Many small or solo franchisees, subsidiaries, and affiliates of larger businesses may think the California Consumer Privacy Act (CCPA), does not apply to you because you don’t meet one of the three threshold criteria. Your annual revenue is under $25 million, you do not annually collect the personal information of 50,000 or more California residents, households or devices, and you are not in the business of selling information. But upon closer inspection, you may be disappointed to learn that California’s groundbreaking new privacy law, which became effective January 1, 2020, may yet still apply to you. Here’s why.
If you rely on the internet for your legal advice (bad idea!), you will learn the basics – that the CCPA applies to any for-profit business that does business in California, collects the personal information of one or more California resident, and satisfies one of three thresholds: (1) generates annual revenue of $25 million or more; (2) collects the personal information of 50,000 or more California residents; or (3) derives 50% or more of its annual revenue from the selling of personal information. If your business is a local franchisee of a regional or national franchise, or a subsidiary or sister company among a family of companies, and your business does not satisfy any of the three thresholds, you may think this should be the end of the analysis. However, it is only the beginning.
The CCPA also applies to any other entity that “controls” or is “controlled” by a covered business and shares common branding with that covered business (whether the same trade name, dba, trademark or servicemark). This means that if your business is affiliated in any way with and shares common branding with another business that meets the above criteria and is subject to the CCPA, then the law would derivatively apply to your business if your business “controls” or is “controlled” by that CCPA-covered business. The CCPA’s definition of “control” for purposes of this analysis appears to be broader than the concept of control in other areas of law you may be familiar with (such as the control group test applied by the Employment Development Department, for purposes of the Affordable Care Act, or for joint employment).
The CCPA defines “control” or “controlled” as one of the following: (1) ownership of, or the power to vote, more than 50% of the outstanding shares of any class of voting security of the business; (2) control in any manner over the election of a majority of the directors of the business or of individuals exercising similar functions as directors; or (3) “the power to exercise a controlling influence over the management of” the business.
The first two tests for control under the CCPA’s definition are easy to understand and apply. The third test, however, is where the ambiguity and debate lie. Hence, this is where the risk of litigation and enforcement actions may be elevated. Neither the statute nor the attorney general’s proposed regulations shed light on what it means to have the power to exercise a controlling influence, what exercise of such power looks like, what a controlling influence means, and what constitutes “management” over which the level of influence must be assessed. Does this require control over all aspects of managing the business, or just simply one aspect of management such as product development or sales process?
In the context of franchisees, if the CCPA applies independently to the franchisor, then it will also apply to franchisees where the franchisor has “the power to exercise a controlling influence over the management” of the franchisee. Reading the words of the statute for their plain meaning, this appears to not be about whether the franchisor actually exercises a controlling influence, but whether the franchise agreement can be interpreted to vest the franchisor with the “power” to exercise such influence.
Reading further, the phrase “controlling influence over the management” does not seem to require the influence to be the primary or only controlling influence, but rather just “a” controlling influence. The meaning of this phrase is wide open for different interpretations. One possible interpretation is that having a controlling influence over a company’s management for purposes of the CCPA is not the same standard as “control” for purposes of joint employment and wage and hour issues, as management here is not limited to controlling the hours, schedules, timekeeping, and wage payment practices of the franchisee.
The franchise business model typically gives franchisors power and control over the brand, the making, preparation, packaging, and presentation of products sold or services provided by the franchisee, and the design, décor, marketing, etc. of the franchisee’s retail place of business (whether a restaurant, hotel, or other establishment). Under the franchise model, franchisees typically have to follow certain rules required by the franchisor to maintain the brand image – again, nothing to do with control over employees for purposes of joint employment. While no court has been presented with this issue yet and the final meaning of “controlling influence over the management” has not been determined, there is certainly a potential argument that the franchisee-franchisor relationship inherently and inescapably involves the franchisor not only having the power to exercise sufficient control but actually doing so in their daily operations.
Based on this analysis, it is possible that the CCPA will apply to franchisees, subsidiaries, and sister companies even if these individual entities do not satisfy any of the primary thresholds for CCPA coverage. The CCPA will apply to such businesses if they either (a) meet one of the 3 thresholds stated at top of this article, OR (b) share common branding with and are “controlled by” a parent company or franchisor that satisfies one of the 3 criteria, with the definition of “control” being so broad as to include “the power to exercise a controlling influence over the management of a company.”
If your business falls into one of these categories and you have not yet done anything to comply with the CCPA, it’s better to be late than never. Consult privacy counsel immediately and start working on your employee and consumer notices, privacy policy, and consumer request platform. DIY’ing CCPA compliance is just as risky as relying on the internet for legal advice. Fisher Phillips has a thriving Data Security and Workplace Privacy Practice Group and experienced attorneys ready to work with you on all aspects of CCPA compliance, including all consumer, employee, and website-related requirements. Feel free to contact me directly or any other attorneys in our privacy practice group or one of our five California offices.
Leave a Reply