frequently asked litigation-related questions concerning the CCPA.  BCLP is also working with clients to assess – and mitigate   litigation risks for when the CCPA goes into effect by putting in place the policies, procedures, and protocols needed to comply with the Act.

Q. What is a “consumer?”

The data privacy and security laws in the United States use different terms to describe the individuals about whose information the laws apply.  These include terms such as “covered person,”[1] “individual,”[2] and “customer.”[3]  The term used in a particular statute is less important than is its definition.  For example, two statutes may use the term “individual,” but one may define it as referring to all natural persons whereas another may define it as only referring to natural persons that are resident within the state.  As another example, one statute may use the term “covered person” while another uses the term “individual” and yet they define the terms in an identical manner.

The CCPA uses the term “consumer” to refer to the individuals whose information is governed by the statute.  While the common definition of “consumer” suggests that it refers to an individual that has “consumed” a product or a service in relation to a company, the definition ascribed by the GDPR is far broader.  The term is defined to include any “natural person who is a California resident.”[4]  Read literally, the phrase might include not only an individual that consumes a product (e.g., a customer of a store), but that store’s California based employees, and California-based business contacts or prospective customers.

From a litigation standpoint, the broad definition of “consumer” means that plaintiff’s attorneys are gearing up to use the CCPA to bring cases against companies that do business in California on behalf of a myriad of different groups about whom companies typically hold information including, for example:

  • End-use customers,
  • Employees,
  • Shareholders, and
  • Service providers and vendors.

1. See, e.g., Alaska Data Breach Notification Statute, Alaska Section 45.48.090(2).

2. See, e.g., Arizona Data Breach Notification Statute, Arizona Section 44-7501(L)(4).

3. See, e.g., Arkansas Data Breach Notification Statute, Arkansas Section 44-110-103(3); California Data Breach Notification Statute, Cal. Civil Code 1798.80(c).

4. CCPA, Section 1798.140(g).