The California Consumer Privacy Act (“CCPA”) is going into effect on January 1, 2020. Among the many open legal questions is whether data can be shared with an affiliated business without the need for disclosure/consent and without violating the CCPA. In brief, the answer is likely “no.” Most likely, sharing with and/or disclosing personal data to an affiliated business must comply with the CCPA. The definition of what is a single unitary business is very narrow under the CCPA. As discussed below, the CCPA is complicated. It is essential for every business trying to comply with the CCPA to retain an experienced San Diego corporate attorney to help draft appropriate and compliant company policies and procedures. Changes to your website are also mandated.
In general, the CCPA prohibits businesses from “selling” personal data/information without proper disclosure to and without proper consent from their customers. Under the statute, the definition of “selling” is very broad. “Selling” is defined in the standard way, that is, providing the data in exchange for monetary or other compensation. However, the CCPA also defines “selling” as “disclosing” or “making available” if there is some value received. The “value received” can be anything that benefits the business providing the data. Thus, if your business shares data, your business will likely need to fully comply with the CCPA.
This raises the question of whether the CCPA provides an exemption if your business shares or discloses personal data with an affiliated business that is part of your corporate group. As noted above, the answer is likely “no.” Very likely, sharing and disclosing data among affiliated businesses must be disclosed and consent must be obtained. The CCPA defines a “business” as a for-profit entity. Further, a common business is defined as any entity that “controls or is controlled by a business” and “… that shares common branding with the business.” “Common branding” is defined to mean having a “shared name, service mark, or trademark.” See CCPA, Cal. Civ. Code, §1798.140(C)(2). Both parts of the statutory definition must be met to exempt data sharing/disclosure among affiliated businesses. The definition of “control” is ownership or the power to vote at least 50% of the outstanding shares of the other company or control over the election of a majority of the directors, or of individuals exercising similar functions.
Note that, because both parts of the definition must be met, a franchise relationship will likely not allow sharing of personal data without compliance with the CCPA. A franchise relationship involves common branding, but does not involve control. A franchisee is operated and controlled independently of the franchisor. Likewise, if there is no common branding between businesses, the fact that one business fully controls another will not allow data sharing/disclosure without compliance with the CCPA. Note that the CCPA does not use language suggesting similar branding — the entities must share a name, service mark, or trademark.
Call San Diego Corporate Law Today
For more information, call corporate attorney Michael Leonard, Esq. of San Diego Corporate Law. Mr. Leonard has been named as “Best of the Bar” by the San Diego Business Journal for the last four years. Mr. Leonard has extensive experience in drafting company policies and procedures and all other contracts and agreements necessary for running your business. Mr. Leonard can be reached at (858) 483-9200 or via email.