The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted, and plaintiff’s friendly ballot initiative.  Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).

To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA. 

Q. What is a “consumer?”

The data privacy and security laws in the United States use different terms to describe the individuals about whose information the laws apply.  These include terms such as “covered person,”¹ “individual,”² and “customer.”³  The term used in a particular statute is less important than is its definition.  For example, two statutes may use the term “individual,” but one may define it as referring to all natural persons whereas another may define it as only referring to natural persons that are resident within the state.  As another example, one statute may use the term “covered person” while another uses the term “individual” and yet they define the terms in an identical manner.

The CCPA uses the term “consumer” to refer to the individuals whose information is governed by the statute.  While the common definition of “consumer” suggests that it refers to an individual that has “consumed” a product or a service in relation to a company, the definition ascribed by the GDPR is far broader.  The term is defined to include any “natural person who is a California resident.”⁴  Read literally, the phrase might include not only an individual that consumes a product (e.g., a customer of a store), but that store’s California based employees, and California-based business contacts or prospective customers.

In contrast to the diverse terminology utilized within United States statutes, the GDPR, and many EU Member State implementing statutes, consistently uses the term “data subject” which is defined broadly as any “identified or identifiable natural person.”⁵  Unlike the CCPA, the term “data subject” contains no residency qualifier.

1. See, e.g., Alaska Data Breach Notification Statute, Alaska Section 45.48.090(2).

2. See, e.g., Arizona Data Breach Notification Statute, Arizona Section 44-7501(L)(4).

3. See, e.g., Arkansas Data Breach Notification Statute, Arkansas Section 44-110-103(3); California Data Breach Notification Statute, Cal. Civil Code 1798.80(c).

4. CCPA, Section 1798.140(g).

5. GDPR, Article 4(1).