For most organizations, the most important question they have about the California Consumer Privacy Act (CCPA) is: Does it apply to us? The data privacy law has had a wide-ranging effect, requiring businesses all over the world to be transparent about their personal data practices and respect the privacy rights of California residents. Its reach is not universal, however, and in most cases it only applies to for-profit businesses that meet certain criteria. This has led to a common misunderstanding that the data privacy law does not apply to nonprofit organizations, when in fact the CCPA can apply to nonprofits in some situations.
The CCPA imposes its obligations on “businesses,” and then defines that term. The primary definition of a business is a for-profit legal entity that collects consumers’ personal information, does business in California, and meets at least one of these threshold requirements:
Because this definition states that only a for-profit entity can be considered a business, nonprofit leaders may assume that they have no CCPA obligations. However, the CCPA also has a second definition for “business”: Any entity that controls or is controlled by a business (as defined above), and shares common branding with that business. Using the term “any entity” removes the for-profit requirement, opening the way not just for parent companies and subsidiaries, but for nonprofit organizations as well. Nonprofits must therefore consider the definition’s two main requirements: control and common branding.
The statute defines control as: having more than 50% ownership or voting power of a business. control over the election of a majority of directors, or the power to exercise a controlling influence over the management of a company. A nonprofit can meet the control requirement by either controlling or being controlled by a business. It is much more common for a nonprofit to be controlled by a for-profit business, but it is possible in some circumstances for a nonprofit to have a for-profit subsidiary.
Common branding is defined as a shared name, servicemark, or trademark. The California Privacy Rights Act (CPRA), which goes into effect in January 2023, clarifies this definition by adding that the common branding would give the average consumer the understanding that the entities are commonly owned.
The CPRA also adds a third element to this definition: the business must share consumers’ personal information with the other entity. Such information can be anything from IP addresses to geolocation data. If there is no data sharing between the two organizations, then the CCPA will not apply (once the CPRA goes into effect).
An example of a nonprofit that falls under this definition is the Walmart Foundation. The Walmart Foundation is 100% funded by Walmart Inc., and its board of directors is composed entirely of Walmart executives. This meets the control requirement. As far as common branding goes, the Walmart Foundation obviously shares a name with Walmart, uses the Walmart logo, and in general makes no secret of its affiliation with the corporation. The CCPA therefore applies to the Walmart Foundation. If Walmart also shares any personal information with the nonprofit, then the CCPA will continue to apply after the CPRA goes into effect.
Whether your organization is a business or a nonprofit, becoming CCPA compliant can be a big task. The rules are complex, and handling compliance in-house may lead to costly mistakes. Hiring a law firm or consultant is expensive, easily costing tens of thousands of dollars, as well as taking potentially months to complete.
TrueVault Polaris is a software solution that automates the time-consuming work of CCPA compliance, combining the convenience of an in-house solution with the expertise of outside help. It provides a guided experience, taking your organization step by step all the way through full compliance and responding to consumers’ privacy requests. Contact our team today to learn more.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.