To be captured by the California Consumer Privacy Act, in addition to being in control of the collection of personal information, a business must do business in the state of California and must have an annual gross revenue more than $25,000,000 or must buy or sell the personal information of 50,000 or more consumers, devices or households or must derive 50% or more of their annual revenue from selling consumers' personal information. But the CCPA does contain a provision for joint controllers. Under the CCPA, a business is akin to a controller under the EU General Data Protection Regulation. For a business to qualify as a controller, it must meet the requirements set by the CCPA, a narrower set of requirements than the GDPR. However, once an entity in a company qualifies as a controller, parent companies and subsidiaries may automatically qualify, as well, even if they do not meet the CCPA's revenue thresholds or act as controllers.
What does ‘business’ mean?
Under the CCPA, “business” means a sole proprietorship, partnership, limited liability company, corporation, association or other legal entity that is organized for profit and collects consumers’ personal information. This information can be collected either on the company’s behalf, and the company may determine jointly with others, the purposes and means of the processing of consumers’ personal information.
Additionally, under the CCPA, a business can either qualify directly or indirectly, so long as it controls or is controlled by a business that qualifies directly and operates under common branding. In order to qualify directly, an entity must be a for-profit controller established in California that collects data from California residents and meets one of three thresholds (annual sales, number of records bought/sold or percentage of annual revenue from sales). In order to qualify indirectly, an entity must be a parent or a subsidiary company to an entity that qualifies directly and share common branding with such entity. As a result, a company can be a joint controller like the relationship as a subsidiary of a parent company.
The joint-controller relationship
A joint controller under the GDPR is created when different actors create a shared infrastructure to pursue their own individual purposes. Joint controllers can be held jointly and separately liable for compliance issues. Joint controllers are required to enter into agreements to make their respective responsibilities clear. Entities are not necessarily made joint controllers by data sharing.
A joint-controller-like relationship will exist when an entity is indirectly a business under the CCPA. Entities that are controlled by a business or are under common branding qualify indirectly as businesses, provided that the parent of the entity is itself a business under the CCPA. This would extend CCPA obligations to indirect businesses that reside outside of California. The indirect business becomes a "business" under the law through a direct business, a shared infrastructure that would allow both types of entities to pursue their individual interests. The CCPA extends obligations to indirect businesses but does not expressly impose joint and several liabilities between an indirect business and a direct business. California's attorney general has not yet submitted guidance on this particular issue.
California’s attorney general has not yet submitted guidance on this particular issue.
A joint controller relationship may not exist where the contracting third party is not a business under the CCPA's definition and not indirectly a business. The relationship will not be classified as joint controllers, but as between a business and a third party. Because the CCPA specifically references “jointly with others,” it is reasonable to infer that a business, as compared to a controller in the GDPR, can act jointly in the control of personal data. However, because the California attorney general has not submitted guidance on this particular issue, the role of joint controllers under CCPA may change.
The CCPA is thus trying to regulate the activities of the sorts of companies that decide how and why people’s personal information should be processed. It is also trying to replicate the kind of processing, being defined as “any operation or set of operations that are performed on personal data [sic] or on sets of personal data, whether or not by automated means." Under the GDPR, the processing is defined as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means."
Because the CCPA specifically outlines a business as being potentially defined by a joint control of personal data, a joint controller, as akin to the GDPR, does exist under the CCPA. The extent to which that joint controller exists within the CCPA is dependent on an entity’s status as a business and its relationship to other businesses. However, the official approach to businesses operating under the same brands will have to be determined by guidance outlined by the attorney general.
Although it remains unclear how the attorney general will interpret the possible role of joint controllers, the potential for liability on joint controllers of personal data should motivate privacy professionals to evaluate their client privacy protocols and determine the purposes for consumer processing.
If the CCPA does indeed apply to joint controllers, then companies jointly processing personal data will not be able to assign liability to each other. Liability for failure to comply with the CCPA will apply to any controller of data, regardless of whether there are multiple controllers or not. This provision can have far-reaching consequences for any data controller.
If you want to comment on this post, you need to login.