United States: Unraveling The Newest Development In The Data Protection Juggernaut: What Does The "California Consumer Privacy Act Of 2018" Mean For Employers?

Last Updated: July 13 2018
Article by Philip L. Gordon and Andrew Gray

With the May 25, 2018 effective date of the European Union's General Data Protection Regulation (GDPR) barely in the rear-view mirror, California's Governor Jerry Brown, on June 28, 2018, signed into law the "California Consumer Privacy Act of 2018"1 (CCPA or "the Act"). The law flashed onto the scene after a concerned and wealthy California citizen funded, and obtained the approval of, a ballot initiative for a similar law to be placed on the November 2018 electoral ballot. The initiative's backer used that approval as leverage in the waning days of June to force the California government to enact an alternative law in exchange for his withdrawal of the initiative from the November 2018 ballot before the June 30 publication deadline. The CCPA is aimed at granting individuals more control over their personal information and more insight into how businesses use and disclose their personal data.

By its name and its stated purpose, the CCPA ostensibly is only consumer protection legislation with a focus on e-commerce. The Act's legislative findings highlight the revelations in March 2018 that "tens of millions of people had their personal data misused by a data mining firm called Cambridge Analytica."2 The findings then express the "intent of the Legislature to further Californians' right to privacy by giving consumers an effective way to control their personal information, by ensuring the . . . rights" established by the Act.3

The Act is written so broadly, however, that it could be read to confer rights on employees vis-à-vis their employers with respect to their personnel records. In this article, we describe how the Act creates this confusion, explain why the Act likely is not intended to be read so broadly, and identify the practical implications for employers if the Act were read to apply to their personnel records. Fortunately, the Act does not go into effect until January 1, 2020, giving the California legislature time to amend and clarify a piece of legislation that was hastily drafted and rushed to Governor Brown's desk for signature.

Does the CCPA Confer New Rights on Employees With Respect to Their Personnel Records?

While the Act's name and legislative findings leave no doubt that the CCPA is a consumer protection law, other aspects of the Act could be read to suggest that it also confers rights on employees, and burdens on employers, with respect to personnel records. To begin with, the Act defines "consumer" without reference to the relationship between the individual and the entity that collects the individual's personal information. Instead, the Act defines "consumer" broadly to include employees, i.e., "a natural person who is a California resident . . . however identified, including by unique identifier."4 At the same time, the Act's definition of "personal information" includes "professional or employment-related information,"5 which arguably could include an employer's personnel records. The legislative findings specifically cite "apply[ing] for a job" as one of the activities that is "almost impossible to do . . . without sharing personal information" to support the need for the legislation.6 Moreover, nowhere does the Act either state that it applies only to personal information collected in the course of a consumer transaction or expressly exclude "personal information" collected by an employer about its employees for employment purposes.

Despite these ambiguities, several aspects of the Act strongly suggest that California's legislature did not intend to confer new rights on employees vis-à-vis their employers with respect to their personnel records. As an initial matter, neither the legislative findings nor the Act itself ever uses the word "employer" or "employee"; instead, the findings reference only "consumers" and "businesses." Furthermore, the Act defines "business" by reference to the entity's annual gross revenue; the number of consumers, households or devices about which the entity processes personal information; or the percentage of the entity's annual revenue derived from selling consumers' personal information.7 By contrast, employment laws almost uniformly define an employer by reference to the number of the entity's employees.8

The Act's requirement to notify consumers of their right to opt out of the sale of their personal information, one of the central new rights conferred on consumers, also supports the conclusion that the CCPA is not intended to address the personal information collected during the employment relationship. The Act mandates delivery of that notice through the business' publicly facing "Internet webpage."9 That method of notification would be anomalous in the employment context where mandatory notices to employees customarily are delivered by physically posting them in the workplace, delivering them directly to employees, or including them in an employee handbook.10

The Act's anti-discrimination provision also appears to demonstrate the legislature's intent not to regulate records management in the employment context. That provision prohibits businesses from discriminating against consumers who exercise their rights under the Act by denying service, charging different prices, or providing a lower-quality product.11 Had the legislature intended the Act to regulate the collection of personal information during the employment relationship, it almost surely would have prohibited a business from discriminating in the terms or conditions of employment against consumers exercising their rights.

