Question 5: If a company that is not subject to the CCPA acquires a company that is subject to the CCPA, can the acquisition “infect” the data of the first company?

Yes.

As discussed in the Series 2, Question 2 article, the CCPA applies to a “business” — a term that is defined as an entity that “does business in the State of California” and that meets one of the following three thresholds:

  1. Annual gross revenue in excess of $25 million,
  2. Purchases, receives for commercial purposes, sells, or shares for commercial purposes, personal information of 50,000 or more consumers, or
  3. Derives 50% of annual revenue from selling consumer personal information.[1]

An employer that does not meet the definition of “business” before acquiring another entity could meet the definition of a “business” following the acquisition. The following provide a few examples of situations where this might occur:

  1. Acquirer has more than $25 million in gross revenue, but does not have California-based employees and does not “conduct business” within California. Target is based in California and is folded into an existing operating division of Acquirer. Post-closing the Acquirer may satisfy the definition of “business” under the CCPA.[2]
  2. Acquirer has less than $25 million in gross revenue (e.g., $20 million). The Target is based in California with gross revenues that will result in the post-closing entity exceeding $25 million in gross revenue (e.g., $6 million). The Target will be folded into an existing operating division of Acquirer.

Employers with no California operations that are contemplating a transaction that may result in employing California residents post-closing should be prepared to address their CCPA compliance obligations relating to the newly acquired California employees. In particular, such an employer should plan for incorporating CCPA compliant provisions in employee privacy notices, employee policies, security procedures and applicable vendor contracts.