New Rules for Employers with California-Based Employees: Meet the CCPA! What is an employee’s “personal information"?

January 28, 2019

Employers with operations in California should be aware of the California Consumer Privacy Act ("CCPA"),  a new privacy law that applies to data collected about California-based employees.   The CCPA will go into effect in early 2020, and employers who must comply should be addressing compliance obligations now.  In the coming months we will be releasing a series of articles that will help employers determine if they are required to comply with the CCPA and if so, what steps their HR professionals and IT departments should take to be in  compliance. 

The CCPA was enacted in early 2018 as a political compromise to stave off a poorly drafted, and plaintiff friendly, ballot initiative.  Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).  In addition, because the CCPA refers to “consumers” many HR professionals don’t realize that the Act, as currently drafted, applies to data collected about California-based employees.

Employers who are complying with the GDPR will likely already be familiar with many of the requirements of the CCPA – and with some assistance, should be able to bring their operations and policies into compliance with respect to California-based employees.  For US employers who have not had to comply with the GDPR, the requirements of the CCPA for California-based employees will likely require a new analysis of the treatment of employee-data and updated or new data policies.

To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA. 

Q. What is “personal Information?”

The CCPA defines the phrase “personal information” as referring to any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”1  While at first blush the phrase “consumer” suggests that the CCPA does not apply to employees, the Act defines the term as including any California resident about whom a company collects information.  As a result, as the Act is currently written, it applies to the data collected about California-based employees.

The CCPA’s definition of “personal information” is not identical to the definition used within the European GDPR, but there are obvious similarities.  The GDPR refers to the term “personal data” which it defines as “any information relating to an identified or identifiable” person.2  An “identifiable person” under the GDPR is someone who could be “identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.”3

The CCPA also differs from the GDPR insofar as it provides an extensive, and yet non-exhaustive, list of data types that may fall under the broad definition of “personal information.  The following are examples of data governed by the CCPA that employers are most likely to collect about their employees:

  1. Real name4
  2. Postal addres5
  3. Email address6
  4. Social Security Number7
  5. Driver’s license number8
  6. Passport number9
  7. Signature10
  8. Physical characteristics or description11
  9. Telephone number12
  10. State identification card number13
  11. Insurance policy number14
  12. Education15
  13. Educational information (as defined by 34 C.F.R. Part 99)16
  14. Employment17
  15. Employment history18
  16. Bank account number19
  17. Credit card number20
  18. Characteristics of protected classification under California law21
  19. Characteristics of protected classification under federal law22
  20. Biometric information23
  21. Internet or other electronic network activity24
  22. Browsing history25
  23. Search history26
  24. Audio information27
  25. Electronic information28
  26. Visual information29
  27. Profiles of a consumer’s behavior30
  28. Profiles of a consumer’s attitudes31
  29. Profiles of a consumer’s intelligence32
  30. Profiles of a consumer’s abilities33
  31. Profiles of a consumer’s aptitudes34

1. CCPA, Section 1798.140(o)(1).

2. GDPR, Article 4(1).

3. GDPR, Article 4(1).

4. CCPA, Section 1798.140(o)(1)(A).

5. CCPA, Section 1798.140(o)(1)(A).

6. CCPA, Section 1798.140(o)(1)(A).

7. CCPA, Section 1798.140(o)(1)(A).

8. CCPA, Section 1798.140(o)(1)(A).

9. CCPA, Section 1798.140(o)(1)(A).

10. Cal. Civil Code Section 1798.80(e) integrated into the CCPA through CCPA, Section 1798.140(o)(1)(B).

11. Cal. Civil Code Section 1798.80(e) integrated into the CCPA through CCPA, Section 1798.140(o)(1)(B).

12. Cal. Civil Code Section 1798.80(e) integrated into the CCPA through CCPA, Section 1798.140(o)(1)(B).

13. Cal. Civil Code Section 1798.80(e) integrated into the CCPA through CCPA, Section 1798.140(o)(1)(B).

14. Cal. Civil Code Section 1798.80(e) integrated into the CCPA through CCPA, Section 1798.140(o)(1)(B).

15. Cal. Civil Code Section 1798.80(e) integrated into the CCPA through CCPA, Section 1798.140(o)(1)(B).

16. CCPA, Section 1798.140(o)(1)(J).

17. Cal. Civil Code Section 1798.80(e) integrated into the CCPA through CCPA, Section 1798.140(o)(1)(B).

18. Cal. Civil Code Section 1798.80(e) integrated into the CCPA through CCPA, Section 1798.140(o)(1)(B).

19. Cal. Civil Code Section 1798.80(e) integrated into the CCPA through CCPA, Section 1798.140(o)(1)(B).

20. Cal. Civil Code Section 1798.80(e) integrated into the CCPA through CCPA, Section 1798.140(o)(1)(B).

21. CCPA, Section 1798.140(o)(1)(C).

22. CCPA, Section 1798.140(o)(1)(C).

23. CCPA, Section 1798.140(o)(1)(E).

24. CPA, Section 1798.140(o)(1)(F).

25. CCPA, Section 1798.140(o)(1)(F).

26. CCPA, Section 1798.140(o)(1)(F).

27. CCPA, Section 1798.140(o)(1)(H).

28. CCPA, Section 1798.140(o)(1)(H).

29. CCPA, Section 1798.140(o)(1)(H).

30. CCPA, Section 1798.140(o)(1)(k).

31. CCPA, Section 1798.140(o)(1)(k).

32. CCPA, Section 1798.140(o)(1)(k).

33. CCPA, Section 1798.140(o)(1)(k).

34. CCPA, Section 1798.140(o)(1)(k).