The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted, and plaintiff’s friendly ballot initiative.  Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).

To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA. 

Q. If a company that is not subject to the CCPA acquires a company that is subject to the CCPA, can the acquisition “infect” the data of the first company?

Yes.

The CCPA applies to a “business” -- a term that is defined as being an entity that “does business in the State of California” and that meets one of the following three thresholds:

1. Annual gross revenue in excess of $25 million,
2. Purchase, receives for commercial purposes, sells, or shares for commercial purposes, personal information of 50,000 or more consumers, or
3. Derives 50% of annual revenue from selling consumer personal information.¹

It is entirely possible that a company would not fall under the definition of “business” before acquiring another entity, but would fall under the definition of a “business” post-closing.  The following provide a few examples of situations in which this might occur:

1. Acquirer has more than $25 million in gross revenue, but is not based in California and arguably does not “conduct business” within the state.  Target is based in California and is folded into an existing operating division of Acquirer.  Post-closing the Acquirer may satisfy the definition of “business” under the CCPA. ²
2. Acquirer has less than $25 million in gross revenue (e.g., $20 million).  The Target is based in California with gross revenues that will result in the post-closing entity exceeding $25 million in gross revenue (e.g., $6 million).  The Target will be folded into an existing operating division of Acquirer.
3. Acquirer annually purchases personal information about 40,000 California residents.  The Target is based in California and annually purchases personal information about 15,000 California residents.  The Target will be folded into an existing operating division of Acquirer. 

It is important to note that the CCPA was put together quickly (in approximately one week) as a political compromise to address a proposed privacy ballot initiative that contained a number of problematic provisions.  (For more on the history of the CCPA, you can find a timeline that illustrates its history and development on page 2 of BCLP’s Practical Guide to the CCPA).  Given its hasty drafting there are a number of areas in which the act intentionally, or unintentionally, is at best ambiguous, at worst leads to unintended results.  As a result, it is possible that how a transaction is structured may have an impact on whether the transaction infects an acquirer with the CCPA.  For example, it is possible that if a target is not folded into an existing operating division (e.g., maintains a separate legal existence) and does not share common branding with the acquirer courts will analyze whether each company meets the definition of a “business” separately.

In comparison, under European data privacy laws (i.e., the GDPR), if an American company that was not subject to the GDPR were to purchase a European company that was subject to the GDPR, there is a strong argument that data processed by the acquirer should not be subject to the GDPR unless the transaction changes how the acquirer processes the data in a way that would bring the data within the scope of the GDPR.  Put differently, the fact that the acquirer now owns a European company should not, in of itself, make the application of the GDPR more likely; there would need to be a change in the behavior and processing of the acquirer.  As the European Court of Justice has summarized the law that applies to data is “[not] where the controller is established,” but “where an establishment of the controller is involved in activities implying the processing personal data.”³

As a result, if post-transaction the target is operated independently of the acquirer and there is no transfer of personal data or cross-marketing between the two companies, the GDPR would more than likely not apply to the activities of the acquirer. If, however, post-transaction the acquirer uses the target to process personal data directly, or the target contributes in some way to the context of why the acquirer is processing data, an argument may exist that such data has begun to be processed within the “context of” the activities of the European establishment and, as a result, falls within the GDPR. 

The following are a few examples of situations where, post-closing, a United States acquirer’s data would be more likely to be considered within the scope of the GDPR:

• Post-closing European Target becomes a service provider / processor of United States Acquirer.

• Post-closing United States Acquirer centralizes global human resource functions or data into European Target. 

• Post-closing United States Acquirer centralizes some other common internal function that involves personal data within European Target. 
• Post-closing European Target markets the products or services of United States Acquirer to European clients.

1. CPPA, Section 1798.140(c)(1)(A)-(C).

2. While the three thresholds contained within the definition of a “business” have yet to be interpreted by a court, it is worth noting in connection with the first revenue-oriented threshold that the statute does not specify whether the $25 million must be generated within the state of California.

3. Unabhangiges Landeszentrum fur Datenschutz Schleswig-Holstein v. Wirtschaftsakademie Schleswig-Holstein, ECJ Case C-210/16 at ¶ 92 (24 Oct. 2017) (emphasis added).

[View source.]