Getting ready for the California Consumer Privacy Act is a priority for most U.S. organizations in 2019. From reviewing vendor contracts to updating privacy policies and data maps, seasoned privacy professionals are familiar with this exercise, as they have significant muscle memory built in from past compliance heavy lifts, such as the EU General Data Protection Regulation. However, little attention has been placed on the effects of the CCPA on intragroup data transfers, and many assume the act does not impose any limits on them. This assumption may be wrong.
As opposed to the California Financial Privacy Act that specifically excludes certain internal-sharing ("affiliate sharing") from the opt-out rule, the CCPA does not say anywhere whether intragroup sharing can be considered a "sale" or not. The interpretation that intragroup sharing is excluded rests on the peculiar definition of "business" under the CCPA.
Under the CCPA "business" is defined as:
- Any controller that collects data from "consumers" that is operated for-profit and meets certain thresholds, provided that it does "business in California."
- Any processor or controller, whether operated for-profit or not, that controls or is controlled by a business, as defined in paragraph one and operates under the same "brand."
Many practitioners have logically reasoned that a "business" is a combination of both the entity that meets the thresholds and those in its group operating under the same brand — or a "business group." If that is indeed the case, it would make sense to conclude that the restrictions on data sales under the code apply only to transfers outside the "business group," as the section states "a consumer shall have the right, at any time, to direct a business" (meaning, the consumer does not direct any individual entity within the group but the group as a whole).
However, there are several things to consider before accepting this interpretation and giving advice to clients on this point:
- There are other plausible interpretations: That a "business" equals a "business group," as assumed above, is not the only possible interpretation of the CCPA. The other feasible interpretation is that any organizations meeting the requirements in paragraphs one or two should be individually considered "businesses" under the CCPA. So in that interpretation, a business would mean "any single covered entity." The statutory language supports this interpretation. There is no conjunction between sections one and two of the code. Also, the language in section two, "controls or is controlled by a business," as defined in paragraph one, tends to indicate that an entity meeting the thresholds in paragraph one is to be considered a "business individually."
- The interpretation proposed is highly unusual: The proposed interpretation, that "business" equals "business group," although plausible, has no precedent under U.S. or international privacy law. Although corporate groups may be specifically subject to obligations or exceptions under U.S. privacy laws, all federal and state privacy laws define the entities subject to their requirements on an individual basis. In California, there are laws such as CalFIPA that already provide consumers with a right to opt out of certain internal transfers. This is the case also at the international level, with the GDPR not only regulating internal transfers but creating complex compliance structures to facilitate them.
- The interpretation does not completely solve the issue: Even if the "business" equals "business group" interpretation was to be adopted by the California attorney general, it is important to note that it will not exempt every internal transfer from potentially being a sale. If the affiliated organizations do not operate under the "same brand" or do not have a parent-subsidiary relationship (that is to say, they are sister companies) they will be excluded from the code and transfers to and from them could constitute sales.
- The interpretation may create more problems than it solves: Assuming the California attorney general’s office was to adopt the "business" equals "business group" interpretation, they would evenly apply such interpretation to all of the CCPA, not only the sales provision. For example, in "business = business group," arguably the whole business group could be sued and found liable for a data breach suffered by an individual subsidiary or be responsible for fines imposed on individual entities for violations of the CCPA.
Ultimately, the determination on what interpretation will be adopted rests on the California attorney general’s office. However, given the uncertainty, it would be wise for organizations that internally transfer data to review their internal transfers to ensure data minimization and need-to-know access restrictions are in place and formalize CCPA-compliant contracts with affiliates providing services. This has been done before for the GDPR and, for a relatively low cost, has the potential to significantly reduce CCPA-related risks and improve the privacy posture of organizations.