There are many aspects to compliance and from time to time, I like to bring in complementary experts to share their perspectives and knowledge. This week, I’m delighted to have Michael Williams from Clym (pronounced like “climb”) tell you more about data privacy on your website and an important new regulation from California that can affect any firm in the country. I hope you enjoy this post. After reading, please contact us or Michael if you think this could be an issue for your firm. – Bo Howell
by Michael Williams of Clym
The CCPA is currently in effect and covered businesses, regardless of whether they are located in or outside of California, are already obligated to comply with its provisions. The California Attorney General has stated that his office will enforce violations that occurred prior to the enforcement date, so unless that position changes, businesses must comply with CCPA regulations, or take the steps necessary to achieve compliance as soon as possible. The cost of noncompliance can be high.
Who is subject to CCPA?
Generally, for-profit companies doing business in California are subject to the law if they collect personal information from California residents and if one or more of the following is true:
- The business earns $25 million or more in annual revenue.
- The business holds or transfers personal data of at least 50,000 consumers; and/or
- The business derives at least 50% of its revenues from the sale of consumers’ personal data.
It is important to note that “doing business” in California does not mean that a company must have a physical presence in the state. Therefore, as long as an investment adviser, regardless of whether that adviser sits outside of California or even outside the United States, collects, buys, shares, sells or receives personal information of California consumers, households or electronic devices, the CCPA will likely apply.
Pro tip: Be sure to check both revenue tests and any CRM system that contains information on both potential and existing clients and employees.
Why is CCPA Important?
First, let’s talk about compliance with the law. Widely considered to be the strictest data privacy law enacted to date in the United States, the CCPA affects companies both inside and outside of California by providing consumers with a wide array of privacy rights and protections. For companies subject to CCPA, implementing the mechanisms necessary to comply with the law can be a significant undertaking, a task made more difficult given that the California Attorney General has not yet issued final guidance regarding certain provisions of the CCPA. Registered investment advisers maintaining information on California residents should familiarize themselves with CCPA to avoid the significant financial penalties imposed for noncompliance.
Pro tip: The California Attorney General did release proposed regulations yesterday on how businesses can comply with CCPA.
The CCPA creates new consumer rights regarding personal information that is collected by businesses. The CCPA defines a consumer as any “natural person who is a California resident.” The intention of the CCPA is to provide California residents with the right to:
- Know what personal information is being collected about them;
- Know if and to whom their personal information is sold;
- Prevent the sale of personal information;
- Access their personal information;
- Request that a company delete their personal information; and
- Not be discriminated against for exercising their privacy rights.
The CCPA broadly defines personal information to include any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”. Additionally, the concept of a “sale” for CCPA purposes is the exchange of someone’s personal information for value (e.g. selling and renting but also disclosing, transferring and making available); this broad definition is important, as it could include information like cookies that are collected and tracked by websites.
Businesses subject to the CCPA must:
- Provide notice to consumers at or before the point of data collection;
- Make disclosures about the information that they collect and the rights held by consumers under the CCPA; and
- Create procedures to respond to requests from consumers to know, delete and opt-out within certain timeframes and verify the identity of consumers who make requests.
Am I Exempt from CCPA? Not Exactly.
You may have read that because SEC-registered investment advisers are subject to the Gramm-Leach-Bliley Act (“GLBA”), they are not subject to the CCPA. While CCPA has created a partial carve-out for those subject to GLBA, investment advisers are still subject to the requirements of the CCPA. The CCPA exempts personal information that is collected, processed, sold or disclosed pursuant to the GLBA, but as the CCPA covers a wider range of information than does the GLBA, it is not a blanket exemption for investment advisers. Additionally, the CCPA provides California residents with the ability to seek a private right of action against companies experiencing data breaches for lack of reasonable security policies and procedures. Further, the California attorney general can bring civil enforcement actions and assess penalties against companies of up to $7,500 per violation, a significant risk to noncompliant companies.
Additionally, as many other states are considering privacy bills, investment advisers would be well-served to implement the appropriate protocols in order to conform to the types of requirements contained in the CCPA to prepare for the possible 50-state data privacy framework in the United States.
How Should I Approach CCPA Compliance?
In the ever-evolving world of data privacy compliance, it can be hard to keep up with the changes. A best practice is to engage one or more trusted advisors to assist with data privacy compliance, which is where Joot and Clym can help.
Joot can help investment advisers update their policies and procedures, including their privacy statement. Additionally, Joot works with Clym to help investment advisers:
- Map and inventory data that they collect.
- Identify and train key personnel within the firm responsible for collecting, using, and maintaining the personal information.
- Determine and document whether they hold or transfer the personal information of California residents and/or consumers, and how that information flows in and out of the firm.
- Categorize the personal information collected from consumers in the preceding 12 months into the 12 categories defined in the CCPA.
- Develop and implement data retention policies and online privacy notices consistent with the requirements of the CCPA, then update those policies and notices on an annual basis.
If you need help with any of these items, contact Joot today! It is not too late.
If you already have the policies and procedures but need help with implementation, Clym’s CCPA Compliance tool can help you get compliant. Clym’s website widget helps make your website compliant easily and stress-free.