You may think of the California Consumer Privacy Act (CCPA), as amended by the CPRA, as a law that applies to big businesses and social media companies. But have you noticed that the CCPA/CPRA actually contains two definitions of "business?"
The CCPA/CPRA's main target is indeed large, profit-making businesses: for example, those with over $25 million in annual revenues. But the act's second definition of "business" encompasses any entity that controls or is controlled by a business.
This second definition significantly broadens the CCPA/CPRA's scope and means that, in some cases, the act could apply to nonprofits.
Read on to find out if your nonprofit could be covered by the CCPA (CPRA), and, if so, what you need to do to comply.
Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:
-
At Step 1, select the Website option or App option or both.
-
Answer some questions about your website or app.
-
Answer some questions about your business.
-
Enter the email address where you'd like the Privacy Policy delivered and click "Generate."
You'll be able to instantly access and download your new Privacy Policy.
- 1. The CCPA/CPRA's Two Definitions of "Business"
- 1.1. Core Definition of "Business"
- 1.2. Entity That Controls or is Controlled by a Business
- 2. When Might a Nonprofit Be a Business?
- 3. Obligations Under the CCPA (CPRA)
- 3.1. Create a Privacy Policy
- 3.2. Provide Notice at Collection
- 3.3. Set Up a Do Not Sell My Personal Information Page
- 3.4. Facilitate CCPA (CPRA) Consumer Rights
- 3.5. Set Up Service Provider Contracts
- 3.6. Protect Personal Information
- 4. Summary
The CCPA/CPRA's Two Definitions of "Business"
Let's compare the CCPA/CPRA's two definitions of "business," and consider how these might apply to a nonprofit.
Core Definition of "Business"
Here's the CCPA/CPRA's core definition of a "business," at §1798.140 (c) (1):
Let's break that down. The CCPA (CPRA) defines a "business" as any legal entity that:
- Operates for profit
- Does business in California
- Determines the purposes and means of the processing of personal information (decides how and why to process personal information)
-
Fulfills one or more of the following characteristics:
- It has annual gross revenues of more than $25 million
- It annually buys, receives for commercial purposes, sells, and/or shares for commercial purposes, the personal information of at least 100,000 consumers, devices, and/or households, or
- It derives more than 50 percent of its annual gross revenues from selling or sharing consumers' personal information
Entity That Controls or is Controlled by a Business
Let's look at the second part of the CCPA/CPRA's definition of a "business," at §1798.140 (c) (2):
This second part of the CCPA/CPRA's definition applies to "any entity," whether it operates for profit or not, as long as it either controls a business or is controlled by a business, and shares common branding with the business.
What does "control" mean in this context? An entity controls or is controlled by a business if:
- It owns or is owned by the business
- It has the power to vote, more than 50 percent of the outstanding shares of any class of voting security of the business
- It has control over the election of the majority of directors or similar individuals, or
- It has the power to exercise a controlling influence over the management of a company
Common branding means sharing a name, servicemark, or trademark.
In conclusion, a "business" can be the for-profit entity described at §1798.140 (c) (1) of the CPPA, or any entity, including a nonprofit, that fits the description at §1798.140 (c) (2) of the CCPA.
When Might a Nonprofit Be a Business?
There are several scenarios in which the CCPA (CPRA) might apply to nonprofits. For example:
- A nonprofit with a for-profit subsidiary that qualifies as a "business"
- A nonprofit entering into a joint venture with a CCPA/CPRA-covered business
- A nonprofit engaged in commercial activity
Nonprofits with for-profit subsidiaries, or nonprofits that are subsidiaries of CCPA/CPRA-covered businesses, should consider whether they fall under the CCPA/CPRA's jurisdiction.
Nonprofits that are not part of a business but that are engaged in commercial activity should also consider whether they might be subject to the CCPA (CPRA).
A reasonable point of comparison might be with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), which only applies to "private sector" entities, defined as entities that are carrying out "commercial activity."
Under certain circumstances, nonprofits have been found to be carrying out commercial activity and thus subject to PIPEDA. For example, a hunting club that was run by volunteers but involved exchanging a membership fee for access to exclusive benefits and services.
Obligations Under the CCPA (CPRA)
If you've established that your nonprofit meets the definition of a "business" under §1798.140 (c) (2) of the CCPA, you're required to comply with the same obligations as any CCPA-covered business.
Here's a brief overview of your CCPA (CPRA) responsibilities.
Create a Privacy Policy
Creating a Privacy Policy is one of the CCPA/CPRA's core obligations. Your Privacy Policy should inform consumers how your nonprofit collects, uses, and shares their personal information.
