The California Consumer Privacy Act is operative. Some companies have poured significant resources into understanding their practices involving individuals’ personal information, designing programs that provide individuals with information about those practices, and implementing, as appropriate, the rights granted by the CCPA.
Yet the CCPA applies only to companies that are “doing business in the State of California.” That phrase is undefined in the CCPA and has received little attention. What does it mean, and how could the interpretation of that threshold question impact out-of-state companies that find themselves defending against violations of the CCPA?
Determining the meaning of “doing business” means looking beyond the CCPA. Neither the CCPA, nor its legislative history, nor even the California Consumer Records Act (which provides the basic structure of the CCPA’s definition of a “business”) answers what those seven words mean or are intended to mean.
Instead, the answer may lie in different parts of California law:
- California’s tax laws,
- judicial decisions about California’s requirements for out-of-state companies to register with the state, and
- judicial decisions about when California courts can exercise jurisdiction over non-California companies.
Each uses the term “doing business,” and for each the definition can be different. (To simplify, this article uses “companies” as shorthand for the types of entities to which the CCPA applies; essentially legal entities organized on a for-profit basis or for their owners’ financial benefit.)
California Tax Code
First, a company could look to its obligation to pay taxes to California, as California’s tax code uses equivalent statutory language to the CCPA. Currently, a company must pay taxes to California if, among other requirements, it is “doing business in this state.”
In turn, “doing business” is defined as “actively engaging in any transaction for the purpose of financial or pecuniary gain or profit.” Indeed, that engagement must be active. Courts have rejected attempts to argue that an income-generating investment, passively held, is sufficient to satisfy the statute. See Swart Enters. Inc. v. Franchise Tax Bd. (Cal. Ct. App. 2017).
That is not necessarily absolute: It may be that investing in or divesting from a passive investment, or even monetizing a passive investment could, on some set of facts, satisfy the tax code’s active engagement requirement.
Even if the active engagement is satisfied, a company would still need to meet certain thresholds to be considered to be “doing business” in California for tax purposes. If a company’s California sales, property, or payroll exceed 25% of total sales or meet certain thresholds (for 2019, $601,967, $60,197 and $60,197, respectively), then that company is “doing business” in California.
Consequently, if a company can fairly conclude that it does not meet the definition of “doing business” in California for tax purposes, it could potentially argue in litigation or otherwise that it is not “doing business” in California for CCPA purposes.
Registering With Secretary of State
Second, a company could look to whether it is required to register with the California secretary of state as a non-California company. Unlike California’s tax code, the law governing this registration requirement uses different language: whether a company “transact[s] intrastate business.”
Yet that difference in language may not end the inquiry. Both California’s statutes and judicial opinions interpreting the registration requirement use the words “doing business” as interchangeable with the concept of “transact[ing] intrastate business.” See Hurst v. Buczek Enters. LLC (N.D. Cal. 2012).
And here, the California Legislature’s silence on the meaning of “doing business” matters: It may have intended to capture companies that fall in this category, and not those that must pay taxes to California.
Consequently, here too, a non-California company may be able to point out that it is not required to register with California because it does not transact intrastate business in California and, therefore, it is not subject to the CCPA’s “doing business” requirement.
Subject to Court Jurisdiction
Third, a company could look to whether it can be sued in California. Under well-established law, one question a court considers before exercising jurisdiction over an out-of-state entity is whether it is purposely availing itself of the privilege of doing business in the state. See, e.g., Boschetto v. Hansing (9th Cir. 2008).
In the federal courts in California, that analysis is factual, practical, and pragmatic. If an entity is confident that it would not be subject to the jurisdiction of California’s courts, it can equally confirm it does not do business in the state—because if it did business in the state, then it would be subject to jurisdiction in California.
Admittedly, the jurisdictional question here—does the out-of-state company “purposely avail[] itself of the privilege of doing business”?—is different than simply “doing business,” so the fit is not perfect. But none of these possibilities are perfect fits and at least this analysis could provide some helpful guidance.
As out-of-state companies begin to defend lawsuits brought under the CCPA—either by the California attorney general or by private plaintiffs—they will be looking for procedural and substantive defenses to avoid liability.
There may soon be a body of substantive case law setting forth what it means for a company to “do business in the State of California” for purposes of the CCPA. But until that time, companies potentially can avail themselves of the defense that they are not “doing business in” California by arguing in a motion to dismiss that they do not fall within the definition in any of these three related contexts.
To be clear, other defenses and interpretations exist as well that may result in a company avoiding CCPA liability.
This column does not necessarily reflect the opinion of The Bureau of National Affairs, Inc. or its owners.
Author Information
Matthew Stein is a special counsel, and Christopher Lisy a partner in the Boston office of Manatt, Phelps & Phillips, LLP. Stein and Lisy are members of Manatt’s Privacy and Data Security practice.
Any opinions expressed in this article are theirs, and not necessarily those of Manatt or any one or more of its clients.