BCLPatWork.com
Employer CCPA FAQs #2: What is “personal information” under the CCPA?
Apr 19, 2019
As our series of FAQs regarding the California Consumer Privacy Act (“CCPA”) continues, we are examining the scope of the law’s jurisdiction. These FAQs should help employers determine if they are required to comply with the CCPA and, if so, what steps their HR professionals and IT departments should take to be in compliance.
As a reminder, the CCPA is a new privacy law that applies to data collected about California-based employees. The CCPA will go into effect in early 2020, and employers who must comply should be addressing compliance obligations now.
For US employers who have not had to comply with the GDPR, the requirements of the CCPA will likely require a new analysis of the treatment of employee data and implementation of updated or new data policies. For employers with European operations, one key area of interest is the degree to which the CCPA aligns with the European General Data Protection Regulation (“GDPR”). Employers in compliance with the GDPR will likely already be familiar with many of the requirements of the CCPA – and with some assistance, should be able to bring their operations and policies into compliance with respect to California-based employees.
BCLP offers a complete compliance program for employers that includes a formal gap assessment and tailored policies, procedures, and protocols to close identified gaps. Bryan Cave Leighton Paisner LLP has a team of knowledgeable lawyers and other professionals prepared to help employers address their obligations under the California Consumer Privacy Act. If you or your organization would like more information on this or any other employment issue, please contact an attorney in the Employment and Labor practice group.
Question #2: What is “personal information” under the CCPA?
The CCPA defines the phrase “personal information” to refer to any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”[1] While at first blush the phrase “consumer” suggests that the CCPA does not apply to employees, the CCPA defines the term as including any California resident about whom a company collects information. As a result, as the CCPA is currently written, it applies only to the information collected about California-based employees.
The CCPA provides an extensive, and yet non-exhaustive, list of information that may fall under the broad definition of “personal information.” The following are examples of information governed by the CCPA that employers are most likely to collect about their employees:
- Real name[2]
- Postal address[3]
- Email address[4]
- Social Security Number[5]
- Driver’s license number[6]
- Passport number[7]
- Signature[8]
- Physical characteristics or description[9]
- Telephone number[10]
- State identification card number[11]
- Insurance policy number[12]
- Education[13]
- Educational information (as defined by 34 C.F.R. Part 99)[14]
- Employment[15]
- Employment history[16]
- Bank account number[17]
- Credit card number[18]
- Characteristics of protected classification under California law[19]
- Characteristics of protected classification under federal law[20]
- Biometric information[21]
- Internet or other electronic network activity[22]
- Browsing history[23]
- Search history[24]
- Audio information[25]
- Electronic information[26]
- Visual information[27]
- Profiles of a consumer’s behavior[28]
- Profiles of a consumer’s attitudes[29]
- Profiles of a consumer’s intelligence[30]
- Profiles of a consumer’s abilities[31]
- Profiles of a consumer’s aptitudes[32]
For employers who have had to comply with the GDPR, it is useful to understand how the CCPA’s definition of “personal information” compares to the GDPR’s definition.
The CCPA’s definition of “personal information” is not identical to the definition used within the European GDPR, but there are obvious similarities. The GDPR refers to the term “personal data” which it defines as “any information relating to an identified or identifiable” person.[33] An “identifiable person” under the GDPR is someone who could be “identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.”[34]
[1] CCPA, Section 1798.140(o)(1).
[2] CCPA, Section 1798.140(o)(1)(A).
[3] CCPA, Section 1798.140(o)(1)(A).
[4] CCPA, Section 1798.140(o)(1)(A).
[5] CCPA, Section 1798.140(o)(1)(A).
[6] CCPA, Section 1798.140(o)(1)(A).
[7] CCPA, Section 1798.140(o)(1)(A).
[8] Cal. Civil Code Section 1798.80(e) integrated into the CCPA through CCPA, Section 1798.140(o)(1)(B).
[9] Cal. Civil Code Section 1798.80(e) integrated into the CCPA through CCPA, Section 1798.140(o)(1)(B).
[10] Cal. Civil Code Section 1798.80(e) integrated into the CCPA through CCPA, Section 1798.140(o)(1)(B).
[11] Cal. Civil Code Section 1798.80(e) integrated into the CCPA through CCPA, Section 1798.140(o)(1)(B).
[12] Cal. Civil Code Section 1798.80(e) integrated into the CCPA through CCPA, Section 1798.140(o)(1)(B).
[13] Cal. Civil Code Section 1798.80(e) integrated into the CCPA through CCPA, Section 1798.140(o)(1)(B).
[14] CCPA, Section 1798.140(o)(1)(J).
[15] Cal. Civil Code Section 1798.80(e) integrated into the CCPA through CCPA, Section 1798.140(o)(1)(B).
[16] Cal. Civil Code Section 1798.80(e) integrated into the CCPA through CCPA, Section 1798.140(o)(1)(B).
[17] Cal. Civil Code Section 1798.80(e) integrated into the CCPA through CCPA, Section 1798.140(o)(1)(B).
[18] Cal. Civil Code Section 1798.80(e) integrated into the CCPA through CCPA, Section 1798.140(o)(1)(B).
[19] CCPA, Section 1798.140(o)(1)(C).
[20] CCPA, Section 1798.140(o)(1)(C).
[21] CCPA, Section 1798.140(o)(1)(E).
[22] CCPA, Section 1798.140(o)(1)(F).
[23] CCPA, Section 1798.140(o)(1)(F).
[24] CCPA, Section 1798.140(o)(1)(F).
[25] CCPA, Section 1798.140(o)(1)(H).
[26] CCPA, Section 1798.140(o)(1)(H).
[27] CCPA, Section 1798.140(o)(1)(H).
[28] CCPA, Section 1798.140(o)(1)(K).
[29] CCPA, Section 1798.140(o)(1)(K).
[30] CCPA, Section 1798.140(o)(1)(K).
[31] CCPA, Section 1798.140(o)(1)(K).
[32] CCPA, Section 1798.140(o)(1)(K).
[33] GDPR, Article 4(1).
[34] GDPR, Article 4(1).