Finally, the Act's protections expressly extend to consumers under the age of 16, with additional protection for minors under the age of 13.12 With the exception of child labor laws, few if any laws relating to the employment relationship provide specific provisions for minors, especially those under 13.

Taken together, these points demonstrate the CCPA almost surely is not intended to confer rights on employees vis-à-vis their employers with respect to personnel records.

Practical Implications for Employers if the CCPA Were Applied to Personal Information Collected in the Context of the Employment Relationship

While it is unlikely that the Act applies to personal information collected in the context of the employment relationship, employers still should consider the Act's practical implications in the event the legislature does not amend the CCPA before it goes into effect to clarify that the new law does not confer rights on employees with respect to employment records maintained by their employer. The Act confers the following new rights on consumers: (a) the right to access personal information collected by the business;13 (b) the right to information about the business' collection, sale, and other disclosure of the consumer's personal information collected by the business;14 (c) the right to request deletion of personal information collected by the business;15 and (d) the right to opt out of the business' sale of the consumer's personal information.16 Of these rights, the right to access, if applicable, has the potential to be highly burdensome; the right to information should be manageable; and the deletion and opt-out rights should have minimal impact.

Under the right of access, a business is required, within 45 days of receiving a consumer's verified request, to provide all personal information collected by the business, free of charge. Given the breadth of the Act's definition of "personal information," many employers would be challenged to compile all information falling within the scope of a request. More specifically, the access request could encompass the following categories of personal information:

  • All identifiers related to the employee, including, for example, Social Security number, driver's license number, passport number, and contact information;17
  • Physical characteristics or description, insurance policy number, education, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information;18
  • "Biometric information," such as that collected through a biometric time clock;19
  • "Internet or other electronic network activity information, including, but not limited to, browsing history, search history, and information regarding a consumer's interaction with an Internet Web site, application, or advertisement," which would encompass a substantial amount of the information collected by many employers through standard workplace monitoring;20
  • "Geolocation data," which arguably could include information collected by employers through GPS units in company-owned vehicles as well as location information collected through applications downloaded by field employees to their company-issued mobile devices;21 and
  • "Professional or employment-related information," which effectively would include everything in an employee's personnel file.22

Fortunately for employers, there are several important limitations to this right. Most notably, it would apply only to entities falling within the Act's definition of "business," meaning businesses with annual gross revenue exceeding $25 million; that maintain information on more than 50,000 consumers, households or devices; or that derive more than half their annual revenue from the sale of personal information.23 In addition, the right of access covers only the 12 months preceding the verified request, limiting the burden of responding to requests by long-term employees.24 Finally, the Act provides that the rights afforded consumers "shall not adversely affect the rights and freedoms of other consumers."25 Consequently, an employer would not be required to provide an employee with access to information the disclosure of which could be detrimental to co-workers.

The right to information about collection and disclosure of personal information requires that a business, in response to a consumer's verified request, provide a report listing all types of personal information collected, the purposes for which the information will be used, the categories of sources for the collection, and any disclosure of that personal information. This right is subject to the same limitations as the right of access.26

In comparison to the access and information rights, the right to opt out of sales of information and the right to delete information should have minimal impact on employers. Employers rarely, if ever, sell employees' personal information to third parties other than in the course of a merger or acquisition. Yet the Act's definition of "sale" in connection with consumers' personal information expressly excludes such corporate transactions.27 Consequently, even if an employee were to exercise this right with respect to personal information in employment records, the opt-out would have no practical effect.

The right to deletion is subject to several exceptions that similarly minimize the right's impact as applied to personal information collected for employment purposes. First, the right does not apply to personal information the business must retain to comply with a legal obligation.28 Employment records typically include substantial amounts of personal information that employers are legally required to retain, such as payroll records subject to the Fair Labor Standards Act's three-year retention period and the obligation under IRS regulations to retain tax records for four years.29 The Act also excludes from the right to deletion any personal information that the employer needs: (a) "[t]o enable solely internal uses that are reasonably aligned with the expectations of the consumer based on the consumer's relationship with the business"; and (b) "[o]therwise [to] use . . . , internally, in a lawful manner that is compatible with the context in which the consumer provided the information."30 While the Act does not define "internal use" or "internally," those terms can reasonably be construed to encompass administration of the employment relationship.

