BCLPatWork.com

Employer CCPA FAQs #7: If an employer is based in California, will the CCPA requirements apply to all employee data held by the employer?

May 08, 2019

As our series of FAQs regarding the California Consumer Privacy Act (“CCPA”) continues, we are examining the scope of the law’s jurisdiction. These FAQs should help employers determine whether they are required to comply with the CCPA and, if so, what steps their HR professionals and IT departments should take to be in compliance.

As a reminder, the CCPA is a new privacy law that applies to data collected about California-based employees. The CCPA will go into effect in early 2020, and employers who must comply should be addressing compliance obligations now.

For US employers who have not had to comply with the GDPR, the requirements of the CCPA will likely require a new analysis of the treatment of employee data and implementation of updated or new data policies. For employers with European operations, one key area of interest is the degree to which the CCPA aligns with the European General Data Protection Regulation (“GDPR”). Employers in compliance with the GDPR will likely already be familiar with many of the requirements of the CCPA and, with some assistance, should be able to bring their operations and policies into compliance with respect to California-based employees.

BCLP offers a complete compliance program for employers that includes a formal gap assessment and tailored policies, procedures, and protocols to close identified gaps. Bryan Cave Leighton Paisner LLP has a team of knowledgeable lawyers and other professionals prepared to help employers address their obligations under the California Consumer Privacy Act. If you or your organization would like more information on this or any other employment issue, please contact an attorney in the Employment and Labor practice group.


Question #7: If an employer is based in California, will the CCPA requirements apply to all employee data held by the employer?

Probably not.

Assuming that the CCPA applies to the employer, it will only impact data that the company holds about “consumers.” “Consumer” is defined by the CCPA as a “natural person who is a California resident,” which will include California-based employees.[1] As a result, if a California-based employer processes “personal information” about a resident of another state – or a resident of another country – that information should not be subject to the CCPA. In other words, for multi-state employers, the CCPA will not apply to employees residing outside of California.

Example: Assume Company A (with revenue over $25 million) is based in Palo Alto and has both European and American employees. The CCPA should only apply to the information collected about Californians and should not apply to the information collected from residents in other states or in Europe.[2]

As a practical matter, this means that an employer that must comply with the CCPA, but has national or global operations, will need a set of privacy notices, employee procedures, and vendor agreement provisions that are tailored for its California-resident employees.


[1] CCPA, Section 1798.140(g).

[2] EDPB, Guidelines 3/2018 on the territorial scope of the GDPR (Article 3) – Version for public consultation (16 Nov. 2018) at 8.

This material is not comprehensive, is for informational purposes only, and is not legal advice. Your use or receipt of this material does not create an attorney-client relationship between us. If you require legal advice, you should consult an attorney regarding your particular circumstances. The choice of a lawyer is an important decision and should not be based solely upon advertisements. This material may be “Attorney Advertising” under the ethics and professional rules of certain jurisdictions. For advertising purposes, St. Louis, Missouri, is designated BCLP’s principal office and Kathrine Dixon (kathrine.dixon@bclplaw.com) as the responsible attorney.