Is Your Crypto Company Subject to the CCPA?

One of the most important aspects of the California Consumer Privacy Act is its far reach. If your crypto company doesn’t buy or sell personal information, you may believe that the CCPA doesn’t apply to you. However, there are ways that your company may end up being subject to the CCPA that companies should examine. First, your company could be considered to be “doing business” in California. This standard captures many more businesses than one would think. Second, if your business has a related entity such as a DAO, LLC, or even offshore company, this relationship could bring your operational business under the CCPA. If this is your first time hearing about the CCPA, check out this article: Does the CCPA Apply to Crypto Companies?

Is Your Crypto Company Doing Business in California?

The CCPA is likely applicable if your business meets the following criteria:

  1. Gross Annual Revenue: If your business has a gross annual revenue surpassing $25 million;
  2. Collection of Personal Information: If your business collects personal information from even a single California resident; and
  3. “Doing Business” in California: If your business is considered to be “doing business” in California.

The first two factors are relatively straightforward. However, many businesses struggle to understand whether they are considered to be “doing business” in California under the CCPA. You’re likely hoping that you’re exempt from California privacy laws because your business is incorporated in Delaware or offshore. However, numerous activities could be deemed as “doing business” in California. “Doing business” in California brings your company within the scope of the CCPA. Due to the complexity of the CCPA, determining whether a business is “doing business” in California is not always straightforward.

Examine your business activities

It is difficult to determine whether a business is considered to be “doing business in California” for the CCPA. Several factors can contribute to this determination, including:

  1. Employees, Independent Contractors, and Job Recruitment: If your business has employees or independent contractors based in California or if you recruit job applicants in California,
  2. Physical Location or California Users: If your business has a physical presence in California or if you have users on your platform who are residents of California,
  3. Advertising and Marketing: If your business advertises and markets its products or services in California, specifically targeting California residents with its marketing efforts,
  4. Transactions within California: If your business conducts transactions within the state of California.

Complex corporate organizations subject to the CCPA

Maybe your business has a complex corporate organization that you hope exempts you from the CCPA. Many crypto and blockchain companies have complex corporate organization, often utilizing Swiss foundations, Cayman entities, or multiple US entities. Understanding your corporate organization is an important for step to ensure compliance with the CCPA because related entities can be subject to the CCPA even if the CCPA does not apply directly to them. 

There are additional tests in addition to the factors discussed above regarding whether the CCPA applies to your business. The CCPA also applies to any entity that controls or is controlled by a business that the CCPA directly applies to if they share common branding and consumers’ personal information. 

Corporate Control

To determine if an entity is “controlled” by another entity, factors such as ownership percentage, voting power, and control over the election of directors are considered.

To illustrate this, picture two entities: 

  1. TacoSwap Inc is a Delaware corporation that runs a large centralized exchange with annual revenue of $50m and serves California residents; and
  2. TacoLabs LLC, a Delaware LLC, is a research entity focusing on open source protocol development with employees only in New York. 

Examininge the control aspect first, here, an entity is considered “controlled” if:

  1. Another entity owns more than 50% of the business entity or holds more than 50% of the voting power;
  2. Another entity has control over the election of the majority of directors; or
  3. Another entity has the power to exercise a controlling influence over the management of the company. 

If TacoSwap Inc. owns 51% of TacoLabs LLC, TacoLabs LLC is also subject to the CCPA, and must comply with the CCPA in all of its dealings with the data of California residents. 

Controlling Influence

The determination as to whether 50% of a business is owned by another entity or whether another entity controls the election of a majority of directors is relatively straightforward. However, the “controlling influence” test is less determinable. The CCPA does not clearly explain the “controlling influence” test. The CCPA explains that a controlling influence is the power to exercise a controlling influence over the management of the company, but it is unclear to what extent that the influence must be exercised, and what kind of control is sufficient. This makes compliance CCPA difficult, especially when dealing with complex organizations in the blockchain space. Would a DAO whose votes bind the management decisions of a related entity be considered controlling influence? It likely would, which would mean that the related entity would also be subject to the CCPA. Questions like these require careful consideration for businesses. 

Common Branding 

Beyond corporate control, common branding is another factor used to determine whether the CCPA covers a subsidiary or related entity. The CCPA defines “common branding” as the use of a shared name, servicemark, or trademark that would indicate to the average consumer that two or more entities are commonly owned. Returning to the earlier example, Imagine TacoSwap Inc. and TacoLabs LLC share logos, fonts, and other branding elements. If this common branding led the average consumer to understand their connection, TacoLabs LLC is likely subject to the CCPA.

Determining whether your business is “doing business” in California or whether the CCPA applies to the numerous subsidiaries and related entities that are common in the corporate organzation of the crypto and blockchain space is often a complex and fact-specific endevor. 

Given the complexity, it’s advisable to consult with a knowledgeable attorney who can provide guidance tailored to your specific circumstances. We help businesses understand and comply with privacy and data protection laws, including the CCPA. If you’re uncertain about whether you are “doing business” in California under the CCPA, reach out to us.

Schedule a free consultation to learn more about how we can assist you in navigating this complex landscape.

Share The Article