For a deeper discussion of the new law, I recommend Morgan Lewis’ LawFlash updates from July and September. Many commentators are comparing the law to the European Union’s General Data Protection Regulation or GDPR.
To determine whether you are subject to the CCPA, work through the three-part analysis below.
1. Are you a for-profit organization or legal entity?
2. Do you collect personal information, either directly or indirectly, on California residents?
3. Are you a covered business? You are if you meet any one of these thresholds:
   - Annual gross revenue in excess of $25 million (including revenue from non-California clients)
   - Handling the personal information of 50,000 or more consumers (including employees), households, or devices, or some combination of the three
   - Deriving more than 50% of your annual revenue from selling consumers’ personal information
The definition of “personal information” in the law is broad and extends well beyond the personally identifiable information contemplated by most SEC regulations; it also covers employees, owners, and contractors. If you answer yes to parts 1 and 2 and meet any of the thresholds in part 3, you are a covered business.
Exceptions for Financial Services Firms
Even if an investment adviser is a covered business, it may be exempt from complying with the CCPA to the extent it already meets the privacy standards of the Gramm-Leach-Bliley Act (GLBA). But, as noted in the July LawFlash, it is not clear whether the exemption is limited to the parts of the CCPA that conflict with the GLBA or extends to the whole law. Investment advisers that are covered businesses should consult with legal counsel to determine the best course of action.
New Consumer Protection Rights
Even if investment advisers are excluded from the CCPA, there is a good chance that some of your system providers are not (e.g., your CRM provider). If you or a vendor is a covered business, the new consumer privacy rights affect your compliance policies and procedures. Here is a summary of the rights.
California residents have:
- The right to know the categories of information that a business collects, sells, or discloses about the consumer, and to whom information was sold or disclosed, as well as the right to prevent the business from selling or disclosing the consumer’s personal information
- The right to access a copy of the “specific pieces of personal information that the business has collected about that consumer,” to be delivered free of charge within 45 days in a portable manner by mail or electronically
- The right to be forgotten by requesting that a business delete, and direct any third-party service providers to delete, any personal information collected about the consumer
- The right to opt out of the sale of personal information to third parties; to support this right, a business must post a “clear and conspicuous link” titled “Do Not Sell My Personal Information” on its website’s home page
- The right to equal service and price, which prohibits a business from discriminating against consumers who exercise their rights under the CCPA
Other Important Elements of the CCPA
- In addition to the consumer rights listed above, investment advisers are prohibited from sharing personal information with a third party (e.g., a CRM provider) unless the third party contractually agrees not to sell the information or use it for any purpose outside of the contractual arrangement with the investment adviser.
- Investment advisers cannot ask clients to contractually waive their rights under the CCPA, including any right to a remedy or means of enforcement (e.g., through arbitration provisions).
- California residents now have a private right of action, with access to statutory damages, if their personal information is exposed in a security breach that results from the business’s failure to implement and maintain reasonable security procedures.
Recommended next steps for investment advisers:
- Work with legal counsel to determine whether you are a covered business.
- Identify which of your system providers are covered businesses.
- Work with your covered vendors to ensure that your contractual agreements are CCPA compliant, including the restriction on selling or reusing personal information described above.
- For any covered business, review privacy notices and opt-out or opt-in mechanisms to ensure they comply with the law.
- If needed, prepare to delete personal information in response to requests to be forgotten. Recent amendments to the law require each covered business to offer consumers at least two methods for submitting deletion requests.
- If needed, train personnel on the new requirements.