Are companies required under the CCPA to get employees’ consent before collecting their personal information?


The CCPA does not require that a company obtain the consent (or the “opt-in”) of a person before collecting or using their personal information.  The concept of consent only arises within the CCPA if a company intends to sell information.  In that context, consent applies in two situations when dealing with employees:

  1. Exemption from the definition of “sale.” The CCPA’s broad definition of “sale” could encompass a number of ordinary information transfers that consumers would hardly consider to be a “sale” as the term is generally understood.  The CCPA exempts from the definition of “sale” any transfer that takes place because the “consumer uses or directs the business” to “intentionally disclose personal information” to a third party.1  In other words, if an employee consents, or opts-in, to an information transfer it is not considered a “sale” under the CCPA.2
  2. Sale of information about minors.  The CCPA prohibits a business from knowingly selling the personal information of a consumer that is “less than 16 years of age” unless the consumer has “affirmatively authorized the sale” of personal information.3 In other words, opt-in consent is needed to sell the information of a minor-employee.  Interestingly, if a business obtained the affirmative consent to transfer personal information, as discussed in the previous paragraph the information transfer might not be a “sale” at all.
  3. Re-soliciting the ability to sell.  The CCPA states that if a person opts-out of the sale of information (E.g., click a “Do Not Sell My Personal Information” link) a business is not permitted to solicit their consent (or opt-in) to a future sale for “at least 12 months.”4 As a result, if a company sells the information of its employees, and provides employees a do not sell option, it is not permitted to ask those employees that opt-out for permission to sell for 12 months.

For more information and resources about the CCPA visit

This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes.  You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.

1. Cal. Civil Code § 1798.140(t)(2)(A).

2. Cal. Civil Code § 1798.140(t)(2)(A).

3. Cal. Civil Code § 1798.120(c).

4. Cal. Civil Code § 1798.135(a)(5).