It’s hard to understate the range of issues the California Consumer Privacy Act (the “CCPA”) raises for covered businesses and their service providers. One of those issues involves the meaning of “consumer.” If you have been following CCPA developments, you know that at least for the first 12 months the CCPA is effective, the new law will, to a limited extent, apply to personal information of certain employees, applicants, and contractors. See AB 25.

But what about a covered business’s shareholders? Shareholders may not buy goods and services from the business, and they may not be employees of the business. However, some covered businesses, whether public or private, have shareholders who are natural persons residing in California, and from whom the business collects personal information. For example, businesses might collect personal information from shareholders through their investor relations websites, or the information might be collected on their behalf by third parties. Businesses subject to the CCPA should be considering what steps they need to take with respect to their shareholders or similarly-situated “consumers.”

In general, the CCPA defines “consumer” to mean a natural person who is a California resident. See Cal Civ. Code Sec. 1798.140(g). That definition would seem to include shareholders of the business who are natural persons residing in California. However, there is a question of whether, in their role as shareholders, they would fit under the changes made by AB25.

In general, the changes made by AB25 apply to personal information collected by a business about a natural person in the course of such person acting as a job applicant to or an employee, owner, director, officer, medical staff member, or contractor of that business, and to the extent the person’s personal information is collected and used by the business solely within the context of the natural person’s role or former role as a job applicant to or an employee, owner, director, officer, medical staff member, or contractor of that business.

That is a mouthful, but if shareholders are “owners,” shouldn’t they be covered by AB 25? Not in all cases. For purposes of this section of the law, “owner” means a natural person who either:

  1. Has ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business.
  2. Has control in any manner over the election of a majority of the directors or of individuals exercising similar functions.
  3. Has the power to exercise a controlling influence over the management of a company.

Shareholders without the ownership, control, or power noted above would not be considered “owners” for purposes of the changes made by AB 25. Additionally, for those shareholders, it does not appear that the “B2B” exception added under AB 1355 would apply. The relevant language in AB 1355 provides:

Personal information reflecting a written or verbal communication or a transaction between the business and the consumer, where the consumer is a natural person who is acting as an employee, owner, director, officer, or contractor of a company, partnership, sole proprietorship, nonprofit, or government agency and whose communications or transaction with the business occur solely within the context of the business conducting due diligence regarding, or providing or receiving a product or service to or from such company, partnership, sole proprietorship, nonprofit or government agency

Shareholders likely would not be engaged in this kind of activity in their role as shareholders.

Last week, the public comment period for the proposed regulations issued in October by Attorney General Xavier Becerra closed, and final regulations are expected shortly. Absent clarification by the Attorney General on whether CCPA obligations reach shareholders of a business, covered businesses should be considering shareholders as part of their compliance efforts.