August 6, 2019

CCPA Security FAQs: Can employees bring a class action under the CCPA following a data breach?

BCLP

+ Follow Contact

Facebook

Send

Embed

More than likely.

“Consumers” can bring suit under the CCPA if they can prove the following five elements:

A business incurred a data breach;
The data breach involved a sensitive category of information identified in California Civil Code Section 1798.81.5;
The business had a legal duty to protect the personal information from breach;
The business failed to implement reasonable security procedures and practices; and
The business’s failure resulted in (i.e., caused) a data breach.

While the common definition of “consumer” suggests that it refers to an individual that has “consumed” a product or a service in relation to a company, the definition ascribed by the CCPA is far broader. The term is defined to include any “natural person who is a California resident.”¹ Read literally, the phrase includes not only an individual that consumes a product (e.g., a customer of a store), but also that store’s California-based employees, and California-based business contacts or prospective customers.

It is worth noting that various legislative amendments have been proposed which would modify the definition of “consumer” to exclude employees. As of the date of publication, the only remaining proposed amendment concerning the applicability of the CCPA to employees would functionally delay the application of the CCPA’s privacy provisions to employee data an additional 12 months (i.e., until January 1, 2021), but not exempt employees altogether.² Specifically, employees might still be able to bring suit following a data breach.

This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. CCPA, Section 1798.140(g).

2. See Assembly Bill 25.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

Written by:

BCLP

Contact + Follow

less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

Increased visibility
Actionable analytics
Ongoing guidance

Learn More

Published In:

California Consumer Privacy Act (CCPA)

+ Follow

Class Action

+ Follow

Consumer Privacy Rights

+ Follow

Data Breach

+ Follow

Private Right of Action

+ Follow

Proposed Amendments

+ Follow

Civil Procedure

+ Follow

General Business

+ Follow

Elections & Politics

+ Follow

Privacy

+ Follow

less

BCLP on:

CCPA Security FAQs: Can employees bring a class action under the CCPA following a data breach?

Related Posts

Written by:

PUBLISH YOUR CONTENT ON JD SUPRA NOW

Published In:

BCLP on:

"My best business intelligence, in one easy email…"