Does CCPA Apply to Nonprofits?

A Nonprofit Can Be a “Business”

The CCPA imposes its obligations on “businesses,” and then defines that term. The primary definition of a business is a for-profit legal entity that collects consumers’ personal information, does business in California, and meets at least one of these threshold requirements:

  • Has annual gross revenues in excess of $25 million
  • Buys, sells, shares or receives the personal information of at least 50,000 consumers, devices, or households
  • Derives 50% or more of its annual revenues from selling consumers personal information.

Because this definition states that only a for-profit entity can be considered a business, nonprofit leaders may assume that they have no CCPA obligations. However, the CCPA also has a second definition for “business”: Any entity that controls or is controlled by a business (as defined above), and shares common branding with that business. Using the term “any entity” removes the for-profit requirement, opening the way not just for parent companies and subsidiaries, but for nonprofit organizations as well. Nonprofits must therefore consider the definition’s two main requirements: control and common branding.

The statute defines control as: having more than 50% ownership or voting power of a business. control over the election of a majority of directors, or the power to exercise a controlling influence over the management of a company. A nonprofit can meet the control requirement by either controlling or being controlled by a business. It is much more common for a nonprofit to be controlled by a for-profit business, but it is possible in some circumstances for a nonprofit to have a for-profit subsidiary.

Common branding is defined as a shared name, servicemark, or trademark. The California Privacy Rights Act (CPRA), which goes into effect in January 2023, clarifies this definition by adding that the common branding would give the average consumer the understanding that the entities are commonly owned.

The CPRA also adds a third element to this definition: the business must share consumers’ personal information with the other entity. Such information can be anything from IP addresses to geolocation data. If there is no data sharing between the two organizations, then the CCPA will not apply (once the CPRA goes into effect).

An example of a nonprofit that falls under this definition is the Walmart Foundation. The Walmart Foundation is 100% funded by Walmart Inc., and its board of directors is composed entirely of Walmart executives. This meets the control requirement. As far as common branding goes, the Walmart Foundation obviously shares a name with Walmart, uses the Walmart logo, and in general makes no secret of its affiliation with the corporation. The CCPA therefore applies to the Walmart Foundation. If Walmart also shares any personal information with the nonprofit, then the CCPA will continue to apply after the CPRA goes into effect.

Does the CCPA Apply to Your Organization?

Whether your organization is a business or a nonprofit, becoming CCPA compliant can be a big task. The rules are complex, and handling compliance in-house may lead to costly mistakes. Hiring a law firm or consultant is expensive, easily costing tens of thousands of dollars, as well as taking potentially months to complete.

TrueVault Polaris is a software solution that automates the time-consuming work of CCPA compliance, combining the convenience of an in-house solution with the expertise of outside help. It provides a guided experience, taking your organization step by step all the way through full compliance and responding to consumers’ privacy requests. Contact our team today to learn more.

 

Schedule Call