As 2019 begins, we are one year away from the highly anticipated California Consumer Privacy Act of 2018 (CCPA or the Act) going into effect. As companies update their privacy policies to comply with the CCPA, it is essential to determine whose personal information the Act protects. Two issues businesses should consider when updating their data privacy policies are: (i) the geographic residence of the individuals whose information is collected; and (ii) whether the Act applies to their employees.
On its face, the CCPA applies to businesses that collect personal information of “consumers.” The Act defines a “consumer” as “a natural person who is a California resident, as defined in Section 17014 of Title 18 of the California Code of Regulations. . . .” Based on this definition, would the CCPA apply to individuals who were once California residents, but traveled out of state for work, school, or leisure? What about individuals who grew up out of state, but are now living in California for an indefinite duration? The answer to these questions is potentially yes.
Section 17014 defines a California resident broadly to include “(1) every individual who is in the State for other than a temporary or transitory purpose, and (2) every individual who is domiciled in the State who is outside the State for a temporary or transitory purpose. All other individuals are nonresidents.” Cal. Code Regs. tit. 18, § 17014. Based on this broad definition, it is a daunting task for a business to determine whether the Act covers information it collects from customers. This is because “temporary or transitory” is a fact-specific inquiry that requires a business to assess whether a consumer is coming to or leaving California for a short period. A business would have to assess whether the customer, for example, came to or left California for vacation, to perform a specific transaction or contract, or to fulfill a particular engagement. However, because most consumer-side businesses collect massive amounts of data on individuals, it will be a costly and time-consuming endeavor to evaluate these facts for each consumer’s personal information, and to regularly update the analysis to reflect the changing geographic location of their customers. In addition to the time and cost involved in conducting such an assessment, there is potential exposure to legal risk if a consumer’s residence is misidentified. Thus, the prudent response to this issue is to be over-inclusive in categorizing consumer information that is subject to the CCPA.
Next, it is an open question whether the CCPA applies to personal information businesses collect from their employees. The definition of “consumer” does not provide guidance on this issue. However, based on the term’s broad scope, it is likely to encompass the personal information of employees because it includes information regarding California residents, who could be employees of the business itself. The Act’s definition of “personal information” also suggests that the CCPA could apply to information collected from a business’s employees. The CCPA defines “personal information” to include “[p]rofessional or employment-related information.” Further, in enacting the CCPA, the legislature noted the importance of privacy in today’s age when, among other things, applying for a job. Simply put, the legislature’s decision to include “employment-related information” in the Act’s definition of “personal information” and its recognition of the importance of privacy when applying for a job are telling, and courts could interpret them to mean that the CCPA applies to information businesses collect from their employees or job applicants.
In sum, businesses updating their data privacy policies in 2019 have a difficult decision to make regarding how broadly they want to interpret the Act. Businesses can either ensure compliance with the CCPA with respect to all of their consumer information, whether or not the consumers are California residents, or conduct a thorough assessment on a regular basis to determine the geographic location of the individuals from whom they collect personal information. Businesses should also consider the nature of the employee-related information they collect, retain and use, and the extent to which such information should be protected under the CCPA.