"Personal information" means any information that "identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
Here's a brief breakdown of the information your Privacy Policy should contain:
- Information about the CCPA/CPRA's "right to know" and how consumers can exercise it (we'll be looking at the CCPA (CPRA) consumer rights in more detail below)
-
A list of the categories of personal information you have collected in the past 12 months, plus:
- The categories of sources from which you collected it
- The business or commercial purposes for which you collected it
- The categories of third parties with whom you share it
- Information about how or whether you sell and/or disclose personal information for business purposes
- Information about the CCPA/CPRA's "right to delete" and how consumers can exercise it
- Information about the CCPA/CPRA's "right to opt out," including a link to your "Do Not Sell My Personal Information" page (if you have one)
- Information about the CCPA/CPRA's "right to non-discrimination, including a statement that consumers will not be discriminated against for exercising their CCPA (CPRA) rights
- Your contact details and an explanation of how to request more information
- The date on which the Privacy Policy was last updated
You must update your Privacy Policy every 12 months.
For the full set of Privacy Policy requirements, see our article CCPA Privacy Policy Checklist.
Provide Notice at Collection
Whenever you collect personal information from consumers, you must present "notice at collection." This can be a link to a section of your Privacy Policy, if you prefer.
Your notice at collection must contain:
- A list of the categories of personal information you are collecting
- The business or commercial purposes for which you are collecting each category of personal information
- A link to your "Do Not Sell My Personal Information" page, if you have one
- A link to your Privacy Policy
Here's an excerpt from Master Dynamic's notice at collection:
The listed in the left-hand column lists categories of personal information the company collects. The right-hand column lists the purposes for which the company collects the information.
For more information, see our article The CCPA/CPRA's Four Consumer Notices.
Set Up a Do Not Sell My Personal Information Page
If you sell personal information, you must create a link reading "Do Not Sell My Personal Information" on your website's home page. This link must lead to a form that consumers can use to instruct you not to sell their personal information.
You might not think this applies to your nonprofit. However, if you use cookies on your website, this might qualify as a sale of personal information.
For more information, see our article CCPA: What Constitutes a "Sale" of Personal Information.
Facilitate CCPA (CPRA) Consumer Rights
Under the CCPA (CPRA), consumers (California residents) have certain rights over their personal information. It's your duty to facilitate their rights.
The CCPA (CPRA) consumer rights include:
- The right to know: You must provide information about the types of information you have collected, used, and shared about a consumer over the past 12 months. Consumers may also request copies of the specific pieces of personal information that your business holds about them.
- The right to delete: Under certain conditions, you must delete a consumer's personal information.
- The right to opt out: You must not sell a consumer's personal information if they request that you do not do so.
- The right to non-discrimination: You must not provide goods or services of poorer quality or at a higher price if a consumer exercises their CCPA rights.
- The right to opt in (for minors): You must obtain opt-in consent before selling the personal information of minors under the age of 16. You must obtain parental consent before selling the personal information of minors under the age of 13.
For more information, see our article Consumer Rights Under the CCPA.
Set Up Service Provider Contracts
Your nonprofit may share consumers' personal information with other companies, such as marketing companies, analytics firms, and accounts managers. If so, you should ensure these data-sharing relationships are covered by a service provider contract, where appropriate.
Here's how the CCPA defines a "service provider":
Here's how the CCPA/CPRA's "service provider" provisions work:
- Because of the CCPA/CPRA's broad definition of "sale," businesses risk being deemed to have "sold" a consumer's personal information when they share it with other organizations.
- If a business fails to allow a consumer to opt out of a sale of their personal information, this is a serious violation of the CCPA (CPRA).
- However, if the data-sharing arrangement is covered by a valid service provider contract, the business can share personal information without offering the consumer an opt-out.
A service provider contract must:
- Clearly set out the purposes for which the service provider may process the personal information it receives from your nonprofit.
- Prohibit the service provider from using, disclosing, or retaining the personal information for any reason other than those permitted by the contract or by the CCPA (CPRA).
For more information, see our Complete Guide to CCPA Service Providers.
Protect Personal Information
The CCPA (CPRA) contains two enforcement mechanisms:
-
Civil penalties imposed by the California Attorney General, for an amount of:
- Up to $7,500 per intentional violation
- Up to $2,500 per unintentional violation
-
Private legal claims brought by consumers, for an amount of:
- Between $100 and $750 per consumer, per incident, or
- Actual damages for any losses caused
The most likely cause of big financial penalties (and the only grounds on which consumers can claim damages) is that you suffer a data breach.
Here's how the CCPA defines a data breach:
This definition of a "data breach" contains the following elements:
- Unauthorized access
- Exfiltration
- Theft
- Disclosure
- A failure to "maintain reasonable security procedures and practices"
This means that you must take reasonable care to protect the personal information in your possession. Methods such as encryption in transit and in storage, using security software, and running staff training in data protection will be recognized as reasonable.
Summary
The CCPA (CPRA) may apply to your nonprofit if it controls or is controlled by a CCPA/CPRA-covered business that shares your branding.
If so, this means you'll have to comply with the full range of CCPA (CPRA) responsibilities, including:
- Creating a Privacy Policy
- Providing notice at collection
- Setting up a "Do Not Sell My Personal Information" page
- Facilitating CCPA (CPRA) consumer rights requests
- Setting up service provider agreements
- Protecting personal information in your control
Comprehensive compliance starts with a Privacy Policy.
Comply with the law with our agreements, policies, and consent banners. Everything is included.