The California Consumer Privacy Rights Act of 2020 (CPRA) seeks to protect small and nonprofit organizations from the scope of the law. In fact, the CPRA’s definition of a “company” under California Civil Code 1798.140(d)(1) is:
(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity organized or carried on for the profit or financial benefit of its shareholders or other owners, which collects personal information from consumers, or on whose behalf such information is collected and which alone or jointly with others determines the purposes and means of processing personal information of consumers doing business in the State of California and meets one or more of the following thresholds:
(A) Has had since January of the calendar year annual gross revenues of over twenty-five million dollars ($25,000,000) in the previous calendar yearadjusted in accordance with paragraph (5) subsection (a) of Section 1798.185.
(B) Alone or in combination, buys annually, sells or shares the personal information of 100,000 or more consumers or households or appliances.
(C) 50 percent or more of its annual income from sales or share personal data of consumers.
However, the CPRA also contains two other often-overlooked provisions that can tempt organizations that are not-for-profit or otherwise fail to meet one or more of the above thresholds.
Potential infection of entities with the same branding
California Civic Code 1798.140(d)(2) states that a “company” also includes:
Any Unit that controls or is controlled by an entity referred to in paragraph (1) and that shares a common trademark with the entity and with which the entity shares consumer personal information. “Control” or “controls” means ownership or voting rights of more than 50 percent of the outstanding shares of any class of voting securities of a company; control in any way over the election of a majority of directors or persons performing similar functions; or the power to exercise a controlling influence over the management of a company. “Co-branding” means a common name, service mark, or trademark that the average consumer would understand as being commonly owned by two or more companies. (Added emphasis)
Simply put, this section applies to entities and not companies. This means that organizations organized as not-for-profit or otherwise falling under the thresholds may be infected with the designation “corporate” (and be subject to the full scope and obligations of the CPRA) if such entity has a controlling interest in a an for-profit organization that qualifies as a “company” on its own, has the same branding as the company, and shares personal information with the company (even a minute amount, such as employment information).
While this sounds like an odd relationship – with potential tax implications if not done carefully – it is not uncommon and there are a number of reasons why. For example, a nonprofit organization may want to offer a different type of compensation scheme or benefit to employees of its for-profit subsidiaries. Another reason may be to provide a revenue stream for intellectual property developed by the nonprofit while minimizing the risk of liability or potentially jeopardizing their tax-exempt and nonprofit status. But while some of these benefits may be permanent regardless of the success of the for-profit organization, this relationship does not protect the non-profit organization from the obligations of the CPRA if the for-profit organization grows too large and meets one of the thresholds described above.
This also works the other way around – a for-profit corporation that controls a nonprofit with the same branding and shares information with the nonprofit infects the nonprofit with the business name and full scope of obligations under the CPRA. Take, for example, a large corporation that qualifies as a corporation and has formed a philanthropic subsidiary that is organized as a non-profit. For example, suppose a hypothetical Fortune 100 company creates the Fortune 100 Foundation. The Fortune 100 company is a “company” for the purposes of the CPRA, and because it controls its nonprofit philanthropic Fortune 100 Foundation and uses the same branding (and assuming they share personal information), the nonprofit organization is associated with dem infects the term “company” in the CPRA, even though it is a non-profit entity and is clearly excluded in the first part of the definition of a company.
These “controlled” and “dominant” aspects of this definition can spread like a virus — once a nonprofit organization is considered a “corporation” under the CPRA because it controls a for-profit corporation with the same branding and shares personal information with that corporation that other companies it controls with the same brand and with which it shares personal data, including non-profit organizations, are also considered companies because they are now controlled by a company.
This part of the definition of ‘business’ can result in one entity virally infecting one entity at a time in the corporate structure. And while many nonprofits may be subject to exclusions (like HIPAA or GLBA exclusions) for some data, all of those organizations infected by business classification likely have employees and business-to-business relationships whose data would apply now fall within the scope of the CPRA as the worker and company exemptions are phased out. In short, no organization infected by business classification is immune to the obligations of the CPRA.
Potential Impact on Joint Ventures
There is also another section of the CPRA’s definition that can also have a viral effect. California Civil Code 1798.140(d)(3) applies to joint ventures between corporations and states:
(3) A joint venture or partnership composed of companies in which each company has a 40 percent or greater interest. For purposes of this title, the joint venture or partnership and each entity that makes up the joint venture or partnership are considered separately as a single entity, except that Personal Data is owned by each entity and not to the joint venture or the partnership may be shared with the other company.
A joint venture or partnership, including a not-for-profit joint venture or partnership, that otherwise does not meet the thresholds is considered a corporation if it is owned by two corporations that own at least 40% of the joint venture. Importantly, the ownership must be between two companies that otherwise meet the definition of a separate company – a joint venture or partnership formed by two companies that own between 40% and 50% (i.e. the company is not subject the controlled/controlling portion of the definition) where at least one is not a corporation (including a not-for-profit organization) cannot infect the joint venture or partnership with the corporation designation unless the joint venture or partnership is the same as another of the two parts of the definition for themselves. However, unlike the controlled or controlling prong described above, a for-profit joint venture or partnership cannot similarly infect the parent organizations. Even if the joint venture or partnership meets one of the parts of the definition to be called an entity under the CPRA, the law suggests that the joint venture or partnership can be infected by the forming entities that are However, forming companies are not similarly infected by the joint venture or partnership.
Recommendations for organizations
Ultimately, these three determinations must be considered for each entity in a corporate tree. Once an entity is determined to meet the definition of an enterprise, each of the closest corporate bodies must be analyzed according to the remaining parts of the definition. The analysis must be repeated until there are no more legal entities that can be considered as a company.
Organizations, both for-profit and not-for-profit, that wish to avoid this corporate branding viral effect under the CPRA should avoid sharing the same branding with entities in the corporate tree that meet a company’s threshold requirements, or take care to distance the company and to avoid that the company shares personal data with the other entity. Similarly, companies forming a joint venture should carefully consider each company’s percentage interest in the joint venture or ensure that any company that owns more than 40% of the joint venture does not qualify as a company for purposes of the CPRA.
For more information on CPRA compliance and the viral impact of the business definition, or for information on CPRA compliance in general, please contact the author or a Partner or Senior Counsel at Foley’s .