The CCPA broadly defines the term “sale” as “disclosing” or “making available” personal information “for monetary or other valuable consideration” from one business to another.1 The CCPA implies that two (or more) entities are considered a single “business” if one of the entities “controls or is controlled by” the other, and the two entities “share[] common branding.”2 A threshold question, therefore, asked by corporate affiliates that are part of large corporate structures is whether their relationship with a sister entity satisfies the “control[]” or “controlled by” language.
Confusion surrounding what it means to be “controlled” by another entity stems, in part, because the CCPA’s definition of “control” departs from the definitions used in other privacy statutes. For example, the following compares the definition of “control” found within the CCPA and the definition of “control” found within the Gramm Leach Bliley Act’s (“GLBA”) Privacy Rule (Regulation P) that applies to financial institutions:
|
Criteria
|
CCPA
Definition of Control
|
GLBA (Regulation P)
Definition of Control
|
|
Ownership, or the power to vote, at least 25% of the outstanding shares of voting security.
|
Not in of itself Sufficient3
|
✓4
|
|
Ownership, or the power to vote, at least 50% of the outstanding shares of voting security.
|
✓5
|
✓6
|
|
Control in any manner over the election of a majority of the directors, or of individuals exercising similar functions.
|
✓7
|
✓8
|
|
The power to exercise a controlling influence over the management of a company.
|
✓9
|
✓10
|
As indicated above, while the definitions are similar, an entity that owned a substantial, but minority, share of a second entity (e.g., 49%) would be considered to “control” the second entity under the GLBA, but would not be considered to “control” the second entity under the CCPA unless it also exercised some other control element (e.g., a controlling influence over management).
The CCPA adds additional confusion because, unlike many other privacy statutes, it does not define, or use, the term “affiliate” or “corporate group” to explicitly account for the reality that many modern corporate structures include intermediary ownership. For example, Regulation P defines an “affiliate” to mean “any company that controls, is controlled by, or is under common control with another company.”11 When the definition of “affiliate” is combined with the definition of “control,” it is clear that, under the following corporate structure, if Entity E were to transmit data to Entities A, B, C, D, F, G, H, I or J, they would be sharing with a corporate “affiliate:”
Because the CCPA lacks any definition of “affiliate” or “corporate group,” some companies have wondered whether the CCPA would only treat a transfer between two entities that are in a direct vertical relationship (e.g., Entity B and Entity A) as occurring within the same “business.” Such an interpretation, however, would be highly unlikely for two reasons. With regard to vertical transmissions of information up a corporate structure, as indicated above the CCPA defines “control” as being not limited to just the entity that “owns” another entity, but an entity that “exercise[s] a controlling influence over the management” of another entity. In the above corporate structure, it is likely that Entity A exercises a “controlling influence” (whether direct or indirect) with regard to all of the other corporate entities. With regard to horizontal transmission of information (e.g., Entity B to Entity C), courts are likely to triangulate ownership such that if Entity B is “controlled by” Entity A it represents a single “business”; and if Entity A “controls” Entity C, then it too represents part of the same single business.
The net result is that while the language of the CCPA is far less artful than the language used in most other privacy statutes, it will likely be interpreted as permitting data to be shared between and among a corporate group, so long as all of the members of the group ultimately trace control or ownership back to a common source.
For more information and resources about the CCPA visit http://www.CCPA-info.com.
This article is part of a multi-part series published by BCLP to help companies understand and implement the General Data Protection Regulation, the California Consumer Privacy Act and other privacy statutes. You can find more information on the CCPA in BCLP’s California Consumer Privacy Act Practical Guide, and more information about the GDPR in the American Bar Association’s The EU GDPR: Answers to the Most Frequently Asked Questions.
1. CCPA Section 1798.140(t)(1).
2. CCPA, Section 1798.140(c)(2).
3. CCPA, Section 1798.140(c)(2).
4. 12 C.F.R. 332.3(g).
5. CCPA, Section 1798.140(c)(2).
6. 12 C.F.R. 332.3(g).
7. CCPA, Section 1798.140(c)(2).
8. 12 C.F.R. 332.3(g).
9. CCPA, Section 1798.140(c)(2).
10. 12 C.F.R. 332.3(g).
11. 12 C.F.R. 332.3(a).
[View source.]