Putting aside individual rights, employers should take particular note of the Act's provision related to data security breaches, which could have a significant impact on employers subject to the CCPA. The provision states that where a consumer's personal information is disclosed through unauthorized means, stolen, or otherwise hacked as the result of the business' failure to implement reasonable security procedures, the consumer has a civil cause of action against the business and can recover statutory damages, on a class basis, of between $100 and $750 per affected consumer per incident. However, before filing suit, the consumer must give the business written notice of the alleged violation and 30 days to cure.31 This provision creates a significant incentive for employers to review their information security practices and to address any deficiencies before the Act goes into effect.


While the California Consumer Privacy Act of 2018 provides broad privacy protections for consumers, the Act likely does not apply to personal information collected by employers for employment purposes. The California legislature may amend the Act before its January 1, 2020 effective date to clarify whether it applies to employers. Employers should watch out for such a development. If the legislature were to specify that the Act does apply to employers, the access and information rights would impose significant burdens, and the right to recover statutory damages in the event of a data breach resulting from a failure to implement reasonable information safeguards would expose employers to substantial litigation risk and monetary exposure. Consequently, any clarification that the Act applies to employees' personal information collected in the context of the employment relationship would be a call to action for employers falling within the scope of the Act.

This article was first published in the IAPP's Privacy Tracker blog.


1 Assembly Bill No. 375. The act is codified to amend the California Civil Code Title 1.81.5 (commencing with Section 1798.100).

2 A.B. 375, § 2(g).

3 Id. § 2(i).

4 Cal. Civ. Code § 1798.140(g).

5 Id. at § 1798.140(o)(1)(I).

6 A.B. 375 § 2(c).

7 Cal. Civ. Code § 1798.140(c).

8 See, e.g., 42 U.S.C. § 2000e(b) (defining "employer" for purposes of federal anti-discrimination law as an entity with 15 or more employees); Cal. Gov't Code. § 12926(d) (defining "employer" for purposes of California anti-discrimination law as an entity with 5 or more employees).

9 Cal. Civ. Code § 1798.135(a)(1), (a)(2).

10 See, e.g., Cal. Lab. Code § 247 (requiring that the employer "display a poster in a conspicuous place" regarding employer sick leave policies); Cal. Code Regs. tit. 2, § 11049 (requiring that if an employer maintains an employee handbook, "that employer shall include a description of reasonable accommodation, transfer, and pregnancy disability leave" policies, among other notice requirements).

11 Cal. Civ. Code § 1798.125(a)(1).

12 See Cal. Civ. Code § 1798.120(d).

13 Cal. Civ. Code § 1798.100(c).

14 Cal. Civ. Code §§ 1798.100(a), 1798.110(a), 1798.115(a).

15 Cal. Civ. Code § 1798.105.

16 Cal. Civ. Code § 1798.120.

17 Cal. Civ. Code § 1798.140(o)(1)(A).

18 Cal. Civ. Code § 1798.140(o)(1)(B).

19 Cal. Civ. Code § 1798.140(o)(1)(D).

20 Cal. Civ. Code § 1798.140(o)(1)(F).

21 Cal. Civ. Code § 1798.140(o)(1)(G).

22 Cal. Civ. Code § 1798.140(o)(1)(I).

23 Cal. Civ. Code § 1798.140(o)(1)(c).

24 Cal. Civ. Code § 1798.130(a)(2).

25 Cal. Civ. Code § 1798.145(j).

26 See Cal. Civ. Code § 1798.130(a)(3), (a)(4).

27 Cal. Civ. Code § 1798.140(t)(2)(D).

28 Cal. Civ. Code § 1798.105(d)(8).

29 29 C.F.R. § 516.5; U.S. Internal Revenue Service, Employment Tax Recordkeeping (last updated Mar. 21, 2018), https://www.irs.gov/businesses/small-businesses-self-employed/employment-tax-recordkeeping.

30 Cal. Civ. Code § 1798.105(d)(7), (9).

31 Cal. Civ. Code § 1798.150(a)(1).

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
