The Viral Effect of the CPRA’s Definition of a Business

17 November 2022 Innovative Technology Insights Blog
Author(s): Steven M. Millendorf

California’s Consumer Privacy Rights Act of 2020 (CPRA) purports to shield small and not-for-profit organizations from the scope of the act. Indeed, the CPRA’s definition of a “business” under California Civil Code 1798.140(d)(1) is:

(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:

(A) Has as of January of the calendar year, had annual gross revenues in excess of twenty-five million dollars ($25,000,000) in the preceding calendar year, as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185.

(B) Alone or in combination, annually buys, sells, or shares on the personal information of 100,000 or more consumers or households, or devices.

(C) Derives 50 percent or more of its annual revenues from selling or sharing consumers’ personal information.

But the CPRA also includes two more, often overlooked, provisions which may ensnare organizations that are not-for-profit or otherwise do not meet one or more of the above thresholds.

Potential Infection of Entities That Share the Same Branding

California Civic Code 1798.140(d)(2) states that a “business” is also:

Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business and with whom the business shares consumers’ personal information. “Control” or “controlled” means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, servicemark, or trademark that the average consumer would understand that two or more entities are commonly owned. (emphasis added)

Simply put, this section applies to entities and not businesses. This means organizations who are organized as not-for-profit or otherwise fall below the thresholds can be infected with the “business” designation (and subject to the full scope and obligations of the CPRA) if such an entity has a controlling interest in a for-profit organization that qualifies on its own as a “business,” shares the same branding as the business, and shares personal information with the business (even a miniscule amount, like employment information).

While this sounds like an odd relationship - with potential tax implications if not done carefully - it is not altogether unusual and there are various rationales for it. As an example, a not-for-profit may wish to provide a different type of compensation arrangement or benefits to employees of the for-profit subsidiaries. Another reason may be to provide a revenue stream for intellectual property developed by the non-profit while minimizing the risk of liability or potentially jeopardizing its tax-exempt and not-for-profit status. But while some of these benefits may be enduring regardless of the success of the for-profit entity, this relationship does not shield the non-profit from the obligations of the CPRA if the for-profit gets too big and meets one of the thresholds described above.

This also works in reverse – a for-profit entity that controls a not-for-profit with the same branding and shares information with the not-for-profit infects the not-for-profit with business designation and the full scope of the obligations under the CPRA. Take, for example, a large corporate entity that is deemed a business and has started a philanthropic subsidiary organized as a not-for-profit. Take for example, a hypothetical Fortune 100 Company creates the Fortune 100 Foundation. Fortune 100 Company is a “business” under the CPRA and, because it controls its not-for-profit philanthropic Fortune 100 Foundation and shares the same branding (and assuming they share personal information), the not-for-profit is infected with the “business” designation under the CPRA, despite it being a not-for-profit entity and clearly being excluded under the first part of the definition of a business.

These “controlled” and “controlling” prongs of of this definition can spread like a virus – once a not-for-profit is deemed a “business” under the CPRA because it controls a for-profit business with the same branding and shares personal information with that business, the other entities it controls with the same branding and that it shares personal information with, including not-for-profit entities, are also deemed a business because they are now controlled by a business.

This part of the definition of “business” can cause an entity to virally infect one entity after another in the corporate structure. And, while many not-for-profits may be subject to exclusions (such as HIPAA or GLBA exclusions) for some data, all such organizations infected by the business classification are likely to have employees and business-to-business relationships whose data would now be in scope under the CPRA now that the employee and business to business exceptions will expire. In short, no organizations that have been infected by the business classification are immune from the obligations of the CPRA.

Potential Impact on Joint Ventures

There is also another section of the definition of the CPRA that can also have a viral effect. California Civil Code 1798.140(d)(3) applies to joint ventures between businesses and state:

(3) A joint venture or partnership composed of businesses in which each business has at least a 40 percent interest. For purposes of this title, the joint venture or partnership and each business that composes the joint venture or partnership shall separately be considered a single business, except that personal information in the possession of each business and disclosed to the joint venture or partnership shall not be shared with the other business.

A joint venture or partnership, even a not-for-profit joint venture or partnership that otherwise does not meet the thresholds, is deemed a business if it is owned by two businesses that own at least 40% of the joint venture. It’s important that the ownership has to be by two businesses that otherwise meet the definition of a business in their own right – a joint venture or partnership formed by two entities owning between 40% and 50% (so the business is not subject to the controlled/controlling part of the definition) where at least one is not a business (including a non-profit), cannot infect the joint venture or partnership with the business designation, so long as the joint venture or partnership does not meet any other of the parts of the definition by itself. However, unlike the controlled or controlling prong described above, a for-profit joint venture or partnership cannot similarly infect the parent organizations. Even if the joint venture or partnership does meet one of the parts of the definition to be designated a business under the CPRA, the statute suggests that the joint venture or partnership can be infected by the forming businesses, but the forming businesses are not similarly infected by the joint venture or partnership.

Recommendations for Organizations

Ultimately, these three provisions must be looked at for each entity in a corporate tree. Once an entity is found to meet the definition of a business, each of the next nearest corporate entities must be analyzed under the remaining portions of the definition. The analysis must be repeated until there are no more corporate entities that may be deemed businesses.

Organizations, both for-profit and not-for-profit, that wish to avoid this viral effect of the business designation under the CPRA should avoid sharing the same branding with entities in the corporate tree that meet the threshold requirements of a business or take care to keep the business at arm’s length and avoid allowing the business to share personal information with the other entity. Similarly, businesses that form a joint venture should carefully consider each businesses percentage ownership of the joint venture or ensure that one of the entities that own more than 40% of the joint venture is not deemed a business under the CPRA.

For more information about complying with the CPRA and the viral effect of the business definition, or for information about compliance with the CPRA in general, please contact the author or any Partner or Senior Counsel in Foley’s Cybersecurity and Data Privacy team.

This blog is made available by Foley & Lardner LLP (“Foley” or “the Firm”) for informational purposes only. It is not meant to convey the Firm’s legal position on behalf of any client, nor is it intended to convey specific legal advice. Any opinions expressed in this article do not necessarily reflect the views of Foley & Lardner LLP, its partners, or its clients. Accordingly, do not act upon this information without seeking counsel from a licensed attorney. This blog is not intended to create, and receipt of it does not constitute, an attorney-client relationship. Communicating with Foley through this website by email, blog post, or otherwise, does not create an attorney-client relationship for any legal matter. Therefore, any communication or material you transmit to Foley through this blog, whether by email, blog post or any other manner, will not be treated as confidential or proprietary. The information on this blog is published “AS IS” and is not guaranteed to be complete, accurate, and or up-to-date. Foley makes no representations or warranties of any kind, express or implied, as to the operation or content of the site. Foley expressly disclaims all other guarantees, warranties, conditions and representations of any kind, either express or implied, whether arising under any statute, law, commercial use or otherwise, including implied warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall Foley or any of its partners, officers, employees, agents or affiliates be liable, directly or indirectly, under any theory of law (contract, tort, negligence or otherwise), to you or anyone else, for any claims, losses or damages, direct, indirect special, incidental, punitive or consequential, resulting from or occasioned by the creation, use of or reliance on this site (including information and other content) or any third party websites or the information, resources or material accessed through any such websites. In some jurisdictions, the contents of this blog may be considered Attorney Advertising. If applicable, please note that prior results do not guarantee a similar outcome. Photographs are for dramatization purposes only and may include models. Likenesses do not necessarily imply current client, partnership or employee status.