For most organizations, the most important question they have about the California Consumer Privacy Act (CCPA) is: Does it apply to us? The data privacy law has had a wide-ranging effect, requiring businesses all over the world to be transparent about their personal data practices and respect the privacy rights of California residents. Its reach is not universal, however, and in most cases it only applies to for-profit businesses that meet certain criteria. This has led to a common misunderstanding that the data privacy law does not apply to nonprofit organizations, when in fact the CCPA can apply to nonprofits in some situations.
The CCPA imposes its obligations on “businesses,” and then defines that term. The primary definition of a business is a for-profit legal entity that collects consumers’ personal information, does business in California, and meets at least one of these threshold requirements:
Because this definition states that only a for-profit entity can be considered a business, nonprofit leaders may assume that they have no CCPA obligations. However, the CCPA also has a second definition for “business”: Any entity that controls or is controlled by a business (as defined above), and shares common branding with that business. Using the term “any entity” removes the for-profit requirement, opening the way not just for parent companies and subsidiaries, but for nonprofit organizations as well. Nonprofits must therefore consider the definition’s two main requirements: control and common branding.
The statute defines control as: having more than 50% ownership or voting power of a business. control over the election of a majority of directors, or the power to exercise a controlling influence over the management of a company. A nonprofit can meet the control requirement by either controlling or being controlled by a business. It is much more common for a nonprofit to be controlled by a for-profit business, but it is possible in some circumstances for a nonprofit to have a for-profit subsidiary.
Common branding is defined as a shared name, servicemark, or trademark. The California Privacy Rights Act (CPRA) clarified this definition by adding that the common branding would give the average consumer the understanding that the entities are commonly owned.
The CPRA also added a third element to this definition: the business must share consumers’ personal information with the other entity. Such information can be anything from IP addresses to geolocation data. If there is no data sharing between the two organizations, then the CCPA will not apply (once the CPRA goes into effect).
An example of a nonprofit that falls under this definition is the Walmart Foundation. The Walmart Foundation is 100% funded by Walmart Inc., and its board of directors is composed entirely of Walmart executives. This meets the control requirement. As far as common branding goes, the Walmart Foundation obviously shares a name with Walmart, uses the Walmart logo, and in general makes no secret of its affiliation with the corporation. The CCPA therefore applies to the Walmart Foundation. If Walmart also shares any personal information with the nonprofit, then the CCPA will apply to the both entities.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Get monthly updates on the latest updates on policy & the shifting privacy landscape.
Dive into a world of knowledge, trends, and industry updates on the TrueVault blog.
