08 March 2021
You may think of the California Consumer Privacy Act (CCPA) as a law that applies to big businesses and social media companies. But have you noticed that the CCPA actually contains two definitions of "business"?
The CCPA's main target is indeed large, profit-making businesses: for example, those with over $25 million in annual revenues. But the act's second definition of "business" encompasses any entity that controls or is controlled by a business.
This second definition significantly broadens the CCPA's scope and means that, in some cases, the act could apply to nonprofits.
Read on to find out if your nonprofit could be covered by the CCPA, and, if so, what you need to do to comply.
Let's compare the CCPA's two definitions of "business," and consider how these might apply to a nonprofit.
Here's the CCPA's core definition of a "business," at §1798.140 (c) (1):
Let's break that down. The CCPA defines a "business" as any legal entity that:
Fulfills one or more of the following characteristics:
Let's look at the second part of the CCPA's definition of a "business," at §1798.140 (c) (2):
This second part of the CCPA's definition applies to "any entity," whether it operates for profit or not, as long as it either controls a business or is controlled by a business, and shares common branding with the business.
What does "control" mean in this context? An entity controls or is controlled by a business if:
Common branding means sharing a name, servicemark, or trademark.
In conclusion, a "business" can be the for-profit entity described at §1798.140 (c) (1) of the CCPA, or any entity, including a nonprofit, that fits the description at §1798.140 (c) (2) of the CCPA.
There are several scenarios in which the CCPA might apply to nonprofits. For example:
Nonprofits with for-profit subsidiaries, or nonprofits that are subsidiaries of CCPA-covered businesses, should consider whether they fall under the CCPA's jurisdiction.
Nonprofits that are not part of a business but that are engaged in commercial activity should also consider whether they might be subject to the CCPA.
A reasonable point of comparison might be with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), which only applies to "private sector" entities, defined as entities that are carrying out "commercial activity."
Under certain circumstances, nonprofits have been found to be carrying out commercial activity and thus subject to PIPEDA. For example, a hunting club run by volunteers was found to be engaged in commercial activity because it exchanged a membership fee for access to exclusive benefits and services.
If you've established that your nonprofit meets the definition of a "business" under §1798.140 (c) (2) of the CCPA, you're required to comply with the same obligations as any CCPA-covered business.
Here's a brief overview of your CCPA responsibilities.
"Personal information" means any information that "identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
A list of the categories of personal information you have collected in the past 12 months, plus:
Your notice at collection must contain:
Here's an excerpt from Master Dynamic's notice at collection:
The left-hand column lists the categories of personal information the company collects. The right-hand column lists the purposes for which the company collects the information.
For more information, see our article The CCPA's Four Consumer Notices.
If you sell personal information, you must create a link reading "Do Not Sell My Personal Information" on your website's home page. This link must lead to a form that consumers can use to instruct you not to sell their personal information.
For more information, see our article CCPA: What Constitutes a "Sale" of Personal Information.
Under the CCPA, consumers (California residents) have certain rights over their personal information. It's your duty to facilitate their rights.
The CCPA consumer rights include:
For more information, see our article Consumer Rights Under the CCPA.
Your nonprofit may share consumers' personal information with other companies, such as marketing companies, analytics firms, and account managers. If so, you should ensure these data-sharing relationships are covered by a service provider contract, where appropriate.
Here's how the CCPA defines a "service provider":
Here's how the CCPA's "service provider" provisions work:
A service provider contract must:
For more information, see our Complete Guide to CCPA Service Providers.
The CCPA contains two enforcement mechanisms:
Civil penalties imposed by the California Attorney General, for an amount of:
Private legal claims brought by consumers, for an amount of:
The most likely cause of big financial penalties (and the only grounds on which consumers can claim damages) is a data breach.
Here's how the CCPA defines a data breach:
This definition of a "data breach" contains the following elements:
This means that you must take reasonable care to protect the personal information in your possession. Measures such as encryption in transit and at rest, using security software, and running staff training in data protection are the kinds of safeguards likely to be treated as reasonable. Encryption matters in particular because the consumer right of action under §1798.150 covers only nonencrypted and nonredacted personal information: data that is properly encrypted at the time of a breach does not give rise to a private claim.
The CCPA may apply to your nonprofit if it controls or is controlled by a CCPA-covered business that shares your branding.
If so, this means you'll have to comply with the full range of CCPA responsibilities, including:
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.