Some companies have objected to the CCPA’s definition of “business,” which purports to treat some affiliated companies that utilize common branding as a single business for the purpose of the Act. Specifically, they have pointed out that there are situations in which corporate affiliates that share common branding might be of disparate size, such that Affiliate A has revenues that exceed the minimum set by the CCPA (i.e., $25 million in annual gross revenue) and, thus, would be covered by the Act, but Affiliate B does not have revenues that meet the CCPA’s de minimis threshold. They have argued that treating Affiliate A and Affiliate B as a unified business and, as a result, subjecting both to the requirements of the statute disregards the reality that the companies are separate legal entities which are entitled to be treated as such in connection with regulatory requirements.
During the rulemaking process, the Attorney General was asked to establish a rule that would permit affiliated companies that shared common branding not to be treated as a single “business” under the Act on the condition that the affiliates did not engage in data sharing. In essence, the request would allow affiliated entities with common branding to elect by their actions whether they should be treated as a unified business. The Attorney General refused the request, noting that, in his opinion, it was “inconsistent with the statute’s definition” of a “business.”1 The implication of the refusal is that whether affiliated entities are treated as a single “business” under the Act may be a question of fact regarding the degree of control and the degree of common branding between the companies; it may not be a choice that companies can elect as part of their compliance strategy.
For more information and resources about the CCPA visit http://www.CCPA-info.com.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
1. FSOR Appendix A at 5, 6 (Response 18).