Under CCPA (Cal. Civ. Code Sec. 1798.140(c)(1)&(2)), a ‘business’ can either qualify ‘directly’ (if it is a controller that meets certain requirements) or ‘indirectly’ (if it controls or is controlled by a business that qualifies ‘directly’ and operates under the ‘common branding’).
(1) To qualify ‘directly’, an entity must be a for-profit controller established (‘do business’) in California that collects data from California residents and meets one of three thresholds (annual sales = $25M or more / number of records bought/sold or shared for ‘commercial purposes’ = 50k or more / percentage of annual revenue from sales = 50% or more).
To qualify ‘indirectly’, an entity must be a parent or a subsidiary company of an entity that qualifies as per (1) above and share common branding with such entity. A ‘business’ that qualifies ‘indirectly’ need not be established in California (i.e. ‘do business’ in the State), operate for profit, or be a controller.
The California Consumer Privacy Act (CCPA) imposes obligations mainly on ‘businesses’, including the obligation to provide access to the data held and allow ‘consumers’ to opt out of data sales. An entity can ‘directly’ or ‘indirectly’ qualify as a business under CCPA (see Section 1798.140(c) of the California Civil Code):
- An entity ‘directly’ qualifies as a ‘business’ where such entity meets the requirements under Cal. Civ. Code Sec. 1798.140(c)(1)
- An entity ‘indirectly’ qualifies as a ‘business’ where such entity is related to an entity that directly qualifies in the manner described under Cal. Civ. Code Sec. 1798.140(c)(2)
Qualifying ‘directly’ as a business
Under Cal. Civ. Code Sec. 1798.140(c)(1)
(c) “Business” means:
(1) A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners, that collects consumers’ personal information, or on the behalf of which such information is collected and that alone, or jointly with others, determines the purposes and means of the processing of consumers’ personal information, that does business in the State of California, and that satisfies one or more of the following thresholds:
(A) Has annual gross revenues in excess of twenty-five million dollars ($25,000,000), as adjusted pursuant to paragraph (5) of subdivision (a) of Section 1798.185
(B) Alone or in combination, annually buys, receives for the business’ commercial purposes, sells, or shares for commercial purposes, alone or in combination, the personal information of 50,000 or more consumers, households, or devices.
(C) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.
In order to qualify directly as a business, an entity has to meet all of the following requirements:
- Be a for profit entity in the private sector
- Collect (directly or through an entity ‘acting on its behalf’) data of ‘consumers’
- Act as a controller (i.e. ‘determines the purposes and means of processing’);
- Be established (‘do business’) in California;
- Satisfy at least one of three thresholds (annual gross revenue threshold; number of records sold/bought threshold; or percentage of annual revenues threshold)
Be a for profit entity in the private sector
Only a sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity organized or operated for the profit or financial benefit of its shareholders or other owners can qualify ‘directly’ as a business. Therefore, not-for-profit entities cannot directly qualify as a business, although they can qualify indirectly (see “Qualifying ‘indirectly’ as a business” below). Federal, State and local governments, political parties, administrative agencies and administrative bodies are always precluded from qualifying as a business, as they cannot qualify directly (they are not for-profit entities) or indirectly (they cannot own or be owned by for-profit entities).
Collect data subject to CCPA
In order to qualify as a ‘business’ directly, an entity must collect information subject to CCPA directly or through an entity acting on its behalf.
Collection under CCPA is a wide concept defined to mean “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. This includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.” (See Cal Civ. Code 1798.140 (e)).
It is important to note that the mere accessing of the information constitutes collection as ‘accessing’ is considered ‘collection’ under Cal Civ. Code Sec. 1798.140 (e).
Act as a controller
In order to qualify as a business directly, an entity must “alone, or jointly with others, determines the purposes and means of the processing” of consumers’ personal information. This is the classic definition of ‘controller’ under data protection law.
You can read an article explaining the concept of ‘controller’ and providing examples here.
The reference to ‘alone, or jointly with others’ seems to open the door to the possibility of ‘joint controllers’ under CCPA.
Be established (i.e. ‘do business’) in California
In order for an entity or sole proprietor to qualify ‘directly’ as a business, such entity or individual must ‘do business’ in California.
For a discussion of what ‘doing business’ in California means, go here.
Satisfy one of three thresholds
First threshold: Annual gross revenue
Under Cal. Civ. Code Sec. 1798.140 (c) (1) (A) an entity must have $25M in gross revenue to meet the ‘gross revenue’ threshold. Presumably, the revenue to consider is the revenue from the preceding tax year counting back from January 2020 (when the law goes into effect).
The California Attorney General is authorized by CCPA to increase the $25M threshold every odd-numbered year to reflect any increase in the Consumer Price Index (see Cal. Civ. Code Sec. 1798.185(a)(5)).
To ascertain whether a specific entity that does not currently meet this threshold will qualify as a ‘business’ in the future, it will be necessary to approximate the amount of future gross revenue based on the gross revenue figures available.
There are two open questions: whether the $25M threshold should operate at the group level and whether revenue not derived from California should count. A reasonable interpretation based on a plain reading of Cal. Civ. Code §1798.140(c)(1)(A) is that the threshold operates at the level of the individual business (since the section reads ‘A sole proprietorship, partnership, limited liability company, corporation, association, or other legal entity […] that […] has annual gross revenues in excess of […]’) and does not exclude revenue derived from non-California business (as there is no indication in the text of the law that any amount should be excluded from the ‘annual gross revenue’).
