Yes.

The CCPA includes within the definition of a “business” an entity “that controls or is controlled by [another] business” and that “shares common branding with the business.” ¹  This provision has been referred to by some companies as the “unified business provision” as it functionally states that entities under common control and common branding should be treated under the CCPA as a single “business” instead of as multiple business entities.  Other companies have referred to this as the “affiliate exception” owing to its functional impact on compliance.  Specifically, if the Act did not treat businesses that were under common ownership, control, and branding as a single business, then affiliates might find themselves in the situation in which transfers of data between and among members of a corporate group might constitute the “sale” of information as they might be viewed as transfers from one business to a separate business for consideration (if, for example, the affiliated entities were performing services for one another or cross-marketing products).  Viewing corporate affiliates as a single business unit for the purposes of the CCPA functionally creates an exception to the definition of “sale” for those situations in which Affiliate A transfers personal information to a commonly branded Affiliate B.

Not necessarily.

Although the CCPA’s definition of “consumer” includes employees that reside in California,¹  the CCPA applies only to a “business” — a term that is defined as being an entity that “does business in the State of California” and that meets one of the following three thresholds:

1. Annual gross revenue in excess of $25 million,
2. Purchase, receives for commercial purposes, sells, or shares for commercial purposes, personal information of 50,000 or more consumers, or
3. Derives 50% of annual revenue from selling consumer personal information.²

The net result is that if a business meets one of the three thresholds established  for gross revenue, quantity of data points, or revenue-generated by the sale of personal information, and has California employees, then it will be subject to the CCPA.  If a business does not meet one of the three thresholds set forth above, but has California employees, then it will not be subject to the CCPA.

Federal and state privacy laws do not expressly prohibit most acquirers (e.g., acquirers of a retail brand) from internally transferring the target’s data for use by affiliated companies.  That said, in 2000, the Federal Trade Commission took the position that a company which had included a broad statement within its privacy notice that it would not share personal information with third parties could not transfer personal information as part of the sale and/or acquisition of the company unless the acquirer met certain threshold qualifications (e.g., hailed from the same industry).¹  Forty-six states, the District of Columbia, and two federal territories took an even more restrictive position that the information could never be transferred to an acquirer.²  As a result of the positions taken by the FTC and state regulators, as a best practice, most organizations now include a clause within their privacy notices that affirmatively states that personal information may be shared as part of a merger or acquisition.  For example, many companies include a provision along the following lines:

“If another company acquires, or plans to acquire, our company, business, or our assets, we will also share information with that company, including at the negotiation stage.”

If the target has a disclosure similar to the above, the acquirer arguably can take and disseminate to corporate affiliates the personal information collected by the target consistent with federal and (most) state laws.

This result is largely consistent with the approach taken by the California Consumer Privacy Act.  The CCPA broadly defines the term “sale” as including the act of “disclosing” or “making available” personal information “for monetary or other valuable consideration” from one business to another.³ The CCPA includes an exception to the sale of information, however, in situations in which information is transferred as part of an acquisition in which the acquirer “assumes control of all or part of” the target.⁴ In those situations, the Act permits internal transfers to occur without classifying those transfers as “sales” so long as the information is “shared” consistently with the target’s privacy notice.⁵  On a going forward basis (i.e., post acquisition) the CCPA’s rules concerning affiliate sharing likely apply.  Under those rules, an entity that is owned by another entity is considered a separate business unless the two companies “share[] common branding.”⁶  For the purposes of the statute “common branding” is defined as a “shared name, servicemark, or trademark.”⁷

The net result is that if a privacy notice states that information can be shared between and among acquirers and affiliates, such sharing is arguably permitted at the time of acquisition.  On a go-forward basis, at least in California, the target would need to share common-branding with the acquirer in order to continue the sharing of information without raising the possibility that such continued use constitutes the “sale” of information for which an opt-out right would need to be given.  That said, an amendment to the CCPA deferred the full impact of the Act upon employee data until January 1, 2021.⁸

The CCPA broadly defines the term “sale” as “disclosing” or “making available” personal information “for monetary or other valuable consideration” from one business to another.¹  The CCPA implies that two (or more) entities are considered a single “business” if one of the entities “controls or is controlled by” the other, and the two entities “share[] common branding.”² A threshold question, therefore, asked by corporate affiliates that are part of large corporate structures is whether their relationship with a sister entity satisfies the “control[]” or “controlled by” language.

Confusion surrounding what it means to be “controlled” by another entity stems, in part, because the CCPA’s definition of “control” departs from the definitions used in other privacy statutes.  For example, the following compares the definition of “control” found within the CCPA and the definition of “control” found within the Gramm Leach Bliley Act’s (“GLBA”) Privacy Rule (Regulation P) that applies to financial institutions:

As indicated above, while the definitions are similar, an entity that owned a substantial, but minority, share of a second entity (e.g., 49%) would be considered to “control” the second entity under the GLBA, but would not be considered to “control” the second entity under the CCPA unless it also exercised some other control element (e.g., a controlling influence over management).

The CCPA adds additional confusion because, unlike many other privacy statutes, it does not define or use the term “affiliate” or “corporate group” to explicitly account for the reality that many modern corporate structures include intermediary ownership.  For example, Regulation P defines an “affiliate” to mean “any company that controls, is controlled by, or is under common control with another company.”¹¹  When the definition of “affiliate” is combined with the definition of “control,” it is clear that, under the following corporate structure, if Entity E were to transmit data to Entities A, B, C, D, F, G, H, I or J, they would be sharing with a corporate “affiliate:”

Because the CCPA lacks any definition of “affiliate” or “corporate group,” some companies have wondered whether the CCPA would only treat a transfer between two entities that are in a direct vertical relationship (e.g., Entity B and Entity A) as occurring within the same “business.”  Such an interpretation, however, would be highly unlikely for two reasons.  With regard to vertical transmissions of information up a corporate structure, as indicated above, the CCPA defines “control” as being not limited to just the entity that “owns” another entity, but an entity that “exercise[s] a controlling influence over the management” of another entity.  In the above corporate structure, it is likely that Entity A exercises a “controlling influence” (whether direct or indirect) with regard to all of the other corporate entities.  With regard to horizontal transmission of information (e.g., Entity B to Entity C), courts are likely to triangulate ownership such that if Entity B is “controlled by” Entity A it represents a single “business,”and if Entity A “controls” Entity C, then it too represents part of the same single business.

The net result is that while the language of the CCPA is far less artful than the language used in most other privacy statutes, it will likely be interpreted as permitting data to be shared between and among a corporate group, so long as all of the members of the group ultimately trace control or ownership back to a common source.