Nonprofit Hospitals: Are They Exempt From Cpra Laws?

are non profit hospitals exempt from cpra

The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) are pieces of legislation that aim to protect the privacy rights of California consumers. While the CCPA and CPRA primarily target large, profit-making businesses, they may also apply to nonprofits in certain situations. For example, a nonprofit with a for-profit subsidiary or a nonprofit that enters into a joint venture with a for-profit company may need to evaluate their compliance with the acts. Nonprofits are generally exempt from the acts, but they must still respect donor intentions and privacy and be aware of the evolving privacy principles and expectations of consumers.

Characteristics Values
CPRA's main target Large, profit-making businesses
CPRA's scope Any entity, whether it operates for profit or not
CPRA's applicability to nonprofits Nonprofits with for-profit subsidiaries, Nonprofits that are subsidiaries of CPRA-covered businesses, Nonprofits engaged in commercial activity
CPRA's exemption for nonprofits Not directly applicable to many nonprofit organizations
CPRA's impact on nonprofits Increased consumer expectations for access, control, and transparency
CPRA's enforcement California Privacy Protection Agency

shunhospital

Nonprofits with for-profit subsidiaries

The California Consumer Privacy Act (CCPA) was passed into law in 2020, with the California Privacy Rights Act (CPRA) amending it in 2023. The CCPA's main target is large, profit-making businesses, such as those with over $25 million in annual revenue. However, the CPRA's second definition of a "business" includes any entity that controls or is controlled by a business, regardless of whether it operates for profit or not. This significantly broadens the scope of the CCPA/CPRA, meaning that in some cases, the act could apply to nonprofits.

There are several reasons why a nonprofit may choose to establish a for-profit subsidiary. One reason is to engage in unrelated business activities that do not directly pertain to the stated mission of the nonprofit. By doing so, the nonprofit avoids paying an Unrelated Business Income Tax (UBIT). Another reason is to separate activities that stray from the original purpose of the nonprofit, protecting it from violating the primary purpose test. This ensures that the nonprofit is not organized for the primary purpose of carrying on an unrelated trade or business. A for-profit subsidiary can also help protect the organization's assets from legal liability.

When forming a for-profit subsidiary, the parent organization must decide on the ownership structure, which can be wholly owned, majority-owned, or minority-owned. The parent can maintain control over the subsidiary through board overlap or by stipulating in the governing documents that they can appoint the board. The parent may also consider loaning money to the subsidiary to pay vendors and staff and to operate as a for-profit corporation. However, the IRS closely monitors these transactions to prevent nonprofit founders from benefiting unreasonably from accumulated gains, which can jeopardize the exemption of the nonprofit parent.

shunhospital

Nonprofits that are subsidiaries of for-profit businesses

The California Consumer Privacy Act (CCPA) was enacted in 2020, with the goal of informing users about what data is being collected about them and why it is necessary. While the act primarily targets large, profit-making businesses, its second definition of a "business" includes any entity that controls or is controlled by a business, regardless of whether it operates for profit or not. This means that nonprofits that are subsidiaries of for-profit businesses may fall under the jurisdiction of the CCPA/CPRA in certain cases.

There are several reasons why a nonprofit may choose to establish a for-profit subsidiary. One reason is to engage in business activities that do not align with the mission of the nonprofit. By setting up a separate for-profit entity, leaders can avoid paying Unrelated Business Income Tax (UBIT) and protect the nonprofit from liability associated with certain business activities under tax-exempt status. Additionally, forming a for-profit subsidiary can help clarify which activities are carried out on behalf of each organization, satisfying IRS rules and regulations for each entity.

Another reason for creating a for-profit subsidiary is to access equity capital rather than just debt, which can be important for certain types of businesses. Supplemental income is becoming increasingly necessary for nonprofits, and having a separate board and employees for the for-profit business can free up personnel. It is important to seek legal and accounting advice when establishing a for-profit subsidiary to ensure clear lines of separation in bylaws, board meetings, financials, and other aspects of the organizations' operations.

shunhospital

Nonprofits engaged in commercial activity

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), applies to large, profit-making businesses, such as those with over $25 million in annual revenues. However, the CPRA's secondary definition of a "business" includes any entity that controls or is controlled by a business, regardless of whether it operates for profit or not. This significantly broadens the scope of the CPRA, bringing certain nonprofits into its jurisdiction.

Nonprofits with for-profit subsidiaries or those that are subsidiaries of CPRA-covered businesses may fall under the CPRA's jurisdiction. Additionally, nonprofits that are not part of a business but engage in commercial activity should also consider whether they are subject to the CPRA. For instance, a hunting club run by volunteers that exchanges membership fees for exclusive benefits and services has been deemed to be carrying out commercial activity and is thus subject to similar legislation in Canada.

Nonprofits that meet the definition of a "business" under the CPRA are required to comply with the same obligations as other businesses. One of the core obligations is to create a privacy policy that informs consumers about how their personal information is collected, used, and shared. "Personal information" covers any data that can be linked to a particular consumer or household, including their name, email address, browsing history, geolocation, fingerprints, and more.

