California’s Consumer Privacy Rights Act of 2020 (CPRA) purports to exclude small and non-profit organizations from the scope of the law. In fact, the CPRA definition of a “business” under California Civil Code 1798.140(d)(1) is:
(1) A sole proprietorship, partnership, limited liability company, corporation, partnership or other legal entity organized or operated for profit or the financial benefit of its shareholders or other owners, which collects the personal information of consumers, or on behalf of whom such information is collected and which alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, which operates in the State of California and which meets one or more of the following thresholds:
(A) As of January of the calendar year, had annual gross receipts exceeding twenty-five million dollars ($25,000,000) in the previous calendar year, as amended pursuant to paragraph (5) of subdivision (a) of Section 1798.185.
(B) Alone or in combination, annually buys, sells, or shares the personal information of 100,000 or more consumers, households, or devices.
(C) Derives 50% or more of its annual revenue from selling or sharing consumers’ personal information.
But the CPRA also includes two other, often overlooked provisions that can ensnare organizations that are not-for-profit or otherwise fail to meet one or more of the above thresholds.
Potentially infecting entities that share the same brand
California Civil Code 1798.140(d)(2) states that a “business” is also:
Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business and with which the business shares consumers’ personal information. “Control” or “controlled” means ownership of, or the power to vote, more than 50% of the outstanding shares of any class of voting stock of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, service mark, or trademark such that the average consumer would understand that two or more entities are under common ownership. (emphasis added)
Simply put, this section applies to entities, not businesses. This means that organizations organized as a non-profit or otherwise below the thresholds may be infected with the “business” designation (and subject to the full scope and obligations of the CPRA) if that entity has a controlling interest in a for-profit organization that itself qualifies as a “business,” shares the same branding as the business, and shares personal information with the business (even a tiny amount, such as employment information).
While this sounds like an odd relationship – with potential tax implications if not done carefully – it’s not entirely unusual and there are various reasons for it. For example, a non-profit organization may want to provide a different type of compensation arrangement or benefits to employees of for-profit subsidiaries. Another reason could be to provide a revenue stream for the intellectual property developed by the non-profit organization while minimizing the risk of liability or of jeopardizing its tax-exempt and non-profit status. But while some of these benefits may persist regardless of the success of the for-profit entity, this relationship does not protect the non-profit organization from CPRA obligations if the for-profit organization grows too large and meets one of the thresholds outlined above.
This also works in reverse: a for-profit entity that controls a non-profit organization with the same brand name and shares information with the non-profit organization infects the non-profit organization with the business designation and the full scope of obligations under the CPRA. Take, for example, a large corporate entity that is considered a business and has started a philanthropic branch organized as a non-profit organization: a hypothetical Fortune 100 company creates the Fortune 100 Foundation. The Fortune 100 company is a “business” within the meaning of the CPRA, and because it controls its non-profit Fortune 100 philanthropic foundation and shares the same branding (and assuming they share personal information), the non-profit organization is infected with the designation of “business” within the meaning of the CPRA, even though it is a non-profit organization and clearly excluded from the first part of the definition of business.
The “controlled” and “controlling” prongs of this definition can spread like a virus – once a non-profit organization is considered a “business” under the CPRA because it controls a for-profit business of the same brand and shares personal information with that business, the other entities it controls with the same brand and with which it shares personal information, including non-profit entities, are also considered businesses because they are now controlled by a business.
This part of the definition of “business” can cause one entity to virally infect one entity after another in the corporate structure. And, while many non-profit organizations may be subject to exclusions (such as HIPAA or GLBA exclusions) for some data, it is likely that all of these organizations infected with the business classification have employees and business relationships whose data would now fall within the scope of the CPRA now that the exemptions relating to employees and businesses will expire. In short, no organization that has been infected by the business classification is immune from the obligations of the CPRA.
Potential impact on joint ventures
There is another section of the CPRA definition that can also have a viral effect. California Civil Code 1798.140(d)(3) applies to joint ventures between businesses. It states:
(3) A joint venture or partnership composed of businesses in which each business has at least a 40% interest. For purposes of this title, the joint venture or partnership and each business that composes the joint venture or partnership shall separately be considered a single business, except that the personal information held by each business and disclosed to the joint venture or partnership shall not be shared with the other business.
A joint venture or partnership, even a non-profit joint venture or partnership that otherwise does not meet the thresholds, is considered a business if it is owned by two businesses that each own at least 40% of the joint venture. It is important that the ownership is between two businesses that otherwise each meet the definition of a business on their own: a joint venture or partnership formed by two entities that each own between 40% and 50% (so that the joint venture is not subject to the controlled or controlling part of the definition), where at least one is not a business (including a non-profit organization), cannot be infected with the business designation, provided the joint venture or partnership does not meet any other part of the definition itself. However, unlike the controlled or controlling prong described above, a for-profit joint venture or partnership cannot similarly infect parent organizations. Even if the joint venture or partnership meets either part of the definition to be designated as a business under the CPRA, the statute suggests that the joint venture or partnership may be infected by the businesses forming it, but the forming businesses are not similarly infected by the joint venture or partnership.
Recommendations for organizations
Ultimately, these three provisions must be examined for each entity in a corporate tree. Once an entity has been found to meet the definition of a business, each of the next closest corporate entities must be analyzed under the remaining parts of the definition. The analysis must be repeated until there are no more corporate entities that can be considered businesses.
Organizations, both for-profit and non-profit, that wish to avoid this viral effect of the business designation under the CPRA should avoid sharing the same branding with entities in the corporate tree that meet the threshold requirements of a business, or take care to keep the business at arm’s length and avoid allowing the business to share personal information with the other entity. Similarly, businesses forming a joint venture should carefully consider each party’s percentage ownership of the joint venture or ensure that one of the entities owning more than 40% of the joint venture is not considered a business under the CPRA.