Are the “unified business provision” and the “affiliate exception” within the CCPA the same thing?


The CCPA includes within the definition of a “business” an entity “that controls or is controlled by [another] business” and that “shares common branding with the business.” 1  This provision has been referred to by some companies as the “unified business provision” as it functionally states that entities under common control and common branding should be treated under the CCPA as a single “business” instead of as multiple business entities.  Other companies have referred to this as the “affiliate exception” owing to its functional impact on compliance.  Specifically, if the Act did not treat businesses that were under common ownership, control, and branding as a single business, then affiliates might find themselves in the situation in which transfers of data between and among members of a corporate group might constitute the “sale” of information as they might be viewed as transfers from one business to a separate business for consideration (if, for example, the affiliated entities were performing services for one another or cross-marketing products).  Viewing corporate affiliates as a single business unit for the purposes of the CCPA functionally creates an exception to the definition of “sale” for those situations in which Affiliate A transfers personal information to a commonly branded Affiliate B.