The California Consumer Privacy Act ("CCPA") was enacted in early 2018 as a political compromise to stave off a poorly drafted, and plaintiff’s friendly ballot initiative.  Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).

To help address that confusion, BCLP published the California Consumer Privacy Act Practical Guide, and is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the CCPA.

Q. Can corporate affiliates share information for marketing purposes?

Companies that share consumer information between and among corporate affiliates rarely consider themselves as “selling” information.  Specifically while corporate affiliates might be permitted to use the information to cross-market products and services, rarely do affiliated companies financially compensate each other for the information that they receive.  Furthermore, because the information stays within the hands of entities that are subject to common ownership many companies (and arguably many consumers) do not perceive the information as being “transferred” at all.

The CCPA broadly defines the term “sale” as including the act of “disclosing” or “making available” personal information “for monetary or other valuable consideration” from one business to another.¹  It furthermore states that two entities under common ownership are considered separate businesses unless they “share[] common branding.”²  For the purposes of the statute “common branding” is defined as a “shared name, servicemark, or trademark.”³  If a company “sells” information than the CCPA requires that it:

1. Disclose the fact that the information has been sold within its privacy policy,⁴ and    
2. Provide a “Do Not Sell My Personal Information” link on its homepage.⁵ If a consumer clicks on the link, the company must cease selling the consumer’s information.⁶

Based upon the above definition many corporate affiliates that share information for marketing purposes are concerned that their sharing could be interpreted as a sale, even if they receive no money in return for the information exchange, as a court might interpret the fact that information flows in both directions as “valuable consideration.”  For example, if two fashion retailers are owned by the same corporate parent, and combine their customer lists so that each concept can separately market to the other concept’s customers, it is possible that a court could interpret the information exchange as a “sale” with the consideration being that each concept has gained access to the other concepts’ information.

The CCPAs treatment of corporate affiliates as potentially separate businesses that could sell information to, and from, each other has led many businesses to investigate the degree by which they “share[] common branding.”  While that may be a straightforward inquiry in situations in which corporate affiliates operate under the same trade name and the same corporate logo, many affiliated corporate entities have some degree of autonomy from their sister corporations which raises questions and concerns regarding how much sharing of names, servicemarks, and trademarks is enough to be considered a unitary enterprise.  The following provides six examples where corporate affiliates might utilize shared names to varying degrees on their respective websites and, as a result, may be subject to varying risks of being classified as separate “business” under the CCPA for which a sale of information has been made:

1. CCPA Section 1798.140(t)(1).

2. CCPA, § 1798.140(c)(2).

3. Id.

4. CCPA, § 1798.130(A)(5)(C)(i).

5. CCPA, § 1798.135(a)(1), (2).

6. CCPA, § 1798.120(a), (d).