Does the California Consumer Privacy Act Apply to California Not-for-Profits?
The California Consumer Privacy Act (“CCPA”) is scheduled to go into effect on January 1, 2020. That is less than six months from now. Every San Diego business should be aware of the CCPA and should be taking steps to comply with the law if their business is subject to the Act. Do not assume, for example, that the Act does not apply to your business just because you do not have “consumers.” If your business is mostly with other businesses, the Act may still apply.
Similarly, if you are operating a not-for-profit organization, do not assume that the CCPA is inapplicable. You should seek the advice and counsel of an experienced San Diego corporate attorney. The intent of passing the CCPA was to give consumers legal protections with respect to:
- What information is collected about them by companies
- How the information is shared, sold or transferred to others
- How the information is stored
- How long the information is stored
- How the information is deleted (if and when it is deleted)
- Under what circumstances consumers can request/demand that their data be deleted
- And more
Whether the CCPA applies to a not-for-profit organization depends on whether the organization meets the definition of “business” or whether the not-for-profit is deemed a “controller” of the data. Many not-for-profit organizations engage in a wide variety of merchandising in order to raise funds. Those activities can be sufficient to make a not-for-profit a “business” as defined by the CCPA. The CCPA applies to any “… legal entity that is organized or operated for the profit or financial benefit of its shareholders or other owners.” Arguably, not-for-profits do not have “owners,” but focusing on the concept of “financial benefit,” a California court could easily interpret fund-raising to be a “financial benefit” for the “members” (who are similar to “owners”) of a not-for-profit.
A “business” is defined under the CCPA as an entity that “does business” in California, that either directly collects personal information or has that information collected on its behalf by another entity (such as a payment processor), that decides what is done with the information or how it is processed and collected, and that meets one of these criteria:
- Has annual gross revenue in excess of $25 million, or
- Alone or in combination with another entity, annually buys, sells, shares or receives, for the organization’s commercial purposes, the personal information of 50,000 or more consumers, households, or devices, or
- 50% or more of annual revenue originates from selling consumer personal data
Many not-for-profits derive revenue from selling their mailing list. Without question, such a mailing list contains personal information. If your not-for-profit is engaged in selling various data that is collected about your supporters, then the CCPA could apply if your not-for-profit is sufficiently large or if 50% or more of your revenue is derived from the sale of the data that you have collected.
Another issue to consider is the matter of control. Many not-for-profits are subsidiaries of larger not-for-profits or control smaller not-for-profits. Issues of control matter for the question of who is deciding to collect the information, share/sell the information, etc.
As can be seen, the CCPA is a complex statute and it is important to seek legal advice and assistance. And, since the effective date is fast approaching, it is important to immediately begin evaluating how the CCPA applies to your not-for-profit and your business.
Contact San Diego Corporate Law Today
For more information, contact attorney Michael Leonard, Esq., of San Diego Corporate Law. Mr. Leonard can be reached at (858) 483-9200 or via email. Mr. Leonard provides a full panoply of legal services for businesses including formation of corporate entities of all types.