July 12, 2019
The California Consumer Privacy Act (CCPA) regulates how companies collect, store, and process California consumers’ Personal Information and also grants new rights of access to and control of their Personal Information to California consumers. Because the CCPA is written broadly, it applies not only to entities operating in California but to many entities outside of California. For organizations with parent-subsidiary-sibling relationships, determining whether each organization is subject to the CCPA add a layer of complexity to CCPA compliance.
To begin, you must determine whether any of your entities are directly subject to the CCPA. You should answer these questions for each of your entities:
First, does the entity handle personal information from California residents? Keep in mind: the definition of personal information is very broad. Personal information includes any data that has to do with a specific person, including names, addresses, height, weight, preferences, etc.
If the answer is no, this entity likely does not need to comply with the CCPA based on its direct activity. The new law only applies to companies that do business in California, or otherwise handle personal information from California residents.
If the answer is yes, however, you need to answer the next question.
Second, do any of the following apply to the entity: (1) it makes over $25 million in revenue per year, (2) it handles personal data for 50,000 people, devices, or households from California per year, or (3) it makes at least half of its revenue from selling the information of California residents? If none of these three apply, the entity likely does not need to comply with the CCPA based on its direct activities. Keep in mind that there are a few exceptions, so it’s important to speak with a lawyer to know for certain. If any of those three scenarios do apply, however, then you need to answer the next question.
Third, is the entity for-profit? If the answer is no, then the entity likely does not need to comply with the CCPA. The CCPA only applies to for-profit businesses; there is, however, an important exception if your non-profit handles information on behalf of a for-profit entity. In that scenario, your organization would need to comply with the new law.
If you answered yes to all three questions, then that entity likely needs to comply with the CCPA based on its own activities. However, even the entities that do not directly come in under this test may need to comply based on their relationship to the entity/ies that do(es) need to comply.
To see a free automated version of the questions that generates results for you, please click here for a CCPA applicability quiz. You can retake it for each of your entities.
Subsidiary Organizations and the CCPA
For affiliated companies, the relationship may be the determining factor in deciding whether some organizations need to comply. First, you must determine whether a parent-subsidiary relationship meets the CCPA’s definition of control. If a company owns (or has the voting power of) more than 50% of the outstanding shares of any class of another business’s voting security; in any way controls the election of a majority of directors of that business; or has the power to exercise a “controlling influence over the management” of that business, the company qualifies as a controlling or parent company under the CCPA.
If either the parent or the subsidiary company is directly subject to the CCPA, the other organization is indirectly subject to the CCPA if they share common branding. Under the CCPA, common branding means a shared name, servicemark, or trademark.
If a subsidiary is directly subject to the CCPA (i.e., if you answered ‘yes’ to the three questions in the above section), its controlling or parent company becomes subject to the CCPA only if they share common branding. Similarly, if a parent entity is directly subject to the CCPA and shares common branding with another company it controls, that controlled company becomes indirectly subject to the CCPA and must also comply. (See Cal. Civ. Code Sec. 1798.140(c)). In this way, subsidiary and parent organizations that operate outside the state of California may find themselves being drawn into the CCPA regulatory regime through the actions of their affiliates.
‘Sibling’ Organizations and the CCPA
What about parent organizations that are not directly subject to the CCPA but have some subsidiaries directly subject to the CCPA and other subsidiaries that are not? Those parents, as described in the above section, will have to comply with the CCPA. However, the subsidiaries that are not themselves directly subject to the CCPA will not have to comply. This is because their parent organization is indirectly, as opposed to directly, subject to the CCPA. These ‘siblings’ of organizations directly subject to the CCPA are exempt. It is only when the parent organization is directly controlled by the CCPA that all of the siblings will have to comply.
What Does This Mean for Data?
If a parent organization is susceptible to the CCPA, it will have to implement privacy and security protocols to come into compliance. If it is directly susceptible, all of its subsidiaries will have to do the same. If the parent is indirectly susceptible, it may be beneficial to roll those privacy and security changes out across all of its subsidiaries, even those that are not required to comply with the CCPA. This decision will largely depend on how the companies are organized and the degree to which they share data. Affiliated entities that currently share personal information data need to check that practice against the requirements of the CCPA if any of the entities within the family are regulated by the CCPA. In order to streamline the sharing, bringing all of the entities into compliance may be the best solution.
Hypothetical Example 1:
Mega ABC has multiple subsidiaries. It controls and shares branding with some, but not all, of those subsidiaries. Mega ABC makes over $25 million in revenue, collects the personal information of California consumers, and is a for-profit organization. The CCPA applies to it directly.
Two of Mega ABC’s subsidiaries handle the personal information of over 50,000 California consumers per year and are for-profit organizations, so they are also directly susceptible to the CCPA.
Mega ABC controls five subsidiaries with which it shares common branding that are not directly susceptible to the CCPA. Because of Mega ABC’s control of and common branding with them, they are indirectly susceptible to the CCPA and must comply.
Mega ABC’s other subsidiaries are not directly susceptible to the CCPA and need not comply with it since they do not share common branding with Mega ABC.
Hypothetical Example 2:
Steel Supply Worldwide (SSW) has three subsidiaries. It controls and shares branding with some, but not all, of those subsidiaries. Steel Supply Worldwide does not collect the personal information of California consumers and is therefore not directly susceptible to the CCPA.
Steel Supply Worldwide has three subsidiaries it controls and shares branding with. One of those subsidiaries, SSW-USA, handles the personal information of over 50,000 California consumers and is for-profit. SSW-USA is directly susceptible to the CCPA, making Steel Supply Worldwide indirectly susceptible to the CCPA. Both entities must comply.
The other two Steel Supply Worldwide subsidiaries that it controls and shares branding with, SSW-Europe and SSW-Asia, do not handle any California consumers’ personal information. They are not directly susceptible to the CCPA. Although SSW must comply because of its relationship with SSW-USA, SSW-Europe and SSW-Asia are only siblings of SSW and need not comply.
For those parent and subsidiary organizations that do need to comply, the privacy requirements under the California Consumer Privacy Act can be divided into four main parts: (1) disclosures, (2) consumer requests, (3) data mapping, and (4) training. There are other smaller obligations under the law that apply in specific circumstances, but these four sections cover the majority of the new law. See our CCPA Privacy page to learn how we can help you automate these four responsibilities.
DISCLAIMER: This publication has been prepared by SixFifty, LLC to provide information of interest to our readers regarding the California Consumer Privacy Act. It is not intended to provide legal advice for a specific situation or to create an attorney-client relationship. SixFifty, LLC does not provide legal advice.
Written by Marie Kulbeth
Marie Kulbeth is a Co-Founder and General Counsel of SixFifty, and the co-director of BYU LawX, a legal design lab dedicated to solving access to justice problems. She works to make the law straightforward for everyone, regardless of education level or income. Marie keeps her passion for equitable, accessible legal services at the forefront of her career. Her role as...
Full Bio and other articles by Marie Kulbeth