CCPA Security FAQs: Can employees bring a class action under the CCPA following a data breach?

More than likely.

“Consumers” can bring suit under the CCPA if they can prove the following five elements:

  1. A business incurred a data breach;
  2. The data breach involved a sensitive category of information identified in California Civil Code Section 1798.81.5;
  3. The business had a legal duty to protect the personal information from breach;
  4. The business failed to implement reasonable security procedures and practices; and
  5. The business’s failure resulted in (i.e., caused) a data breach.

While the common definition of “consumer” suggests that it refers to an individual that has “consumed” a product or a service in relation to a company, the definition ascribed by the CCPA is far broader.  The term is defined to include any “natural person who is a California resident.”1  Read literally, the phrase includes not only an individual that consumes a product (e.g., a customer of a store), but also that store’s California-based employees, and California-based business contacts or prospective customers.

It is worth noting that various legislative amendments have been proposed which would modify the definition of “consumer” to exclude employees.  As of the date of publication, the only remaining proposed amendment concerning the applicability of the CCPA to employees would functionally delay the application of the CCPA’s privacy provisions to employee data an additional 12 months (i.e., until January 1, 2021), but not exempt employees altogether.2  Specifically, employees might still be able to bring suit following a data breach.

1. CCPA, Section 1798.140(g).

2. See Assembly Bill 25.