While nonprofits are generally exempt from the CPRA, they should be aware that consumer expectations around data privacy are increasing. Consumers and donors will likely demand more access, control, and transparency regarding their data, even when shared with nonprofits. Additionally, nonprofits should be mindful that their consumer data sources and third-party direct marketing sources are not exempt from the CPRA. Nonprofits must also respect donor intentions and privacy when requested and stay informed about the latest data privacy legislation.

shunhospital

Nonprofits with contractual relationships with for-profit entities

The California Consumer Privacy Act (CCPA) applies to large, profit-making businesses, such as those with over $25 million in annual revenue. However, the act's second definition of a "business" includes any entity that controls or is controlled by a business, regardless of whether it operates for profit or not. This means that nonprofits with for-profit subsidiaries or that are subsidiaries of for-profit businesses may fall under the jurisdiction of the CCPA.

Nonprofits with for-profit subsidiaries or vice versa should consider whether they fall under the CCPA's jurisdiction. Nonprofits that are not part of a business but engage in commercial activity should also consider their potential obligations under the CCPA. For example, nonprofits may want to enter into joint ventures with for-profits to raise capital, access expertise, and take advantage of opportunities not otherwise available to them. Conversely, for-profits may seek to enter into joint ventures with nonprofits to access new sources of capital, exploit specific assets owned by the nonprofit, take advantage of tax credits, and gain greater community or political support.

When a nonprofit enters into a joint venture with a for-profit entity, it must retain control of the charitable activities of the joint venture and have the right to appoint at least half of the board of a corporate joint venture entity. A true partnership would be owned by both parties, with each party jointly and severally liable for any liabilities of the partnership. A limited liability company (LLC) would be owned by both parties but could be structured to shield the owners from liabilities. A for-profit corporation would be owned by both parties and provide its owners with limited liability protection. A nonprofit corporation, which has no owners, would be governed by a board appointed by both parties, who might retain other rights, such as voting rights.

Resource-sharing agreements between nonprofits and for-profit entities can also facilitate the sharing of office space, equipment, and employees for greater efficiency. These agreements should detail the resources to be shared and how costs will be allocated. Nonprofits must enter into these agreements carefully, as they can trigger issues involving leases, insurance, licenses, permits, employees, and independent contractors.

While nonprofits are generally exempt from the CCPA, they should not ignore this law, as consumer expectations regarding data privacy are increasing. Consumers and donors will likely demand more access, control, and transparency into how their data is being used. Nonprofits should anticipate these questions and be prepared to respond appropriately. Additionally, while nonprofits may be exempt, their consumer data sources and third-party direct marketing sources are not.

shunhospital

Nonprofits that control or are controlled by for-profit entities

The California Consumer Privacy Act (CCPA) targets large, profit-making businesses, such as those with over $25 million in annual revenues. However, the act's secondary definition of a "business" includes any entity that controls or is controlled by a business. This significantly expands the scope of the CCPA, bringing certain nonprofits under its jurisdiction.

Nonprofits with for-profit subsidiaries or those that are subsidiaries of businesses covered by the CCPA/CPRA should assess whether they fall under the act's jurisdiction. Additionally, nonprofits not affiliated with a business but engaged in commercial activities should also consider their potential obligations under the CCPA/CPRA.

To determine if a nonprofit meets the definition of a "business" under the CCPA, it is essential to examine the nature of control between the entities. Control in this context refers to having:

  • The power to vote with more than 50% of the outstanding shares of any class of voting security of the business.
  • Authority over the election of a majority of the directors or similar individuals.
  • The ability to exert a controlling influence over the management of the company.

Nonprofits that meet these criteria and are considered "businesses" under the CCPA have specific obligations to fulfil. They must create a Privacy Policy, informing consumers about the collection, usage, and sharing of their personal information.

While nonprofits may be exempt from certain provisions of the CCPA, consumer expectations have shifted. Consumers and donors increasingly demand access, control, and transparency regarding their data usage. Therefore, nonprofits should be prepared to address these concerns and provide appropriate responses.

Frequently asked questions

Non-profit hospitals are generally exempt from CPRA.. However, they may be required to comply with CPRA if they engage in commercial activity or have a for-profit subsidiary. Non-profit hospitals should also be aware of evolving privacy principles and consumer expectations regarding data privacy.

CPRA stands for California Privacy Rights Act. It is a law that aims to protect the privacy rights of California consumers by giving them the right to know, delete, and correct their personal information. CPRA also establishes an agency to implement, enforce, and educate the public about the law.

While nonprofits are generally exempt from CPRA, they may be required to comply if they meet certain guidelines. This includes nonprofits that engage in commercial activity, have a for-profit subsidiary, or enter into joint ventures with for-profit companies. Nonprofits should also pay attention to consumer expectations and privacy principles, even if they are not directly covered by the law.

Written by
Reviewed by
Share this post
Print
Did this article help you?

Leave a comment