California’s Consumer Privacy Rights Act of 2020 (CPRA) purports to shield small and not-for-profit organizations from the scope of the act. Indeed, the CPRA’s definition of a “business” under California Civil Code 1798.140(d)(1) is:
(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
(A) Has as of January of the calendar year, had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year, as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
(B) Alone or in combination, annually buys, sells, or shares on the personal information of 100,000 or more consumers or households, or devices.
(C) Derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.
But the CPRA also includes two more, often overlooked, provisions which may ensnare organizations that are not-for-profit or otherwise do not meet one or more of the above thresholds.
California Civil Code 1798.140(d)(2) states that a “business” is also:
Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business and with whom the business shares consumers’ personal information. “Control” or “controlled” means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, servicemark, or trademark that the average consumer would understand that two or more entities are commonly owned. (emphasis added)
Simply put, this section applies to entities and not businesses. This means organizations that are organized as not-for-profit or otherwise fall below the thresholds can be infected with the “business” designation (and subject to the full scope and obligations of the CPRA) if such an entity has a controlling interest in a for-profit organization that qualifies on its own as a “business,” shares the same branding as the business, and shares personal information with the business (even a minuscule amount, like employment information).
While this sounds like an odd relationship - with potential tax implications if not done carefully - it is not altogether unusual and there are various rationales for it. As an example, a not-for-profit may wish to provide a different type of compensation arrangement or benefits to employees of the for-profit subsidiaries. Another reason may be to provide a revenue stream for intellectual property developed by the non-profit while minimizing the risk of liability or potentially jeopardizing its tax-exempt and not-for-profit status. But while some of these benefits may be enduring regardless of the success of the for-profit entity, this relationship does not shield the non-profit from the obligations of the CPRA if the for-profit gets too big and meets one of the thresholds described above.
This also works in reverse – a for-profit entity that controls a not-for-profit with the same branding and shares information with the not-for-profit infects the not-for-profit with the business designation and the full scope of the obligations under the CPRA. Take, for example, a large corporate entity that is deemed a business and has started a philanthropic subsidiary organized as a not-for-profit: a hypothetical Fortune 100 Company creates the Fortune 100 Foundation. Fortune 100 Company is a “business” under the CPRA and, because it controls its not-for-profit philanthropic Fortune 100 Foundation and shares the same branding (and assuming they share personal information), the not-for-profit is infected with the “business” designation under the CPRA, despite it being a not-for-profit entity and clearly being excluded under the first part of the definition of a business.
These “controlled” and “controlling” prongs of this definition can spread like a virus – once a not-for-profit is deemed a “business” under the CPRA because it controls a for-profit business with the same branding and shares personal information with that business, the other entities it controls with the same branding and that it shares personal information with, including not-for-profit entities, are also deemed a business because they are now controlled by a business.
This part of the definition of “business” can cause an entity to virally infect one entity after another in the corporate structure. And, while many not-for-profits may be subject to exclusions (such as HIPAA or GLBA exclusions) for some data, all such organizations infected by the business classification are likely to have employees and business-to-business relationships whose data would be in scope under the CPRA now that the employee and business-to-business exceptions will expire. In short, no organizations that have been infected by the business classification are immune from the obligations of the CPRA.
Another section of the CPRA’s definition can also have a viral effect. California Civil Code 1798.140(d)(3) applies to joint ventures between businesses and states:
(3) A joint venture or partnership composed of businesses in which each business has at least a 40 percent interest. For purposes of this title, the joint venture or partnership and each business that composes the joint venture or partnership shall separately be considered a single business, except that personal information in the possession of each business and disclosed to the joint venture or partnership shall not be shared with the other business.
A joint venture or partnership, even a not-for-profit joint venture or partnership that otherwise does not meet the thresholds, is deemed a business if it is owned by two businesses that own at least 40% of the joint venture. Importantly, the ownership has to be by two businesses that otherwise meet the definition of a business in their own right – a joint venture or partnership formed by two entities owning between 40% and 50% (so the business is not subject to the controlled/controlling part of the definition) where at least one is not a business (including a non-profit), cannot infect the joint venture or partnership with the business designation, so long as the joint venture or partnership does not meet any other of the parts of the definition by itself. However, unlike the controlled or controlling prong described above, a for-profit joint venture or partnership cannot similarly infect the parent organizations. Even if the joint venture or partnership does meet one of the parts of the definition to be designated a business under the CPRA, the statute suggests that the joint venture or partnership can be infected by the forming businesses, but the forming businesses are not similarly infected by the joint venture or partnership.
Ultimately, these three provisions must be looked at for each entity in a corporate tree. Once an entity is found to meet the definition of a business, each of the next nearest corporate entities must be analyzed under the remaining portions of the definition. The analysis must be repeated until there are no more corporate entities that may be deemed businesses.
Organizations, both for-profit and not-for-profit, that wish to avoid this viral effect of the business designation under the CPRA should avoid sharing the same branding with entities in the corporate tree that meet the threshold requirements of a business, or take care to keep the business at arm’s length and avoid allowing the business to share personal information with the other entity. Similarly, businesses that form a joint venture should carefully consider each business’s percentage ownership of the joint venture or ensure that one of the entities that own more than 40% of the joint venture is not deemed a business under the CPRA.
For more information about complying with the CPRA and the viral effect of the business definition, or for information about compliance with the CPRA in general, please contact the author or any Partner or Senior Counsel in Foley’s Cybersecurity and Data Privacy team.