Second threshold: Number of records sold/bought
Under Cal. Civ. Code Sec. 1798.140(c)(1)(B) an entity must “alone or in combination” sell/buy or share/receive for “commercial purposes” more than 50,000 records of “consumers, households, or devices” a year to meet the ‘number of records sold/bought’ threshold.
Although CCPA does not explicitly require that the household be physically located in California or that the device be owned by a California resident, it would be logical to expect such a requirement to be read into the statute, given that CCPA was enacted to give effect to the California Constitution’s right to privacy (see introduction to CCPA, paragraph one) and that right is bestowed on California residents.
- Given the reference to “alone or in combination”, a logical interpretation would be that this threshold is to be measured not at the level of the individual ‘business’ but at the level of the corporate group. For example, if any entity in a corporate group operates as a data broker, its data transfers will likely be considered sales and all entities in its group will be at high risk of meeting this threshold.
- For an explanation of what ‘sale’ means under CCPA, including examples, go here.
- For an explanation of what ‘commercial purposes’ under CCPA means go here.
- For an explanation of what ‘consumers’ means under CCPA go here.
- ‘Household’ is not defined in CCPA.
- ‘Device’ is defined to mean ‘any physical object that is capable of connecting to the Internet, directly or indirectly, or to another device” (Cal Civ. Code Sec. 1798.140(j))
Third threshold: Percentage of annual revenue
Under Cal. Civ. Code Sec. 1798.140(c)(1)(C) an entity must derive 50% of its income from “sales” of records of ‘consumers’ (i.e. California residents) to meet the percentage of annual revenue threshold.
- Because there is no reference to “alone or in combination” under this section, it is reasonable to conclude this threshold should be analyzed at the individual entity level.
- For an explanation of what ‘sale’ means under CCPA, including examples, go here.
Paradoxically, data brokers operating in multiple States are at a lower risk of reaching this threshold than smaller California-focused brokers.
Qualifying ‘indirectly’ as a business
Parents and subsidiaries of entities that qualify ‘directly’ as a business automatically qualify as a business themselves under CCPA if they share common branding with the entity in their corporate group that qualifies ‘directly’ under Cal. Civ. Code Sec. 1798.140(c)(1).
Under Cal. Civ. Code Sec. 1798.140(c)(2)
(c) “Business” means:
(2) Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business. “Control” or “controlled” means ownership of, or the power to vote, more than 50 percent of the outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company. “Common branding” means a shared name, servicemark, or trademark.
In order to qualify indirectly as a business, an entity has to meet all of the following requirements:
- Be a parent company or a subsidiary of an entity that directly qualifies as a business
- Share common branding with that entity
“Control” or “controlled” means ownership of, or the power to vote, more than 50 percent of outstanding shares of any class of voting security of a business; control in any manner over the election of a majority of the directors, or of individuals exercising similar functions; or the power to exercise a controlling influence over the management of a company.
“Common branding” means a shared name, servicemark, or trademark.
Since many technology giants are based in California and will likely qualify ‘directly’ as a business based on the thresholds described above, all of their subsidiaries operating worldwide will become subject to CCPA under this rule, regardless of whether they operate in California or whether they are controllers themselves. It is unclear what obligations subsidiaries acting as processors but qualifying as ‘business’ would be subject to under CCPA.
Google, LLC is based in California. Under the ‘indirect’ rule of CCPA, all of Google’s subsidiaries operating under the same brand qualify as ‘business’. This would include, for example, subsidiaries of Google, Inc operating the Google cloud even though they are data processors. Does this mean that they are required under CCPA as ‘business’ to provide access to data or respond to requests from data subjects for data erasure regarding the data of the companies Google provides cloud services for?
Given that entities that qualify ‘indirectly’ as a business may not be data controllers, how would they fulfill their obligations to provide access to data/erase/provide notifications/allow for ‘opt-out’ of sales? Possible answer: The California AG may take the position that processors that qualify as ‘business’ are only subject to a limited set of obligations (those that align with their function as processors).
Can it be argued that all transfers of data within a corporate group of ‘business’ operating under the same brand cannot be considered ‘sales’? Section (1) (describing the thresholds to directly qualify as a business) and section (2) (describing the process to qualify indirectly) of Cal. Civ. Code Sec. 1798.140(d) are not joined together by a conjunction (‘and’/‘or’), which leaves this question open to interpretation.
One option is to take the position that both the businesses that qualify directly under (1) and those that qualify under (2) are, as a group, a ‘business’ under CCPA. The language in section (c) stating ‘“Business” means’ seems to point in this direction. In effect, under this interpretation we would be assuming that a conjunction “AND” exists between section (1) and section (2). If that were the case, internal data transfers would not be subject to the ‘right to opt-out’ even where the data is repurposed and monetized within the company group. That would arguably benefit large corporate conglomerates with numerous subsidiaries operating under the same brand, to the disadvantage of smaller businesses. It would also mean that every section where CCPA mentions ‘business’ should be read as ‘business group operating under the same brand’, which means that, for example, the right of access or erasure would always be exercised against the group as a whole as opposed to a particular controller in the group.
Another option would be to consider that entities that qualify directly and indirectly are each a ‘business’. The language at the start of section (2)(C) points in this direction (it reads “Any entity that controls or is controlled by a business, as defined in paragraph (1), and that shares common branding with the business”). In effect, under this interpretation we would be assuming that a conjunction “OR” exists between section (1) and section (2). If that were the case, internal data transfers would be subject to the ‘right to opt-out’, and intra-group contractual arrangements addressing transfers should be put in place to ensure that those transfers that do not qualify as ‘sales’ can benefit from the exemption from liability in Cal. Civ. Code Sec. 1798.145 (h). On the other hand, the right of access or erasure would be exercisable against the individual business and not the group as a whole.